Setup with Nextcloud AIO

[bigbeka]

Issue: Error - Java not installed message; Advice: Run occ libresign:install --java

To reproduce:

• Download and enable LibreSign from list of Nextcloud apps
• Click on 'Downloads Binaries'
• Wait for the list of items to show up and some of them errored out

Screenshots

Environment information (please complete the following information):

• OS: Proxmox > LXC > Docker > Nextcloud official container
• Browser Safari
• LibreSign Version 6.2.5
• Nextcloud Server Version 25.0.3

Searching here or elsewhere did not reveal that someone else had similar issue.

[Prodject]

I tried on two versions - Ubuntu latest + apache + nextcloud and mac M1 native docker + nextcloud. There is a similar error, more precisely - on 6.2.5 Java installation error, and on 6.2.3 cfssl installation and configuration error. Also tried to manually install all dependencies via php occ libresign:install --all. Installation doesn't throw errors, but dependency validation fails.

It seems to me that developers may return the http api url manual installation mode to be able to install packages in a separate container / vm. Or add the ability to provide installation of dependencies from an offline bundle package

[bigbeka]

@Prodject Thanks for the followup message and further reproducing. Hoping to get this sorted soon.

[Prodject]

Hoping to get this sorted soon

I tried to roll back to version 4.2.1 - I got a successful result of downloading dependencies. I also tried to update the version to 6.2.5 - the dependencies were preserved, but there was a bug that the current signature could not be changed. In v.4.2.1 there was also a bug with a signature overlay conflict in pdf, I could not fix it either, and it was saved in 6.2.5.

[lhsazevedo]

Could you try in the latest release (6.2.6)? Note that this release is compatible with Nextcloud 25 only. We do not support previous versions anymore, as we haven't sufficient funding at the moment.

[bigbeka]

@lhsazevedo updated LibreSign to 6.2.6 with Nextcloud being 25.0.3, tried to 'Download binaries', still shows the same errors. I have also tried to remove LibreSign completely and 'Download and Enable' from within the UI, no luck there either. Any other troubleshooting I can be doing? Nextcloud docker logs does't shown any errors while 'Download binaries' process.

[Prodject]

Could you try in the latest release (6.2.6)? Note that this release is compatible with Nextcloud 25 only. We do not support previous versions anymore, as we haven't sufficient funding at the moment.

I have now tried a clean installation of docker v.4.16.2 + nextcloud latest (docker pull nextcloud:latest) + LibreSign 6.2.6. After clicking the "Download" button, the installation lasts only a few seconds and the button becomes active again (at the same time, only one dependency is installed). In version 6.2.5 there was an identical error (loading only a few seconds)

[lhsazevedo]

Thanks for reporting @bigbeka and @Prodject. I'll setup environments similar to yours and try to reproduce the issue to further investigate this problem.

[bigbeka]

@lhsazevedo many thanks. I will run a fresh install on a fresh VM, and try to run LibreSign's download binaries as well and see if that works out.

[bigbeka]

Okay, so this is interesting. Fresh VM > Fresh Docker & Compose > Fresh Nextcloud install. And it worked, I can’t get the imagick working to generate the previews when assigning signature positions on the actual pdfs.

@lhsazevedo what would you suggest the next troubleshooting should be? How do I get LibreSign working on my production?

I have disabled most of the apps on my Nextcloud instance to test if there are any conflicts (no luck here).

Screenshot from test setup:

[lhsazevedo]

I'm glad you made it. Now looks like you are missing the optional ghostscript dependency, that is only need for adding visible signatures.

Since you are using the Nextcloud AIO container, you'll need to add it to the NEXTCLOUD_ADDITIONAL_APKS environment variable and rebuild the image. Read more about it: How to add OS packages permanently to the Nextcloud container?. Make sure to also specify the default imagemagick, as the doc warns.

@Prodject I've just released a new version (6.2.7) which fixes a bug in the "download binaries" that was preventing the progress bars from showing which might fix your issue. Could you try again with this new version, in a clean installation?

[bigbeka]

@lhsazevedo Would you look at that! Many thanks for the update, LibreSign 6.2.7 did the trick with my production as well (I just had to update LibreSign in Nextcloud GUI), all success apart from imagick, which I believe I will need to rebuild NextCloud AIO with Nextcloud_additional_APKS as you mentioned. Thank you for the link and your work on this!

