Https access problem

Hi,
I have installed Mattermost on a VPS. It was working well.
Then I created a domain (see SiteURL in the excerpt below) that I directed to the IP address of my server. I created Let's Encrypt certificates, and the diagnostic was OK on ssllabs.
I configured Mattermost to listen to the port 443, which is opened.
Then it doesn't work anymore (nor does ssllabs).

The true address of the server is https://vps701695.ovh.net.

I don’t understand what’s wrong.
Here are the first lines of config.json:

"SiteURL": "https://www.talk.rohou.fr",
"WebsocketURL": "",
"LicenseFileLocation": "",
"ListenAddress": ":443",
"ConnectionSecurity": "TLS",
"TLSCertFile": "/etc/letsencrypt/live/talk.rohou.fr/fullchain.pem",
"TLSKeyFile": "/etc/letsencrypt/live/talk.rohou.fr/privkey.pem",
"TLSMinVer": "1.2",
"TLSStrictTransport": false,
"TLSStrictTransportMaxAge": 63072000,
"TLSOverwriteCiphers": [],
"UseLetsEncrypt": true,
"LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
"Forward80To443": true,
"TrustedProxyIPHeader": [
    "X-Forwarded-For",
    "X-Real-IP"
],

Is there someone with an idea ?
Thanks.

Is the mattermost binary running as an unprivileged user? You can't just bind 443 without being root or without setting capabilities. It's advisable to use a reverse proxy like nginx instead of the http server inside mattermost though. Instructions can be found here https://docs.mattermost.com/install/config-proxy-nginx.html and an nginx conf generator https://ssl-config.mozilla.org/. In this case you need to revert all the changes and let mattermost listen on 8065 and proxy requests to this port.

I don't understand where my problem comes from…
I tried to get rid of apache and I installed nginx.
nginx is working fine, but mattermost refuses to start because port 443 is already used… The only three applications on the server are webmin, nginx and mattermost…
The test on ssllabs for mydomain (talk.rohou.fr) is now right.

[mydomain] is talk.rohou.fr and its ip is 51.91.248.71

The mattermost file in sites-enabled begins with:

upstream backend {
   server 51.91.248.71:8065;
   keepalive 32;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
   listen 80 default_server;
   server_name   [mydomain] ;
   return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name    [mydomain] ;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/[mydomain]/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/[mydomain]/privkey.pem;

And mattermost's config.json begins with:

"ServiceSettings": {
        "SiteURL": "[mydomain]",
        "WebsocketURL": "",
        "LicenseFileLocation": "",
        "ListenAddress": ":443",
        "ConnectionSecurity": "TLS",
        "TLSCertFile": "/etc/letsencrypt/live/[mydomain]/fullchain.pem",
        "TLSKeyFile": "/etc/letsencrypt/live/[mydomain]/privkey.pem",
        "TLSMinVer": "1.2",
        "TLSStrictTransport": false,
        "TLSStrictTransportMaxAge": 63072000,
        "TLSOverwriteCiphers": [],
        "UseLetsEncrypt": true,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": true,

When I do a curl on localhost:80, it gives:

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

When I do a curl on localhost:443, it gives:

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

When I do a curl on localhost:8065, it gives:

curl: (7) Failed to connect to localhost port 8065: Connexion refusée

I’m lost…
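As an added example, not code from the thread, from Mattermost or from the nginx docs: a small Python check that reads a Mattermost ServiceSettings block together with the nginx vhost meant to front it, and lists every setting that conflicts with letting nginx terminate TLS. It covers the situation in both the reply above (bind 443 needs root or capabilities, so put nginx in front and let Mattermost listen on 8065) and the follow-up (nginx already owns 443, Mattermost is still configured for :443 and so never starts, which is why 8065 refuses connections). The config and vhost embedded below are constructed to mirror the ones posted, with talk.example.invalid as a placeholder hostname and the upstream pointed at loopback; the names check_proxy_mode, proxy_mode_settings and nginx_ports are chosen here.

```python
import json
import re

# Constructed sample mirroring the poster's ServiceSettings; the hostname is a placeholder.
MATTERMOST_CONFIG = json.dumps({
    "ServiceSettings": {
        "SiteURL": "https://talk.example.invalid",
        "ListenAddress": ":443",
        "ConnectionSecurity": "TLS",
        "TLSCertFile": "/etc/letsencrypt/live/talk.example.invalid/fullchain.pem",
        "TLSKeyFile": "/etc/letsencrypt/live/talk.example.invalid/privkey.pem",
        "UseLetsEncrypt": True,
        "Forward80To443": True,
        "TrustedProxyIPHeader": ["X-Forwarded-For", "X-Real-IP"],
    }
}, indent=2)

# Constructed nginx vhost in the shape posted in the thread. The upstream points at
# loopback so the plain-HTTP backend is not reachable from the public interface.
NGINX_VHOST = """
upstream backend {
   server 127.0.0.1:8065;
   keepalive 32;
}
server {
   listen 80 default_server;
   server_name talk.example.invalid;
   return 301 https://$server_name$request_uri;
}
server {
   listen 443 ssl http2;
   server_name talk.example.invalid;
   ssl_certificate /etc/letsencrypt/live/talk.example.invalid/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/talk.example.invalid/privkey.pem;
   location / {
      proxy_pass http://backend;
   }
}
"""

# 'listen [addr:]port ...;' inside server blocks; 'server host:port;' inside upstream blocks.
LISTEN_RE = re.compile(r"^\s*listen\s+(?:[\w.:\[\]]*:)?(\d+)\b", re.M)
UPSTREAM_RE = re.compile(r"^\s*server\s+[\w.]+:(\d+)\s*;", re.M)


def nginx_ports(conf):
    """Return (ports nginx binds, ports nginx proxies to) as two sets of ints."""
    bound = {int(p) for p in LISTEN_RE.findall(conf)}
    upstream = {int(p) for p in UPSTREAM_RE.findall(conf)}
    return bound, upstream


def listen_port(listen_address):
    """Mattermost's ListenAddress is '[host]:port'; the port follows the last colon."""
    return int(listen_address.rsplit(":", 1)[-1])


def check_proxy_mode(config_json, nginx_conf):
    """List every ServiceSettings value that conflicts with nginx terminating TLS in front."""
    ss = json.loads(config_json)["ServiceSettings"]
    bound, upstream = nginx_ports(nginx_conf)
    port = listen_port(ss["ListenAddress"])
    problems = []
    if port in bound:
        problems.append(f"ListenAddress port {port} is already bound by nginx, so Mattermost cannot start")
    if upstream and port not in upstream:
        problems.append(f"nginx proxies to {sorted(upstream)} but Mattermost listens on {port}")
    if port < 1024:
        problems.append(f"port {port} is privileged; an unprivileged mattermost user needs root or CAP_NET_BIND_SERVICE")
    if ss.get("ConnectionSecurity") == "TLS":
        problems.append("ConnectionSecurity=TLS makes Mattermost terminate TLS itself; nginx already does")
    if ss.get("UseLetsEncrypt"):
        problems.append("UseLetsEncrypt=true expects Mattermost to answer on 80/443; with nginx in front, certbot handles issuance")
    if ss.get("Forward80To443"):
        problems.append("Forward80To443=true expects Mattermost on port 80; the nginx 'return 301' block already redirects")
    return problems


def proxy_mode_settings(config_json, upstream_port=8065):
    """Return the config as JSON text rewritten for proxy mode: plain HTTP on the upstream port, no TLS or ACME in Mattermost."""
    cfg = json.loads(config_json)
    cfg["ServiceSettings"].update({
        "ListenAddress": f":{upstream_port}",
        "ConnectionSecurity": "",
        "TLSCertFile": "",
        "TLSKeyFile": "",
        "UseLetsEncrypt": False,
        "Forward80To443": False,
    })
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for problem in check_proxy_mode(MATTERMOST_CONFIG, NGINX_VHOST):
        print("-", problem)
    print(proxy_mode_settings(MATTERMOST_CONFIG))
```

Run against the posted-style config it reports six conflicts; run against the output of proxy_mode_settings it reports none. Once Mattermost is on :8065 with ConnectionSecurity empty, the curl on localhost:8065 should answer with plain HTTP instead of "Connection refused", and nginx keeps 443 to itself. Setting ListenAddress to 127.0.0.1:8065 rather than :8065 is the tighter choice when the upstream is on loopback, since it keeps the unencrypted backend off the public interface.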