Mattermost, Inc.

Command Line Interface (CLI) throwing certificate error

When I try to use the Mattermost CLI as user mattermost to run “./mattermost version”, I get:

panic: failed to apply option: failed to apply Config option: failed to load: invalid config: Config.IsValid: Invalid value for TLS certificate file - Either use LetsEncrypt or set path to existing certificate file,

The certificates are configured correctly in the System Console, I’m able to get to Mattermost at an https address using both the browser and desktop client. Any ideas? Thanks!

Hey there @elkapitan, just to check, are you using a self-signed or CA-signed certificate? Also, does this happen with other users and other commands as well?

Hi Joe. It is a self-signed certificate from an internal provider, but has a chain up to a CA embedded it it. And, the error does happen with other users and other commands, I just used mattermost version as an example.

Hello, @elkapitan

The error you are seeing was called from the this line of code in Mattermost - model.config.is_valid.tls_cert_file.app_error and since you mentioned that you are using a self signed certificate form an internal CA, I suspect that it is a combination of enabling forward80to443 as well as UseLetsEncrypt.

May I know if you are able to provide the snippet of the following parameters from ServiceSettings section in the config.json to verify this? For example, this is how it looks like on a fresh installation on my end:

"TLSCertFile": "",
"TLSKeyFile": "",
"UseLetsEncrypt": false,
"LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
"Forward80To443": false,

Hi @ahmaddanial,

Here is the ServiceSettings section of my config.json:

“ServiceSettings”: {
“SiteURL”: “”,
“WebsocketURL”: “”,
“LicenseFileLocation”: “”,
“ListenAddress”: “:443”,
“ConnectionSecurity”: “TLS”,
“TLSCertFile”: “./tls/”,
“TLSKeyFile”: “./tls/”,
“TLSMinVer”: “1.2”,
“TLSStrictTransport”: true,
“TLSStrictTransportMaxAge”: 63072000,
“TLSOverwriteCiphers”: [],
“UseLetsEncrypt”: false,
“LetsEncryptCertificateCacheFile”: “./config/letsencrypt.cache”,
“Forward80To443”: true,
“TrustedProxyIPHeader”: [

Hello, @elkapitan

Thanks for the clarification. Since “UseLetsEncrypt”: false is in place, may I know if your Mattermost instance is publicly accessible? If yes, can you please provide with the URL to your Mattermost site?

Additionally, can you confirm that the TLSCertFile and TLSKeyFile is in the directory? A simple ls -lAh command on the directory will help.

For anyone else in the same boat, I was able to resolve by redoing the chown and chmod commands listed in the install guide on the mattermost directory. I also had to change the TLSCertFile and TLSKeyFile path references in config.json from relative ("./yourtlsfolder/yourcert") to absolute ("/opt/mattermost/yourtlsfolder/yourcert"). I don’t know why relative paths stopped working on my setup.