@lhsazevedo Off-topic question: Is there a way to ask for signatures without requiring for an account? This features would really get it close to DocuSign (Clinex of signature validations).

[lhsazevedo]

Great! Happy to help. Let us know if you got it fully working.

At the moment, a Nextcloud account is required for signing the document, but we are aware that removing this requirement would fit LibreSign to lots of use cases out there. This will require some significant rework in the app though, we are planning this in #1406.

@Prodject I'm closing this for now, but don't hesitate to ping us if it still fails in a clean install.

[bigbeka]

@lhsazevedo We might need to reopen this, as original issue came back, right after I tried to add "imagick" to -e NEXTCLOUD_ADDITIONAL_APKS and I re-pulled the latest Nextcloud Docker image in this process.

I can confirm that the same issue came up when I re-pulled the latest image for the fresh/test instance.

This is on my production instance:

Could you suggest how to go about this now?

[lhsazevedo]

Thanks for reporting again. Sure. I suggest you to running the following commands:

# Uninstall all LibreSign binaries (Java, cfssl etc)
php occ libresign:uninstall --all

# Update Nextcloud filesystem nodes for libresign app data
php occ files:scan-app-data libresign

Then proceed to the settings page and try downloading the binaries again. I've found that sometimes I need to click "download binaries" button for a second time when the first one fails.

If that doesn't work, you could also repeat the commands above but this time download the binaries using the CLI:

# Uninstall LibreSign binary dependencies (Java, cfssl etc)
php occ libresign:uninstall --all

# Update Nextcloud filesystem nodes for libresign app data
php occ files:scan-app-data libresign

# Install LibreSign binary dependencies
php occ libresign:install --all

Either way, please report the results here to help us track this down.

[bigbeka]

Many thanks @lhsazevedo , you are the best!

So I managed to get the dependencies installed with 3 CLI commands:

php occ libresign:uninstall --all php occ files:scan-app-data libresign php occ libresign:install --all

GUI 'Downloads binaries' did not help.

Running the second command gave me an error, which is not related to LibreSign, it is actually being tracked here.

I have also tried to recreate the Nextcloud container, dependencies seem to be working and are not showing any errors.

For the life of me, I can't get imagick working, as you suggested, I have added -e NEXTCLOUD_ADDITIONAL_APKS="imagick imagemagick".

• Would you have any suggestions on this?

[bigbeka]

Reading through the internet, I came across this, which might be interesting: https://github.com/nextcloud/server/issues/13099#issue

Would you guys consider switching from imagick to something else as suggested in the above discussion?

[BicycleMarketResearchLLC]

Thank you all for working on this, I have been following and trying the suggested resolutions. I keep getting this error in the GUI. It seems like a slight version mismatch in JRE:

Invalid java version. Found: sh: /mnt/ncdata/appdata_ocmmonyuk9bz/libresign/java/jdk-17.0.5+8-jre/bin/java: not found expected: openjdk version "17.0.5" 2022-10-18

Do you know if there is a mechanism to specify the correct version of java for the install? I am on the latest AIO deployment of Nextcloud on an Ubuntu VPS.

[lhsazevedo]

No problem, I'm learning a lot while trying to understand what is happening!

Oh, that should be -e NEXTCLOUD_ADDITIONAL_APKS="imagemagick ghostscript", where:

• imagemagick is the sole default value of NEXTCLOUD_ADDITIONAL_APKS, we are just keeping it:

  By default added is imagemagick. If you want to keep that, you need to specify it. (source)

• ghostscript is the dependency that was missing here

That should fix it.

Thanks for sharing the concerns around imagick vulnerabilities. The app uses it only for rendering pages when adding visible signatures, it would be necessary to estimate the work required to switch to a safer alternative like the new Imaginary service mentioned in the thread you sent. Would you mind creating an issue for this?

---

Hi @BicycleMarketResearchLLC, I guess the cause of your problem is not related to this one. Could you open a new issue for it?

[lhsazevedo]

@bigbeka We improved error logging for the setup process in v6.2.9 (Nextcloud 25) and v7.0.0 (Nextcloud 26).

Maybe we can get more details about your issue. Try downloading binaries again and, if it fails, please share the last entries from data/nextcloud.log.

[bigbeka]

Hi @lhsazevedo Thank you very much! I have now upgraded my NC25 to NC26.0.0

I had deleted LibreSign before doing this, so I downloaded LibreSign 7.0.0 and tried to download binaries and here are the errors that it output. Does it tell anything useful?

