We're Hiring!

Mattermost, Inc.

Https access problem

Hi,
I have installed Mattermost on a VPS. It was working well.
Then I created a domain (see SiteURL in blockquotes) that i directed to the IP adress of my server. I created letsencrypt certificates, and ths diagnostic was OK on ssllabs.
I configured Mattermost to listen to the port 443, which is opened.
Then it doesn’t work anymore (either ssllabs).

The true adress of the server is https://vps701695.ovh.net.

I don’t understand what’s wrong.
Here is the first lines of config.json :

“SiteURL”: “https://www.talk.rohou.fr”,
“WebsocketURL”: “”,
“LicenseFileLocation”: “”,
“ListenAddress”: “:443”,
“ConnectionSecurity”: “TLS”,
“TLSCertFile”: “/etc/letsencrypt/live/talk.rohou.fr/fullchain.pem”,
“TLSKeyFile”: “/etc/letsencrypt/live/talk.rohou.fr/privkey.pem”,
“TLSMinVer”: “1.2”,
“TLSStrictTransport”: false,
“TLSStrictTransportMaxAge”: 63072000,
“TLSOverwriteCiphers”: ,
“UseLetsEncrypt”: true,
“LetsEncryptCertificateCacheFile”: “./config/letsencrypt.cache”,
“Forward80To443”: true,
“TrustedProxyIPHeader”: [
“X-Forwarded-For”,
“X-Real-IP”
],

Is there someone with an idea ?
Thanks.

Is the mattermost binary running as an unprivileged user? You can’t just bind 443 without being root or withoutsetting capabilities. It’s advisable to use an reverse proxy like nginx instead of the http server inside mattermost though. Instructions can be found here https://docs.mattermost.com/install/config-proxy-nginx.html and an nginx conf generator https://ssl-config.mozilla.org/. In this case you need to revert all the changes and let mattermost listen on 8065 and proxy request to this port.

I don’t understand where my problem comes from…
I tried to get rid of apache and i installed nginx.
nginx is working fine, but mattermost refuse to start because of port 443 already used… The only tree applications on the server are webmin, nginx and mattermost…
The test on ssllabs for mydomain (talk.rohou.fr) is now right.

[mydomain] is talk.rohou.fr and its ip is 51.91.248.71

The mattermost file in sites-enabled begins with :

upstream backend {
   server 51.91.248.71:8065;
   keepalive 32;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
   listen 80 default_server;
   server_name   [mydomain] ;
   return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name    [mydomain] ;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/[mydomain]/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/[mydomain]/privkey.pem;

And the mattermost’s config.json begins with :

"ServiceSettings": {
        "SiteURL": "[mydomain]",
        "WebsocketURL": "",
        "LicenseFileLocation": "",
        "ListenAddress": ":443",
        "ConnectionSecurity": "TLS",
        "TLSCertFile": "/etc/letsencrypt/live/[mydomain]/fullchain.pem",
        "TLSKeyFile": "/etc/letsencrypt/live/[mydomain]/privkey.pem",
        "TLSMinVer": "1.2",
        "TLSStrictTransport": false,
        "TLSStrictTransportMaxAge": 63072000,
        "TLSOverwriteCiphers": [],
        "UseLetsEncrypt": true,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": true,

When i do a curl on localhost:80, it gives :

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

When i do a curl on localhost:443, it gives :

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

When i do a curl on localhost:8065, it gives :

curl: (7) Failed to connect to localhost port 8065: Connexion refusée

I’m lost…

Hey,
you need to change the ListenAddress in the Mattermost config according to the port specified in nginx (in your case 8065. Mattermost will listen on this port on localhost and nginx will proxy requests, which came in on 443, to 8065. With your configuration now nginx binds 443 and Mattermost tries to bind 443 too (ot the other way around).

Best regards,
Marco

Thanks for this. I will try.
I succeeded to make it work by stopping nginx. Mattermost is on 443 and nginx off.
It would certainly be nicer to make nginx work using your solution. I’ll try.