Gitlab mattermost error: certificate is not valid for any names, but wanted to match


#1

Hi,

I’m trying to set up gitlab and mattermost behind haproxy.
I’m using the official docker image of gitlab/gitlab-ce , tag 9.2.1-ce.0 .
Both of them should be running in one and the same container, which maps the exposed ports 80 and 443 on the host 192.168.10.121:

8080 -> 80
8443 -> 443

gitlab uses the hostname ‘git.mydomain.com’,
mattermost uses ‘chat.mydomain.com’

Both are directed to the same haproxy backend:

backend http_gitlab
mode http
option httplog
option forwardfor
option http-server-close
option httpchk
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
server gitlab 192.168.10.121:8080 maxconn 50

I’ve modified the gitlab.rb according the gitlab documentation:

external_url 'https://git.mydomain.com'
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
}

mattermost_external_url 'https://chat.mydomain.com'
mattermost_nginx['listen_port'] = 80
mattermost_nginx['listen_https'] = false
mattermost_nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
}

gitlab itself is working fine at https://git.mydomain.com .
But mattermost has an issue with SSO: After it redirects me to gitlab for login and I click ‘Authorize’, a blank page is displayed. The page source contains:

{"id":"api.user.authorize_oauth_user.token_failed.app_error","message":"Token request failed","detailed_error":"","request_id":"km8x4wu9if817njji1rwb1smjc","status_code":500}

And an error message is raised in the mattermost current log:

2017-05-25_10:30:18.81999 [2017/05/25 10:30:18 UTC] [EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=urc7pnxmwpgd5p6xs73botb3gr uid= ip=192.168.10.2, 192.168.10.101 Token request failed [details: Post https://git.mydomain.com/oauth/token: x509: certificate is not valid for any names, but wanted to match git.mydomain.com]

I’ve no clue what could cause this error. gitlab is running fine with the certificate on the proxy server. I also copied the git.mydomain.com.crt from the haproxy server to the config/ssl dir of gitlab because it also contains the CA’s cert. But the error persists.

Does someone have any hint about the issue?

Thanks a lot.


#2

Solved it. At least partially. The container dns-resolved git.mydomain.com and chat.mydomain.com to the external address which gets nat’ed and then forwarded with haproxy. For some reason there is an issue with SSO in that scenario. I’ve temporarily extended the /etc/hosts of the container to contain the mapping of git.mydomain.com and chat.mydomain.com to the internal address of haproxy. This made the SSO work. But it would be nice to know about the reason for this behaviour.


#3

Thanks for posting your solution @expatcz,

I’ve asked one of our devs for feedback on the reason for the behaviour and once I hear back I’ll post here :slight_smile:


#4

Sorry about the long delay @expatcz, the devs are a little busy with the current release which is due out on June 16th but they should have feedback for you soon :slight_smile:


#5

I’ve the same error. But I’m not behind a proxy. I’m in an internal network.


#6

I’ve the same error. But behind an nginx proxy.


#7

Hi @expatcz @Positron and @mkzaker,

Thanks for your feedback and apologies for the delayed response. We’ve just shipped v3.10 release so our devs should be more available to help.

FYI, I did come across this GitLab Mattermost Install Guide that might have some help for your issue. We also have this ticket open which may be affecting your installation.


#8

I had this error once too. It was because when I created the certificate, I left the Common Name blank. It seems that Mattermost rejects the certificate if you don’t specify the correct FQDN in the certificate. In your case, that would be git.mydomain.com.
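
Added example (not part of the thread and not Mattermost's own code): the Go program below runs the hostname check that Go's crypto/x509 applies to a server certificate, using constructed sample certificates to show which sets of names produce the error in the log from post #1. `makeCert` and `checkHost` are hypothetical helper names; current Go releases match only subjectAltName entries and ignore the Common Name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert (hypothetical helper) returns a constructed, self-signed sample
// certificate in PEM form with the given Common Name and DNS SANs.
func makeCert(cn string, sans []string) []byte {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // throwaway sample key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"constructed sample"}, CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// checkHost runs the name check a Go TLS client applies to the leaf certificate.
func checkHost(certPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	for _, sans := range [][]string{nil, {"chat.mydomain.com"}, {"git.mydomain.com"}} {
		fmt.Printf("SANs %v -> %v\n", sans, checkHost(makeCert("", sans), "git.mydomain.com"))
	}
}
```

`checkHost` accepts any PEM certificate, so it can also be given the certificate that is actually presented at the address the container resolves for git.mydomain.com.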