[bigbeka]

@lhsazevedo After trying (with no luck) the new version, I tried manually running CLI commands you shared above, and they worked as expected, but the imagemagick is still not working. 🤷‍♂️ I have added - NEXTCLOUD_ADDITIONAL_APKS="imagemagick ghostscript" in the Nextcloud's docker-compose environment script.

Any other thoughts on this?

Oh, that should be -e NEXTCLOUD_ADDITIONAL_APKS="imagemagick ghostscript", where:

• imagemagick is the sole default value of NEXTCLOUD_ADDITIONAL_APKS, we are just keeping it:

  By default added is imagemagick. If you want to keep that, you need to specify it. (source)

• ghostscript is the dependency that was missing here

That should fix it.

[vitormattos]

Ghostscript and ImageMagick is mandatory. You need to have both at server machine.

[lhsazevedo]

Any other thoughts on this?

Either you do not have ghostscript installed or LibreSign wasn't able to detect it, the former is most likely. You can check by opening a shell in your Nextcloud container and typing gs --version.

[bigbeka]

@lhsazevedo Thank you, as always, you were right, gs is not installed despite the fact that I have the -e NEXTCLOUD_ADDITIONAL_APKS="imagemagick ghostscript" added to my docker-compose.yml.

Your suggestions on this error would be greatly appreciated. I will do some googling.

[bigbeka]

Hi @lhsazevedo Thank you very much! I have now upgraded my NC25 to NC26.0.0

I had deleted LibreSign before doing this, so I downloaded LibreSign 7.0.0 and tried to download binaries and here are the errors that it output. Does it tell anything useful?

@lhsazevedo It would be great to resolve this, as I am back in square 1 with 'Download Binaries'. As soon as I re-pull the image and docker-compose up I get the following state:

[lhsazevedo]

Oops, I missed your comment about the error log. I'll take a look into it later this weekend. Thank you for your patience.

[bigbeka]

Not at all, thank YOU for your help! Have a great weekend.On 25 Mar 2023, at 12:24, Lucas Azevedo @.***> wrote: Oops, I missed your comment about the error log. I'll take a look into it later this weekend. Thank you for your patience.

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: @.***>

[bigbeka]

@lhsazevedo Any news on this? Is there anything I could troubleshoot?

[Nocross]

"Java not installed"

Cause:

Download of incompatible flavor of OpenJDK: linux - instead of alpine, which is the base for AIO NextCloud.

Suggestion(s):

Add fallback to OS environment java as it will be sufficiently expectable for Operator/Administrator.

Remove download(s) of external binaries:

• Security issue - patching of 'embedded' java is completely reliant on Developer/Maintainer(s) of the app;
• Single point of failure - completely dependent on existence and availability of GitHub.

"imagick/ghostscript "

Cause:

Narrow test for executable pass with single well-known name - ConfigureCheckService.php

Suggestion(s):

• Extend heuristics for more well-known names/alias(es) and/or query distribution package manager for info;
• Provide setting for manageable configuration.

[szaimen]

Hi, what about using -e NEXTCLOUD_ADDITIONAL_APKS="imagemagick openjdk17-jre ghostscript"

[Nocross]

@szaimen, will not suffice by itself.

one'll have to manually override java_path setting (ConfigureCheckService.php:164) and create a symlink for /usr/bin/gs (i. e. to /usr/local/bin/ghostscript) which will deviate from alpine package.

[vitormattos]

@Nocross you can use this app setting to change the java path too and do a handmade setup. But the easiest way to do the setup is using the interface that will download all the necessary binaries because all the binaries to LibreSign works will stay inside the app data folder and you don't need to worry about how to do the setup.

[Nocross]

@vitormattos, the setup procedure is fragile and it won't work out of the box for AIO flavor of NextCloud - as it downloads wrong archive for java. Correct one for alpine can be downloaded - https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.5%2B8/OpenJDK17U-jre_x64_alpine-linux_hotspot_17.0.5_8.tar.gz

To be precise: InstallService.php:L261 assumes that beside arch all linux distribution are uniform.

