iOS SSL Verification For GitLab SSO

TL;DR: GitLab SSO SSL certificates must be valid for less than 825 days.

I am making this post to assist others who may have had a similar issue to me. I am currently running Mattermost Teams server version 5.26 behind an NGINX proxy. My iOS application is running 1.37.0 (Build 334).

I recently integrated my Mattermost instance with my local GitLab server and everything was going smoothly through Chrome on my desktop. I then attempted to log in via the iOS application. I was able to log in with username/password but was unable to authenticate via SSO. I was able to click the SSO link on the app, but it always returned an invalid SSL certificate error. It took about 6-8 hours of frustrating debugging to finally hook up my iPhone to a Mac and look through the logs after receiving the validation error, and I was able to pinpoint it to the valid date range. Since I stood up my own CA in my local test environment, I have my certs valid for 5 years. It turns out that the SSO functionality of the app somehow uses different SSL verification than the main server connection. After re-signing my GitLab cert for 824 days, the SSO sign-on functionality worked perfectly.

I was just wondering if we could get the SSL verification to be consistent across all of the authentication mechanisms to avoid errors like this in the future. Also, a clearer error message would have helped troubleshoot this. The current error message looks like a generic MITM attack warning and will not allow us to manually trust the certificate.
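A check for the validity-period limit described in the post above, as an added example that is not part of the original post or of Mattermost's code. It parses the output of `openssl x509 -noout -dates`; the function names, the sample dates and the strict "under 825 days" threshold (taken from the post's wording) are assumptions of this example.

```python
import ssl
import subprocess

# Limit as stated in the post: the validity period must be under 825 days.
MAX_VALIDITY_DAYS = 825


def validity_days(dates_output):
    """Validity period in days, from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    missing = {"notBefore", "notAfter"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    start = ssl.cert_time_to_seconds(fields["notBefore"])
    end = ssl.cert_time_to_seconds(fields["notAfter"])
    if end <= start:
        raise ValueError("notAfter is not later than notBefore")
    return (end - start) / 86400


def check(dates_output):
    """Return (within_limit, days) for one certificate's date output."""
    days = validity_days(dates_output)
    return days < MAX_VALIDITY_DAYS, days


def dates_from_pem(path):
    """Read the validity dates of a PEM certificate with the openssl CLI."""
    return subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed samples: a 5-year private-CA certificate and an 824-day reissue.
FIVE_YEAR = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Aug 31 00:00:00 2025 GMT\n"
REISSUED = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Dec  4 00:00:00 2022 GMT\n"

if __name__ == "__main__":
    for name, sample in (("five-year", FIVE_YEAR), ("reissued", REISSUED)):
        ok, days = check(sample)
        print(f"{name}: {days:.0f} days -> {'ok' if ok else 'too long'}")
```

Running `check(dates_from_pem(path))` over every server certificate issued by a private CA catches an over-long validity period before a mobile client rejects it.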