Issues with HTTPS/TLS


#1

This is my second attempt to get TLS running on my Mattermost server.

The first time, my instance was running under a URL subdirectory and it didn’t work because of MM limitations.

Now I’m using a subdomain and following the documentation. Unfortunately it’s not working.

Everything is fine until I turn on TLS and port80to443 and switch Let’s Encrypt on.

I get many errors in the log

"source":"httpserver"

  • tls: first record does not look like a TLS handshake
  • urn:acme:error:rejectedIdentifier: Error creating new authz :: Policy forbids issuing for name
  • acme/autocert: missing certificate

Cheers


#2

Hi @RbDev! Thank you for reaching out.

To help troubleshoot this further, would you like to check the following documentation:

  1. We have some important upgrade notes related to port80to443, if you look at sections for v4.9 and v4.6.2
  2. Config settings - if you search for “TLS”, there might be settings relevant to the issue you are seeing. If you’re not sure which ones might be relevant, I can ask one of our engineers.

Let me know if any of this helps as a first step.


#3

Hi amy,

Thanks for trying to help.

  1. What should I be looking at?
  2. This is what I’ve been using to set up TLS, but with no success.

This is my config.

{
  "ServiceSettings": {
    "SiteURL": "https://myserver.com",
    "WebsocketURL": "",
    "LicenseFileLocation": "",
    "ListenAddress": ":443",
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "",
    "TLSKeyFile": "",
    "UseLetsEncrypt": true,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": true
  }
}

Cheers


#4

@RbDev Thank you for the additional information!

In the important upgrade notes, there are these following notes - I am not 100% sure if these are relevant to the issue you are seeing, but they might be relevant depending on what server version you are using - please let me know if these do not help:

“If using Let’s Encrypt without a proxy server, the server will fail to start with an error message unless the Forward80To443 config.json setting is set to true.”

“If forwarding port 80 to 443, the server will fail to start with an error message unless the ListenAddress config.json setting is set to listen on port 443.”

“If using Let’s Encrypt without a proxy server, forward port 80 through a firewall, with the Forward80To443 config.json setting set to true to complete the Let’s Encrypt certification.”
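An added example, not part of this thread or of Mattermost itself: a small checker that reads a Mattermost config.json and tests it against the two config.json rules quoted above (the third note, port 80 being open on the firewall, cannot be checked from the file). The embedded sample config is constructed after the one posted in #3, with a placeholder domain.

```python
import json

# Added example (not Mattermost code): validate ServiceSettings against the two
# upgrade notes quoted in this thread. Key names are taken from the posted config.

# Constructed sample modelled on the config posted in #3; the domain is a placeholder.
SAMPLE_CONFIG = json.loads("""
{
  "ServiceSettings": {
    "SiteURL": "https://myserver.example",
    "ListenAddress": ":443",
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "",
    "TLSKeyFile": "",
    "UseLetsEncrypt": true,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": true
  }
}
""")


def listen_port(listen_address: str) -> str:
    """Port part of a Go-style listen address such as ':443' or '0.0.0.0:443'."""
    _, sep, port = listen_address.rpartition(":")
    return port if sep else ""


def check_tls_config(config: dict) -> list:
    """Return rule violations; an empty list means both quoted notes are satisfied."""
    svc = config.get("ServiceSettings", {})
    problems = []
    # Note 1: Let's Encrypt without a proxy needs Forward80To443 = true.
    if svc.get("UseLetsEncrypt") and not svc.get("Forward80To443"):
        problems.append("UseLetsEncrypt is true but Forward80To443 is false")
    # Note 2: forwarding 80 to 443 needs ListenAddress on port 443.
    if svc.get("Forward80To443") and listen_port(svc.get("ListenAddress", "")) != "443":
        problems.append(f"Forward80To443 is true but ListenAddress is {svc.get('ListenAddress')!r}")
    return problems


def check_file(path: str) -> list:
    """Run the checks on a config.json file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_tls_config(json.load(fh))


if __name__ == "__main__":
    import sys
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_tls_config(SAMPLE_CONFIG)
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

The config posted in #3 passes both checks, which points away from these two settings and towards the Let's Encrypt policy error in the log.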


#5

Hi Amy,

All three are positive. You can see 2 in the config.

The firewall is opened for 80, 443 and 8065 temporarily. Once this is working, I expect only 443 to be needed.

Cheers


#6

Hi @RbDev - Just giving you an update here that I’ve asked our engineers to take a look at this soon.


#7

Yes please, Amy. I really don’t like to have my messages unencrypted on the internet.


#8

Hi there,

One of our amazing community members found a potential explanation. The error message Policy forbids issuing for name means that the domain you’re using has been blacklisted by Let’s Encrypt. They do this for a few reasons, but mainly to prevent impersonation of large sites.

To test this, try disabling your web server and then running this command:

$ sudo certbot certonly --standalone -d example.com

Replace example.com with your domain.


#9

Sorry Paul. Unfortunately I’ve cancelled the new MM server project.

I will continue running MM as subdirectory in my main server.