[vitormattos]

I'm thinking about to increase this part of code and put a link to a issue or other place that can help other people to solve problems related to Java setup:

https://github.com/LibreSign/libresign/blob/main/lib/Service/ConfigureCheckService.php#L118-L134

[prevail90]

i pulled

/var/www/html # php java_test.php `./occ config:app:get libresign java_path' The file Console didn't exists.

after I created a java_test.php and inputted:

<?php if (!function_exists('exec')) { die("function exec didn't exists.\n"); }

if (!file_exists($argv[1])) { printf("The file %s didn't exists.\n", $argv[1]); die(); }

if (!is_executable($argv[1])) { printf("The file %s haven't execution permission.\n", $argv[1]); die(); }

echo "Current date: "; \exec('date', $output); var_dump($output);

\exec($argv[1] . " -version 2>&1", $output); var_dump($output);

[narendra-bhole]

I'm also facing similar error

Invalid java version. Found: sh: /mnt/ncdata/appdata_ocmmonyuk9bz/libresign/java/jdk-17.0.5+8-jre/bin/java: not found expected: openjdk version "17.0.5" 2022-10-18

it looks some excution permission issue in docker. Please help me to resolve

[Aniket-IN]

Same issue, just using the simple default Nextcloud Docker AIO installation still facing same issue.

[Arbel-arad]

i noticed this error when trying to install the dependencies the error only shows up when using the button on the web interface, but installing with OCC still doesn't work.

[Arbel-arad]

looking at it again, i tried to sign a document and got the following result:

Error to sign PDF. ["sh: \/mnt\/ncdata\/appdata_oc5bwmghpu5h\/libresign\/java\/jdk-17.0.5+8-jre\/bin\/java: not found"]

there appear to be both a forward and back slash in all locations. (is this intended?) also, the java files are indeed in the correct folder:

3f9316d05ee4:/var/www/html$ ls -l /mnt/ncdata/appdata_oc5bwmghpu5h/libresign/java/jdk-17.0.5+8-jre/bin/
total 120
-rwxrwx--- 1 www-data root 16320 Oct 19  2022 java
-rwxrwx--- 1 www-data root 16336 Oct 19  2022 jfr
-rwxrwx--- 1 www-data root 16376 Oct 19  2022 jrunscript
-rwxrwx--- 1 www-data root 16336 Oct 19  2022 keytool
-rwxrwx--- 1 www-data root 16344 Oct 19  2022 rmiregistry
3f9316d05ee4:/var/www/html$ 

trying to execute java manually errors out as well:

3f9316d05ee4:/mnt/ncdata/appdata_oc5bwmghpu5h/libresign/java/jdk-17.0.5+8-jre/bin$ ./java --version
bash: ./java: cannot execute: required file not found

[vitormattos]

I made a lot of changes at setup flow.

Who with Nextcloud AIO could help testing again to check if this issue was solved?

[bigbeka]

I will try it now. Do I need to delete anything manually before reinstalling? I already had LibreSign installed on my instance of NC.

[bigbeka]

Magic!! It all works as it should! Thank you for implementing additional identification factors. They all work like charm. All dependencies are installed with a click of a button! I tested signing with "Email" both with "Request to create account..." and without. Both worked.

Although the "Identification documents" doesn't seem to work. The flow does not ask to upload any ID docs.

I made a lot of changes at setup flow.

Who with Nextcloud AIO could help testing again to check if this issue was solved?

[vitormattos]

Wow! Very happy by your feedback!

Although the "Identification documents" doesn't seem to work. The flow does not ask to upload any ID docs.

Could you open an issue about this?

I think that now is the time to close this issue. It's the party time!

[!NOTE]

If you like this app, don't hesitate to help us

Ways to help this project:

• Creating a very nice review of this project at:
  • social networks like LinkedIn, Instagram, etc and putting the @LibreSign and @LibreCodeCoop
  • AlternativeTo https://alternativeto.net/software/libresign/
  • Nextcloud apps store: https://apps.nextcloud.com/apps/libresign
• Sponsoring the development by GitHub sponsor https://github.com/sponsors/LibreSign
• helping the translations on Transifex
• contacting us to have Enterprise support: https://libresign.coop

[martin-77]

