Enabling certificate verification is not working

Dear friends,

I’ve been struggling for dozens of hours so far to get Collabora Code usable with NextCloud. I made some good progress because I can now edit documents. The only remaining thing is that I’m not able to activate the certificate verification. When unchecked, everything works like a charm.

Nextcloud version: 23.0.6
Operating system and version: TrueNAS-12.0-U8
Collabora Code: 22.05.3.1.1

NextCloud

My instance is running in a jail on TrueNAS.

Collabora stack

The Collabora server is running on Docker with the following configuration (I will try to give as many details as possible, since it was hard for me to get all that stuff together).

Docker-compose file

version: '3'
services:
  code:
    container_name: collabora-code
    environment:
      - aliasgroup1=cloud.reunion.net
      - username=admin
      - password=secret
      - TZ=Europe/Paris
      - domain=cloud.reunion.net
      - DONT_GEN_SSL_CERT=1
      - server_name=docker2.reunion.net
    cap_add:
      - MKNOD
    restart: always
    #image: collabora/code:21.11.3.4.1 22.05.3.1.1
    image: collabora/code:22.05.3.1.1
    ports:
      - '9980:9980'
    networks:
      - collabora
      
  nginx-proxy-manager:
    container_name: nginx-proxy-manager
    depends_on:
      - code
    restart: always
    
    image: jlesage/nginx-proxy-manager
    ports:
      - "8181:8181"
      - "8080:8080"
      - "443:4443"
    volumes:
      - "/mnt/docker/collabora/nginx:/config:rw"
    networks:
      - collabora
      

networks:
  collabora:
    driver: bridge

The following article was also very helpful because it seems that richdocuments > 5.0.0 is not working. This helped me to downgrade richdocuments:

https://7thzero.com/blog/upgrade-to-nextcloud-23-prevents-online-document-editing-in-collabora-online-files-download-instead-of-edit

What is ok so far:

  • I’m able to connect to my collabora server over SSL through the reverse proxy using the following links:
    https://docker2.reunion.net:4443/browser/dist/admin/admin.html
    https://docker2.reunion.net:4443/hosting/capabilities

  • I filled out the Collabora Online server in NextCloud: https://docker2.reunion.net but I can only edit documents if the check box Disable certificate verification (insecure) is unticked.

  • When I SSH into the jail and run curl -v, the output looks good. I use my own CA authority and added the root CA in /usr/local/www/nextcloud/data/files_external

root@NextCloud:/nextcloud/apps/richdocuments # curl -v https://docker2.reunion.net
*   Trying 192.168.10.7:443...
* Connected to docker2.reunion.net (192.168.10.7) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=FR; ST=Bas-Rhin; L=Marlenheim; O=Home; emailAddress=admin@famille-huck.fr; CN=docker2.reunion.net
*  start date: Jul  4 17:07:36 2022 GMT
*  expire date: Aug  5 17:07:36 2023 GMT
*  subjectAltName: host "docker2.reunion.net" matched cert's "docker2.reunion.net"
*  issuer: C=FR; ST=XXX; L=XXX; O=Home; emailAddress=XXX.fr; CN=XXX
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801473c00)
> GET / HTTP/2
> Host: docker2.reunion.net
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: openresty
< date: Mon, 11 Jul 2022 15:45:21 GMT
< content-type: 10
< content-length: 2
< last-modified: Mon, 11 Jul 2022 15:45:21
< x-served-by: docker2.reunion.net
< 
* Connection #0 to host docker2.reunion.net left intact
OK

I would be very happy to finalize this setup by being able to activate certificate verification.

How can I investigate further? I did not find any log file, and I also don’t know what underlying mechanism Collabora uses to perform this check.

Cheers
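
The curl run in the post verified against /usr/local/share/certs/ca-root-nss.crt, which shows only that this one bundle trusts the private root; another client on the same host may read a different bundle. As an added example (not part of the original post), this Python code checks by SHA-256 fingerprint which CA bundles contain a given root certificate. The second bundle name and all certificate bytes are constructed placeholders, and the assumption that the private root was appended to the curl bundle is mine.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def bundles_trusting(root_pem, bundles):
    """Map each bundle name to True if it contains the given root CA certificate."""
    wanted = fingerprints(root_pem)
    if len(wanted) != 1:
        raise ValueError("root_pem must hold exactly one certificate")
    (fp,) = wanted
    return {name: fp in fingerprints(text) for name, text in bundles.items()}


def _pem(der):
    """Wrap raw bytes in PEM armour (helper for the constructed sample only)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes stand in for real DER certificates.
PRIVATE_ROOT = _pem(b"constructed private root CA")
PUBLIC_ROOT = _pem(b"constructed public root CA")
SAMPLE_BUNDLES = {
    # CAfile reported by curl in the post; assumed to have the private root appended
    "/usr/local/share/certs/ca-root-nss.crt": PUBLIC_ROOT + PRIVATE_ROOT,
    # hypothetical bundle read by a different client on the same host
    "app-ca-bundle.crt (hypothetical)": PUBLIC_ROOT,
}

if __name__ == "__main__":
    # With real files: bundles = {p: open(p).read() for p in paths}
    for name, ok in bundles_trusting(PRIVATE_ROOT, SAMPLE_BUNDLES).items():
        print(("contains root " if ok else "MISSING root  ") + name)
```

A match only proves the root is present in that file; it does not validate the server's chain or any intermediates.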