Recently, I’ve been building Nextcloud on AWS Lightsail. A cheap $5 instance is sufficient for me to sync files between devices and share calendars with my family. However, I want the online document editing feature that OneDrive and Google Drive have.
Nextcloud has an official app called Nextcloud Office, but it needs some kind of backend to work: a WOPI-like client. Luckily, it comes with an app called Collabora Online - Built-in CODE Server, but sadly, this app will not work when Nextcloud is installed from the snap store. We have to install CODE separately.
Head to the official documentation page and follow the instructions to install the package as I did: https://www.collaboraoffice.com/code/linux-packages/
If you run sudo journalctl -u coolwsd you will find that the service didn’t start properly because the SSL certificate is missing. Of course, you can go with HTTP by disabling the HTTPS function of the CODE server. However, doing so will expose all the documents that you are currently editing to the world.
Let’s just enable SSL for the CODE server, shall we?
Here is something a bit complicated to explain. The CODE server should be running behind a server like Nginx or Apache. However, we installed Nextcloud through the snap store, and I don’t know its exact structure. I looked all over the Nextcloud data folder inside snap, but did not find any trace of Apache. So here we are going to expose the CODE default port, 9980.
First, go to your Lightsail network page, and change the firewall to allow both UDP and TCP port 9980.
By default, the CODE server looks for the cert files /etc/coolwsd/cert.pem, /etc/coolwsd/ca-chain.cert.pem and /etc/coolwsd/key.pem. We cannot simply use a self-signed cert for it, because doing so will confuse your browser: the same domain on different ports presents different certificates, and one of them is invalid. After struggling with the self-signing problem, I came up with an idea: what about just using the IP address instead of the domain?
Okay, connection refused. By digging into the documentation, I found the config setting for this and added the server IP address to it. The connection was no longer refused, but the same error showed: certificate unknown. Looks like our browser is still pretty confused.
How about I just make the CODE server use the same cert that Nextcloud is using?
Well, another problem popped up: the cert that Nextcloud generated through Let’s Encrypt belongs to root, and the CODE server runs as a user called cool. Permission denied.
But it should work if I can solve the permission problem. Same domain, same cert, right?
So I manually copied the files over, then changed the owner to cool. It worked. Okay, one more thing: because an LE cert is only valid for three months, we can’t really copy the cert by hand every three months, so I added a crontab entry to do the job automatically.
Run crontab -e to open the crontab in editing mode, then add a command exactly like the example below, which runs once a week:
0 5 * * 1 sudo cp /var/snap/nextcloud/current/certs/live/cert.pem /etc/coolwsd/cert.pem && sudo cp /var/snap/nextcloud/current/certs/live/chain.pem /etc/coolwsd/ca-chain.cert.pem && sudo cp /var/snap/nextcloud/current/certs/live/privkey.pem /etc/coolwsd/key.pem && sudo chown cool:cool /etc/coolwsd/cert.pem && sudo chown cool:cool /etc/coolwsd/ca-chain.cert.pem && sudo chown cool:cool /etc/coolwsd/key.pem
The command above simply copies the LE cert files to the CODE server config folder and changes their owner to cool, so they stay up to date whenever the LE cert is renewed.
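The same weekly copy as a script, as an added example that is not part of the original post: it sets the key file to mode 0600 explicitly, skips files that have not changed, and restarts coolwsd only when something was replaced. The script name sync-code-certs.sh, the function sync_certs and the --run switch are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Paths and the cool user are the
# ones the post uses; the function name and --run switch are hypothetical.

# sync_certs SRC_DIR DST_DIR OWNER
# Returns 0 if a file was updated, 1 if all were current, 2 on error.
sync_certs() {
    src=$1 dst=$2 owner=$3 changed=1
    # source name:destination name, same mapping as the cron line in the post
    for pair in cert.pem:cert.pem chain.pem:ca-chain.cert.pem privkey.pem:key.pem; do
        from=$src/${pair%%:*}
        to=$dst/${pair##*:}
        [ -r "$from" ] || { echo "missing $from" >&2; return 2; }
        # Leave files that are already identical untouched.
        if [ -f "$to" ] && cmp -s "$from" "$to"; then continue; fi
        # mktemp creates the file with mode 0600, so the key is never
        # world-readable; the rename then swaps it in atomically.
        tmp=$(mktemp "$to.XXXXXX") || return 2
        cat "$from" > "$tmp" && chmod 600 "$tmp" && chown "$owner" "$tmp" \
            && mv -f "$tmp" "$to" || { rm -f "$tmp"; return 2; }
        changed=0
    done
    return "$changed"
}

# Real run (as root): sh sync-code-certs.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_certs /var/snap/nextcloud/current/certs/live /etc/coolwsd cool:cool
    case $? in
        # Assumption: coolwsd only reads the files at startup, which is why
        # the post restarts it after copying.
        0) systemctl restart coolwsd ;;
        1) ;;
        *) exit 1 ;;
    esac
fi
```

To use it, put the --run invocation in root’s crontab (sudo crontab -e) on the same weekly schedule instead of the one-line command.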
Now we restart the server: sudo systemctl restart coolwsd
Now open https://yourdomain.com:9980, and you should see “OK” in the page’s top left corner, which indicates the server is up and running.
Go to Nextcloud’s settings, find “Nextcloud Office” in the Administration section, choose “Use your own server”, enter https://yourdomain.com:9980, then click “Save”.
Now you should be able to edit documents right inside Nextcloud. Cheers.