Please reopen: @vitormattos

Not working on nextcloud-aio with manual upgrade to hub 8 same was on hub 7

errors:

c2bc57ffc481:/var/www/html$ php occ libresign:configure:check
 --------- ----------------- --------------------------------------------------------------------------------------------------- -----------------------------------
  Status    Resource          Message                                                                                             Tip
 --------- ----------------- --------------------------------------------------------------------------------------------------- -----------------------------------
   error    java              Java binary not found: /mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin/java   Run occ libresign:install --java
   error    pdftk             PDFtk binary is invalid: /mnt/ncdata//appdata_ocmhlw0tagos/libresign/pdftk.jar                      Run occ libresign:install --pdftk
   error    jsignpdf          Necessary Java to run JSignPdf                                                                      Run occ libresign:install --java
  success   cfssl             CFSSL binary path: /mnt/ncdata/appdata_ocmhlw0tagos/libresign/cfssl
  success   cfssl             CFSSL: Version: 1.6.4, Runtime: go1.18
  success   cfssl-configure   Root certificate config files found.
 --------- ----------------- --------------------------------------------------------------------------------------------------- -----------------------------------
c2bc57ffc481:/var/www/html$ php occ libresign:install --all
Downloading java...
    0 [>---------------------------]Failure on download java try again.
Directory /mnt/ncdata//appdata_ocmhlw0tagos/libresign/java does not exist for sink value of /mnt/ncdata//appdata_ocmhlw0tagos/libresign/java/OpenJDK21U-jre_x64_linux_hotspot_21.0.2_13.tar.gz
    0 [->--------------------------]
    0 [--->------------------------]Failure on download java, empty file, try again 

/mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin/java: folder is empty /mnt/ncdata//appdata_ocmhlw0tagos/libresign/pdftk.jar: strange error //

any idea how to fix the // error?

[vitormattos]

Try to run the occ command: occ files:scan-app-data libresign

[martin-77]

Command shows 8 folders and 26 files.

[vitormattos]

Check now if all is working fine.

You also can use the UI at Administration Settings > LibreSign

[martin-77]

Still the same. tried occ uninstall and install, java stays uninstalled. Or to be more precise:

the // thing is gone, but still:

c2bc57ffc481:/var/www/html$ php occ libresign:configure:check
 --------- ----------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------
  Status    Resource          Message                                                                                                                                                                    Tip
 --------- ----------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------
   error    java              Invalid java version. Found: sh: /mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin/java: not found expected: openjdk version "21.0.2" 2024-01-16 LTS   Run occ libresign:install --java
   error    pdftk             PDFtk binary is invalid: /mnt/ncdata/appdata_ocmhlw0tagos/libresign/pdftk.jar                                                                                              Run occ libresign:install --pdftk
   error    jsignpdf          Necessary Java to run JSignPdf                                                                                                                                             Run occ libresign:install --java
  success   cfssl             CFSSL binary path: /mnt/ncdata/appdata_ocmhlw0tagos/libresign/cfssl

  success   cfssl             CFSSL: Version: 1.6.4, Runtime: go1.18

  success   cfssl-configure   Root certificate config files found.

 --------- ----------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------

tried

php occ libresign:uninstall --all
php occ files:scan-app-data libresign
php occ libresign:install --all

nothing changed

[vitormattos]

Sounds that could be related with:

• https://github.com/LibreSign/libresign/issues/2327

The issue #2327 already was solved but is open because is necessary to think more about how to give tips to identify that is a problem related to policies of SELinux.

To identify if is about policy, try to run the command to check the java version directly at the terminal of your server.

/mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin/java --version

And first, check if this file (java) exists.

[martin-77]

java is not installed, folder is empty

c2bc57ffc481:/var/www/html$ /mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin/java --version
bash: /mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin/java: cannot execute: required file not found

edit: have to correct myself:

c2bc57ffc481:/mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin$ ls -la
total 104
drwxr-xr-x 2 www-data www-data  4096 Apr 26 17:12 .
drwxr-xr-x 6 www-data www-data  4096 Apr 26 17:12 ..
-rwxr-xr-x 1 www-data www-data 16240 Jan 17 06:55 java
-rwxr-xr-x 1 www-data www-data 16304 Jan 17 06:55 jfr
-rwxr-xr-x 1 www-data www-data 16344 Jan 17 06:55 jrunscript
-rwxr-xr-x 1 www-data www-data 16312 Jan 17 06:55 jwebserver
-rwxr-xr-x 1 www-data www-data 16304 Jan 17 06:55 keytool
-rwxr-xr-x 1 www-data www-data 16336 Jan 17 06:55 rmiregistry
c2bc57ffc481:/mnt/ncdata/appdata_ocmhlw0tagos/libresign/java/jdk-21.0.2+13-jre/bin$ ./java --version
bash: ./java: cannot execute: required file not found