
can 9.6 use self signed certs??

Posted: Wed Jul 04, 2018 12:34 am
by ivanbishop
I posted earlier... I cannot open any documents... and I see these errors.
I generated self signed certs and placed them as I did in the PREVIOUS version of Onlyoffice (this worked)


[2018-07-04 00:32:43.221] [ERROR] nodeJS - error downloadFile:url=https://forscotland.com:6443/products/files/httphandlers/filehandler.ashx?action=stream&fileid=3&version=1&stream_auth=268360361663.VNW6XN0YLBJXMPDD2LXVZPBHNUKANTDPTW6MJBNHI&X-REWRITER-URL=https%3a%2f%2fforscotland.com%3a6443;attempt=1;code:DEPTH_ZERO_SELF_SIGNED_CERT;connect:undefined;(id=BCsHK55qiXtp76CXR2Q_)
Error: self signed certificate
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:609:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38)
[2018-07-04 00:32:44.239] [ERROR] nodeJS - error downloadFile:url=https://forscotland.com:6443/products/files/httphandlers/filehandler.ashx?action=stream&fileid=3&version=1&stream_auth=268360361663.VNW6XN0YLBJXMPDD2LXVZPBHNUKANTDPTW6MJBNHI&X-REWRITER-URL=https%3a%2f%2fforscotland.com%3a6443;attempt=2;code:DEPTH_ZERO_SELF_SIGNED_CERT;connect:undefined;(id=BCsHK55qiXtp76CXR2Q_)
Error: self signed certificate
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:609:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38)
[2018-07-04 00:32:45.257] [ERROR] nodeJS - error downloadFile:url=https://forscotland.com:6443/products/files/httphandlers/filehandler.ashx?action=stream&fileid=3&version=1&stream_auth=268360361663.VNW6XN0YLBJXMPDD2LXVZPBHNUKANTDPTW6MJBNHI&X-REWRITER-URL=https%3a%2f%2fforscotland.com%3a6443;attempt=3;code:DEPTH_ZERO_SELF_SIGNED_CERT;connect:undefined;(id=BCsHK55qiXtp76CXR2Q_)
Error: self signed certificate
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:609:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38)

Re: can 9.6 use self signed certs??

Posted: Thu Jul 05, 2018 10:15 am
by Maxim
Hello!
> can 9.6 use self signed certs??

Yes
> Error: self signed certificate

Something is wrong

Re: can 9.6 use self signed certs??

Posted: Thu Jul 05, 2018 5:40 pm
by ivanbishop
yes something is wrong :)

I used the previous version of the docker/community images with self signed certs for 7 months on the same server. All worked perfectly.

The latest docker images are pulled cleanly and you see the document server runs OK and the community server UI pulls up the documents available for edit OK.

I suspect that node.js is the culprit and that I either mis-entered my domain name into the CERT at creation time OR I need to alter HOW this version of node.js reacts to self signed certs.


https://www.cyberciti.biz/faq/verify-ss ... e-openssl/
https://stackoverflow.com/questions/204 ... r-29397100


I'll test with wget including "ignore cert check" and see what happens.


thanks

Re: can 9.6 use self signed certs??

Posted: Mon Jul 09, 2018 7:59 am
by Maxim
Hello!
> I'll test with wget including "ignore cert check" and see what happens.

Waiting for your result

Re: can 9.6 use self signed certs??

Posted: Wed Jul 11, 2018 12:02 pm
by knife-grinder
Hi All,
I'm writing here 'cause we are stuck on the same problem: DEPTH_ZERO_SELF_SIGNED_CERT.
I did a test using wget, ignoring the untrusted certificate, and it all goes well except that it doesn't find the file, maybe 'cause it's not the same session.

The error we have is the same:
[2018-07-11 13:11:25.317] [ERROR] nodeJS - error downloadFile:url=https://www.oursite.com/index.php/apps/onlyoffice/empty?doc=WTlQa2tNY1NDa0tPTHo4RkZ1MVpXSUVBdHFDRmZVK3ZlRmJYaVprLzFUbz0/eyJhY3Rpb24iOiJlbXB0eSJ9;attempt=3
;code:DEPTH_ZERO_SELF_SIGNED_CERT;connect:undefined;(id=conv_check_969052483_docx)
Error: self signed certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:609:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38)


WGET says
wget --no-check-certificate -O conv_check_969052483_docx https://www.oursite.com/index.php/apps/onlyoffice/empty?doc=WTlQa2tNY1NDa0tPTHo4RkZ1MVpXSUVBdHFDRmZVK3ZlRmJYaVprLzFUbz0/eyJhY3Rpb24iOiJlbXB0eSJ9
 
--2018-07-11 13:18:22--  https://www.oursite.com/index.php/apps/onlyoffice/empty?doc=WTlQa2tNY1NDa0tPTHo4RkZ1MVpXSUVBdHFDRmZVK3ZlRmJYaVprLzFUbz0/eyJhY3Rpb24iOiJlbXB0eSJ9
Resolving www.oursite.com (www.oursite.com)... IP
Connecting to www.oursite.com (www.oursite.com)|IP|:443... connected.
WARNING: The certificate of ‘www.oursite.com’ is not trusted.
WARNING: The certificate of ‘www.oursite.com’ hasn't got a known issuer.
HTTP request sent, awaiting response... 403 Forbidden
2018-07-11 13:18:23 ERROR 403: Forbidden.


Any idea on how to solve this issue?

Installed:
nodejs 6.14.3-1nodesource1
onlyoffice-documentserver 5.1.4-22
postgresql-9.0 9.0.23-1.pgdg80+2
mono-runtime 5.12.0.226-0xamarin3+debian8b1
nginx 1.6.2-5+deb8u5
rabbitmq-server 3.7.6-1

Operating system:
Linux cesin00vps 3.16.0-6-amd64 #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) x86_64 GNU/Linux

TIA

Re: can 9.6 use self signed certs??

Posted: Thu Jul 12, 2018 6:45 am
by Maxim
Hello!
What if you disable SSL cert validation in default.json?
rejectUnauthorized = false

Re: can 9.6 use self signed certs??

Posted: Thu Jul 12, 2018 7:52 pm
by ivanbishop
Hi Maxim, the global disable I'll try, but it makes node.js a little insecure ;) It's why I included links in my first post.

I'm busy at work right now but will update when I get a chance.

More importantly can you state clearly if node.js as shipped in latest Onlyoffice isn't "self signed cert friendly"
and that by default you support commercial certs, "letsencrypt" certs ONLY?

I REALLY want OO back and running.

thanks
so much

Re: can 9.6 use self signed certs??

Posted: Mon Jul 16, 2018 7:35 am
by Maxim
Hello ivanbishop!
We recommend letsencrypt certs because there is also an intermediate cert. If there is an intermediate cert for your self-signed cert, please install it.
> More importantly can you state clearly if node.js as shipped in latest Onlyoffice isn't "self signed cert friendly"
> and that by default you support commercial certs, "letsencrypt" certs ONLY?

node.js is sensitive to intermediate certs, which self-signed certs often do not have.
I suppose if you install the intermediate certs everything will be OK.
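
Added example (not part of any post in this thread, and not ONLYOFFICE code): a Node.js triage of the "error downloadFile" lines quoted in the thread, grouped by origin and verification code. DEPTH_ZERO_SELF_SIGNED_CERT means the server's own (depth 0) certificate is self-signed and absent from the client's trust store, while a missing intermediate surfaces as UNABLE_TO_VERIFY_LEAF_SIGNATURE or UNABLE_TO_GET_ISSUER_CERT_LOCALLY. The sample lines and the example.test hosts are constructed.

```javascript
// SAMPLE_LOG is constructed in the format shown in the thread; hosts and ids are placeholders.
const SAMPLE_LOG = [
  '[2018-07-04 00:32:43.221] [ERROR] nodeJS - error downloadFile:url=https://docs.example.test:6443/filehandler.ashx?action=stream&stream_auth=PLACEHOLDER;attempt=1;code:DEPTH_ZERO_SELF_SIGNED_CERT;connect:undefined;(id=sample1)',
  'Error: self signed certificate',
  '    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)',
  '[2018-07-04 00:32:45.257] [ERROR] nodeJS - error downloadFile:url=https://docs.example.test:6443/filehandler.ashx?action=stream&stream_auth=PLACEHOLDER;attempt=3;code:DEPTH_ZERO_SELF_SIGNED_CERT;connect:undefined;(id=sample1)',
  '[2018-07-04 00:40:01.000] [ERROR] nodeJS - error downloadFile:url=https://cloud.example.test/index.php/apps/onlyoffice/empty?doc=PLACEHOLDER;attempt=1;code:UNABLE_TO_VERIFY_LEAF_SIGNATURE;connect:undefined;(id=sample2)',
];

// What each Node.js/OpenSSL verification code says about the chain the server presented.
const MEANING = {
  DEPTH_ZERO_SELF_SIGNED_CERT: 'leaf certificate is self-signed and not in the client trust store',
  SELF_SIGNED_CERT_IN_CHAIN: 'chain ends in a root the client does not trust',
  UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'issuer of the leaf is missing (incomplete chain)',
  UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 'issuer certificate not found in the trust store',
  CERT_HAS_EXPIRED: 'certificate is outside its validity period',
};

const LINE_RE = /^\[([^\]]+)\] \[ERROR\] nodeJS - error downloadFile:url=(\S+?);attempt=(\d+);code:([A-Z_]+);/;

function parseDownloadError(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // stack-trace lines and unrelated entries
  const u = new URL(m[2]);
  // Keep only the origin: the query string carries per-request values (stream_auth, doc).
  return { time: m[1], origin: u.origin, attempt: Number(m[3]), code: m[4] };
}

function summarize(lines) {
  const byKey = new Map();
  for (const line of lines) {
    const e = parseDownloadError(line);
    if (!e) continue;
    const key = `${e.origin} ${e.code}`;
    const s = byKey.get(key) || {
      origin: e.origin, code: e.code, failures: 0, maxAttempt: 0,
      meaning: MEANING[e.code] || 'not a known certificate verification code',
    };
    s.failures += 1;
    s.maxAttempt = Math.max(s.maxAttempt, e.attempt);
    byKey.set(key, s);
  }
  return [...byKey.values()];
}

console.log(summarize(SAMPLE_LOG));
```

Each origin reported with DEPTH_ZERO_SELF_SIGNED_CERT is a server whose certificate has to be trusted by the Document Server host, or whose check has to be relaxed, for the download to succeed.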

Re: can 9.6 use self signed certs??

Posted: Mon Jul 16, 2018 12:51 pm
by knife-grinder
Hi,
I tried to modify the default.json as you suggested. I don't know exactly how it works, so I tried two ways:
"rejectUnauthorized": "false"

and
"rejectUnauthorized": false


I also restarted the service (service supervisor restart) 'cause I don't know if the file is read every time or only at startup, and nothing changed.
I put the value in this section
 "FileConverter": {
    "converter": {

but my doubt is that this isn't the right place.

Any idea?

Re: can 9.6 use self signed certs??

Posted: Mon Jul 16, 2018 12:55 pm
by knife-grinder
Maxim, can you be more clear about "letsencrypt" and how to install intermediate certs?