Office gives WOPI error

Issue:
Upon opening a document, Nextcloud AIO Office gives an “Unauthorized WOPI host.” error.
System information:
Nextcloud AIO
Debian (openmediavault image)
Static IP
Cloudflare
DOMAIN_NAME is cloud.domain.tld, domain.tld is a separate server with a separate website on it.
Optional containers: Collabora, Talk, and that's it
Related logs:

nextcloud:

2024-09-01T15:59:05.974259876Z Collabora URL (used for Nextcloud to contact the Collabora server):
2024-09-01T15:59:05.974264225Z   https://DOMAIN_NAME
2024-09-01T15:59:05.974268235Z Collabora public URL (used in the browser to open Collabora):
2024-09-01T15:59:05.974330790Z   https://DONAIN_NAME
2024-09-01T15:59:05.974351629Z Callback URL (used by Collabora to connect back to Nextcloud):
2024-09-01T15:59:05.974357183Z   autodetected (will use the same URL as your user for browsing Nextcloud)

Collabora container (periodic error):

2024-09-01T15:36:49.754954336Z wsd-00007-00017 2024-09-01 18:36:49.754811 +0300 [ remotefontconfig_poll ] ERR  Remote config server has response status code: 0 (Unknown)| wsd/COOLWSD.cpp:1208

Collabora container (when trying to open document):

2024-09-01T15:37:38.899732503Z WOPI::CheckFileInfo failed for URI [https://DOMAIN_NAME/index.php/apps/richdocuments/wopi/files/630_ocoh941voayu?access_token=6hccyoDJEOtqSqWNOu1ymLgaBvyVyU2l&access_token_ttl=0]: 0 (Unknown) . Headers: 	Body: []| wsd/wopi/CheckFileInfo.cpp:95
2024-09-01T15:37:38.899777176Z wsd-00007-00019 2024-09-01 18:37:38.899590 +0300 [ websrv_poll ] ERR  #51: Invalid URI or access denied to [https://DOMAIN_NAME/index.php/apps/richdocuments/wopi/files/630_ocoh941voayu?access_token=6hccyoDJEOtqSqWNOu1ymLgaBvyVyU2l&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:109
2024-09-01T15:37:39.772383898Z wsd-00007-00019 2024-09-01 18:37:39.772168 +0300 [ websrv_poll ] ERR  #50: CheckFileInfo failed for [https%3A%2F%2FDOMAIN_NAME%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F630_ocoh941voayu], State::Fail| wsd/RequestVettingStation.cpp:272
2024-09-01T15:37:40.366501276Z WOPI::CheckFileInfo failed for URI [https://DOMAIN_NAME/index.php/apps/richdocuments/wopi/files/630_ocoh941voayu?access_token=6hccyoDJEOtqSqWNOu1ymLgaBvyVyU2l&access_token_ttl=0&permission=edit]: 0 (Unknown) . Headers: 	Body: []| wsd/wopi/CheckFileInfo.cpp:95
2024-09-01T15:37:40.366552016Z wsd-00007-00019 2024-09-01 18:37:40.366371 +0300 [ websrv_poll ] ERR  #52: Invalid URI or access denied to [https://DOMAIN_NAME/index.php/apps/richdocuments/wopi/files/630_ocoh941voayu?access_token=6hccyoDJEOtqSqWNOu1ymLgaBvyVyU2l&access_token_ttl=0&permission=edit]| wsd/wopi/CheckFileInfo.cpp:109

Related information:
Added 0.0.0.0/0 and ::0 into the “Allow list for WOPI requests” field to rule out Cloudflare.
Disabled certificate check just in case.
Tried Talk, works perfectly fine.
No 127.0.1.1 or 127.0.0.1 in the hosts.
No related firewall rules.
Capabilities and Discovery link can be reached from both containers.
Probably not related but just in case:
I had to move the data folder after initial setup because I forgot to change it during said setup.
The domain name in the "URL (and Port) of Collabora Online-server:" field is just cloud.domainname.tld.

Hi @brcdllll, welcome to the Collabora Online forums :slight_smile:

Here are some points that I suggest going through for the solution.

The “Unauthorized WOPI host” error in Nextcloud AIO Office typically indicates an issue with the trust relationship between Nextcloud and Collabora Online. Here are several steps to troubleshoot and resolve the issue:

1. WOPI Host Configuration in Collabora

Make sure that the WOPI host setting in Collabora’s configuration explicitly allows requests from your Nextcloud instance. The configuration should include Nextcloud’s domain, cloud.domain.tld, in the list of allowed hosts.

You can verify this by checking the configuration file (usually /etc/coolwsd/coolwsd.xml) or by running:

coolconfig get net.wopi.host

Ensure that cloud.domain.tld is listed. If not, add it using:

coolconfig set net.wopi.host "cloud.domain.tld"

You can also set it directly in the XML file:

<net>
  <wopi>
    <host allow="cloud.domain.tld"/>
  </wopi>
</net>

After making changes, restart the Collabora container.

docker restart collabora

2. Check for Consistency in URLs

In your logs, the Collabora URL used by Nextcloud and the browser is https://DOMAIN_NAME, but ensure that the exact domain, including the subdomain cloud.domain.tld, is used consistently across all configurations, both in Collabora and Nextcloud.

  • In Nextcloud settings (Nextcloud Admin > Collabora Online):

    • Ensure the URL for Collabora Online server is set to https://cloud.domain.tld.
  • In the Collabora container:

    • Check for the same domain consistency in coolwsd.xml (or via coolconfig).

3. Ensure Correct Callback URL

Check that the Callback URL in the Nextcloud logs is correct, matching https://cloud.domain.tld. It is auto-detected, but if it’s incorrect, you can explicitly set it in the config.php file of Nextcloud:

'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://cloud.domain.tld',

This ensures Nextcloud generates correct URLs, especially when behind proxies or Cloudflare.

4. Allow List for WOPI Requests

Setting 0.0.0.0/0 and ::0 in the WOPI allow list might be too permissive. Instead, restrict the allow list to your Nextcloud server’s specific IP or domain:

coolconfig set net.wopi.host "cloud.domain.tld"

This reduces the risk of exposing your Collabora server to unintended access.

5. Verify Cloudflare Configuration

Ensure Cloudflare’s proxy settings aren’t interfering with the SSL/TLS certificates or communication between Nextcloud and Collabora. If using Cloudflare’s proxy service (orange cloud icon in Cloudflare DNS settings), try temporarily disabling it (grey cloud) to rule out any issues with SSL termination or header forwarding.

Alternatively, make sure that Cloudflare’s SSL mode is set to “Full (strict)” to ensure that valid certificates are used across both ends.

6. Test with Certificate Check Re-enabled

After adjusting the domain and WOPI settings, re-enable certificate checking to maintain secure communication:

coolconfig set ssl.termination false

This ensures that the communication between Nextcloud and Collabora remains secure.

7. Inspect Permissions and Logs

The errors indicate issues with CheckFileInfo, meaning the WOPI token or permissions may not be properly set. Double-check that Nextcloud is properly handling token generation and passing the correct information to Collabora.

Look closely at the WOPI logs in both Collabora and Nextcloud to see if there are any permission-related issues or more detailed errors when fetching the document.


By following these steps, you should be able to resolve the “Unauthorized WOPI host” error. If the issue persists, further investigation into specific logs or a configuration reset may be necessary.

Resource: Collabora Online SDK documentation, https://sdk.collaboraonline.com/

Thanks,
Darshan
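
An added example, not part of the post above: a small audit of allow-list entries like the 0.0.0.0/0 and ::0 values from the original post and the narrower list suggested in step 4. It assumes entries are interpreted with standard CIDR semantics (Python's `ipaddress` module); how the Nextcloud app itself parses the field is not shown in this thread, and the sample addresses are documentation-range placeholders.

```python
import ipaddress

def audit_allowlist(entries):
    """Classify each entry by how many source addresses it admits (standard CIDR semantics assumed)."""
    report = {}
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            report[entry] = "invalid"        # e.g. a hostname is not an IP/CIDR entry
            continue
        if net.prefixlen == 0:
            report[entry] = "catch-all"      # admits every address of that IP family
        elif net.num_addresses == 1:
            report[entry] = "single-host"    # no prefix given, or /32 or /128
        else:
            report[entry] = "range"
    return report

def is_allowed(source_ip, entries):
    """True if source_ip falls inside at least one valid entry of the same IP family."""
    ip = ipaddress.ip_address(source_ip)
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue
        if ip.version == net.version and ip in net:
            return True
    return False

if __name__ == "__main__":
    as_posted = ["0.0.0.0/0", "::0"]       # values quoted in the original post
    narrowed = ["203.0.113.10"]            # constructed placeholder for one trusted source
    print(audit_allowlist(as_posted + ["::/0"] + narrowed + ["cloud.domain.tld"]))
    print(is_allowed("198.51.100.7", as_posted), is_allowed("198.51.100.7", narrowed))
```

Under these semantics `::0` without a prefix is the single address `::`, so only the IPv4 entry is a catch-all.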

You can verify this by checking the configuration file (usually /etc/coolwsd/coolwsd.xml) or by running:

I indeed do not have my domain in the xml file.
I have tried to edit said file as you’ve advised but I have issues doing so since I'm not familiar with docker.
-I’ve tried installing a text editor inside the container and editing here (didn't work, gives me a dpkg error)
-I’ve tried editing it inside the overlay folder (vim isn't able to save the file)
-I’ve tried the coolconfig command (it gives some output as if it succeeded but the xml file remains unedited)
-I’ve tried copying the file inside the container with the docker cp command (not even replacing it, just copying a renamed xml file into the same folder to then replace it inside the container, but the container hangs and then starts bootlooping for some reason)

Could this be the issue?

2024-09-11T20:14:42.957286781Z wsd-00007-00007 2024-09-11 23:14:42.956957 +0300 [ coolwsd ] WRN  Waking up dead poll thread [main], started: false, finished: false| net/Socket.hpp:719
2024-09-11T20:14:42.957923230Z frk-00011-00011 2024-09-11 23:14:42.957816 +0300 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:557
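
An added example, not part of any post in this thread: a triage script for coolwsd `WOPI::CheckFileInfo failed` lines like those quoted in the first post. It groups failures by host and status and redacts the `access_token` value before the lines are shared. The sample log lines, host and tokens are constructed, and the status-to-cause mapping is a heuristic assumption, not Collabora's documented behaviour.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in the format of the coolwsd errors quoted in this thread
# (host, file ids and tokens are placeholders; the 403 line is invented for contrast).
BASE = "https://cloud.example.test/index.php/apps/richdocuments/wopi/files/"
TAIL = " . Headers: \tBody: []| wsd/wopi/CheckFileInfo.cpp:95"
SAMPLE_LOG = "\n".join([
    f"2024-09-01T15:37:38Z WOPI::CheckFileInfo failed for URI [{BASE}630_aaa?access_token=SAMPLETOKEN1&access_token_ttl=0]: 0 (Unknown)" + TAIL,
    f"2024-09-01T15:37:40Z WOPI::CheckFileInfo failed for URI [{BASE}630_aaa?access_token=SAMPLETOKEN1&access_token_ttl=0&permission=edit]: 0 (Unknown)" + TAIL,
    f"2024-09-01T15:40:00Z WOPI::CheckFileInfo failed for URI [{BASE}631_bbb?access_token=SAMPLETOKEN2&access_token_ttl=0]: 403 (Forbidden)" + TAIL,
])

FAIL_RE = re.compile(r"WOPI::CheckFileInfo failed for URI \[(?P<uri>[^\]]+)\]: (?P<status>\d+) \(")

def redact(uri):
    """Replace the access_token value so the URI can be pasted into a public post."""
    parts = urlsplit(uri)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def classify(status):
    # Heuristic (assumption): status 0 with empty headers/body means no HTTP response
    # arrived at all; 401/403 means the WOPI host answered and refused the request.
    if status == 0:
        return "no-response"
    if status in (401, 403):
        return "refused"
    return "other"

def triage(log_text):
    """Return one finding per CheckFileInfo failure, with the token redacted."""
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            status = int(m.group("status"))
            findings.append({"host": urlsplit(m.group("uri")).hostname, "status": status,
                             "cause": classify(status), "uri": redact(m.group("uri"))})
    return findings

def summary(findings):
    """Count failures per (host, status, cause) to see which failure mode dominates."""
    return Counter((f["host"], f["status"], f["cause"]) for f in findings)

if __name__ == "__main__":
    for key, count in summary(triage(SAMPLE_LOG)).items():
        print(count, key)
```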