SSO with Letsencrypt certificates on two machines: Bad response from token request!

I have Omnibus Gitlab and Mattermost installed on two separate machines. Both use HTTPS with Let's Encrypt certificates and HTTPS works fine.

The problem is that when I use SSO with Gitlab, Mattermost returns the dreadful error: Bad response from token request. The log file is the following (note how the details section is empty!):

[EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=o9nzr1yjbtr15xqi5hy8pwssnh uid= ip=IP_ADDRESS Bad response from token request [details: ]

I have tried including the Let's Encrypt certificate authority as explained in other posts, etc., but it did not help. Any suggestions? Would love to solve this issue.

Thanks!

Just to give more context, I have created an account on Mattermost and tried to enable SSO as login method. Here is the Gitlab log when SSO fails. Any help would be really appreciated!

One thing I noticed is that the callback URL called is always ‘…/signup/gitlab/complete’ while ‘…/login/gitlab/complete’ never gets called.

Thanks!

Started POST "/oauth/authorize" for IP_ADDRESS at 2016-10-18 21:52:51 +0000
Processing by Oauth::AuthorizationsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"K7h0ebqZQoHcuD00WuUwP/8Z8vwN8RDrb6bwrNZt2iXyxkGpmZ2iCdBb2DwmeG0ZxbtqxsNAIf+QgqiyegNQOA==", "client_id"=>"606b5f0a4ed6095a957a6444dff9b9619a7f493ae5e2077f7fa4d4eae79837a2", "redirect_uri"=>"https://MYSERVER.com/signup/gitlab/complete", "state"=>"eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImFuZHJlYStyZXBvQG15amlrby5jb20iLCJoYXNoIjoiJDJhJDEwJEFuSmE0Smt1dUhGR1dpaTIyR1NlR09scmNJOUdnczNxVEMwYWZ6YWxiRHNhc2guQkZITEguIn0=", "response_type"=>"code", "scope"=>"api"}
Redirected to https://MYSERVER.com/signup/gitlab/complete?code=c6fa61dec82e38549ca647863dc3df14c3e17ee3fc7b3245d7871b11a2ff4683&state=eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImFuZHJlYStyZXBvQG15amlrby5jb20iLCJoYXNoIjoiJDJhJDEwJEFuSmE0Smt1dUhGR1dpaTIyR1NlR09scmNJOUdnczNxVEMwYWZ6YWxiRHNhc2guQkZITEguIn0%3D
Completed 302 Found in 8ms (ActiveRecord: 2.5ms)
Started GET "/oauth/authorize?response_type=code&client_id=606b5f0a4ed6095a957a6444dff9b9619a7f493ae5e2077f7fa4d4eae79837a2&redirect_uri=https%3A%2F%2FNYSERVER.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImFuZHJlYStyZXBvQG15amlrby5jb20iLCJoYXNoIjoiJDJhJDEwJDVzUkFzclJHWnBNa1VvMk9YT1J4ZGVaWi9QVjVuOWtHeXdiQmFMelZBaVVmM0gxaDBRQTZxIn0%3D" for IP_ADDRESS at 2016-10-18 21:55:47 +0000
Processing by Oauth::AuthorizationsController#new as HTML
Parameters: {"response_type"=>"code", "client_id"=>"606b5f0a4ed6095a957a6444dff9b9619a7f493ae5e2077f7fa4d4eae79837a2", "redirect_uri"=>"https://MYSERVER.com/signup/gitlab/complete", "state"=>"eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImFuZHJlYStyZXBvQG15amlrby5jb20iLCJoYXNoIjoiJDJhJDEwJDVzUkFzclJHWnBNa1VvMk9YT1J4ZGVaWi9QVjVuOWtHeXdiQmFMelZBaVVmM0gxaDBRQTZxIn0="}
Completed 200 OK in 31ms (Views: 24.3ms | ActiveRecord: 3.1ms)
Started POST "/oauth/authorize" for IP_ADDRESS at 2016-10-18 21:55:52 +0000
Processing by Oauth::AuthorizationsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"hB2kUWhbB7m4lvjHxdwBgYuOwJ2HueFuw8oiYZ4yIrBdY5GBS1/nMbR1Hc+5QVynsSxYp0kI0Ho87np/MlyorQ==", "client_id"=>"606b5f0a4ed6095a957a6444dff9b9619a7f493ae5e2077f7fa4d4eae79837a2", "redirect_uri"=>"https://MYSERVER.com/signup/gitlab/complete", "state"=>"eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImFuZHJlYStyZXBvQG15amlrby5jb20iLCJoYXNoIjoiJDJhJDEwJDVzUkFzclJHWnBNa1VvMk9YT1J4ZGVaWi9QVjVuOWtHeXdiQmFMelZBaVVmM0gxaDBRQTZxIn0=", "response_type"=>"code", "scope"=>"api"}
Redirected to https://MYSERVER.com/signup/gitlab/complete?code=928608464c91b8a4d1da9f170c1019a606d885b846e0a4068f35acfb16c09a5c&state=eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImFuZHJlYStyZXBvQG15amlrby5jb20iLCJoYXNoIjoiJDJhJDEwJDVzUkFzclJHWnBNa1VvMk9YT1J4ZGVaWi9QVjVuOWtHeXdiQmFMelZBaVVmM0gxaDBRQTZxIn0%3D
Completed 302 Found in 11ms (ActiveRecord: 6.5ms)
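
Added example, not from the thread or from Mattermost's own code: a small Python decoder for the state parameter carried in the "Redirected to" log lines above. Those values are base64-encoded JSON whose action field reads email_to_sso (the account-to-SSO switch being attempted here) next to the account email and a bcrypt-style hash, so the GitLab log is keeping the user's address in clear; the sample line below is constructed for a placeholder user rather than copied from the log, and the redaction helper is a hypothetical addition.

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed sample for a hypothetical user, in the same shape as the real
# state values in the GitLab log above: base64 of compact JSON with
# "action", "email" and "hash" fields.
SAMPLE_STATE_OBJ = {
    "action": "email_to_sso",
    "email": "user@example.com",
    "hash": "$2a$10$" + "x" * 53,  # bcrypt-shaped placeholder, not a real hash
}
SAMPLE_STATE = base64.b64encode(
    json.dumps(SAMPLE_STATE_OBJ, separators=(",", ":")).encode()
).decode()

# Constructed log line laid out like the "Redirected to ..." lines above;
# the trailing "=" of the base64 arrives URL-encoded as %3D.
SAMPLE_LOG_LINE = (
    "Redirected to https://MYSERVER.com/signup/gitlab/complete"
    "?code=0123456789abcdef&state=" + SAMPLE_STATE.replace("=", "%3D")
)

STATE_RE = re.compile(r"[?&]state=([^&\s\"]+)")

def extract_state(log_line: str):
    """Return the raw, still URL-encoded state value from a redirect line, or None."""
    match = STATE_RE.search(log_line)
    return match.group(1) if match else None

def decode_state(raw_state: str) -> dict:
    """URL-decode, restore base64 padding and parse the JSON inside state."""
    b64 = unquote(raw_state)
    b64 += "=" * (-len(b64) % 4)  # tolerate padding stripped by a proxy or log
    return json.loads(base64.b64decode(b64))

def summarize_state(log_line: str) -> dict:
    """Decode the state and redact the email before it is written to a new log."""
    raw = extract_state(log_line)
    if raw is None:
        raise ValueError("no state parameter in line")
    data = decode_state(raw)
    local, _, domain = data.get("email", "").partition("@")
    return {
        "action": data.get("action"),
        "email_redacted": f"{local[:1]}***@{domain}" if domain else None,
        "has_bcrypt_hash": data.get("hash", "").startswith("$2a$"),
    }
```

Running summarize_state over a real redirect line shows which Mattermost flow produced the callback without copying the address into another log.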

I have found that this is because my Gitlab has SSL client certificates enabled. Seems to be a bug! Am I missing something? Is there a way to use SSO when SSL client certificates have been enabled in Gitlab?

Thanks!

Hi @andrea,

I apologize for the late response. Mattermost currently doesn’t support using SSL client certificates but it’s certainly something we’d add if it garnered enough community support for the idea.

It looks like there is already some support for the idea here. If you'd like to show your support, feel free to create an account and vote/comment on the issue.