Issues with HTTPS/TLS


#1

This is my second attempt to get TLS running on my Mattermost server.

First time my instance was running under a URL subdirectory and it didn’t work because of MM limitations.

Now I’m doing a subdomain and following the documentation. Unfortunately it’s not working.

Everything is fine until I turn on TLS and port80to443 and use Let’s Encrypt.

I get many errors in the log

"source":"httpserver"

  • tls: first record does not look like a TLS handshake
  • urn:acme:error:rejectedIdentifier: Error creating new authz :: Policy forbids issuing for name
  • acme/autocert: missing certificate

Cheers


#2

Hi @RbDev! Thank you for reaching out.

To help troubleshoot this further, would you like to check the following documentation:

  1. We have some important upgrade notes related to port80to443, if you look at sections for v4.9 and v4.6.2
  2. Config settings - if you search for “TLS”, there might be settings relevant to the issue you are seeing. If you’re not sure which ones might be relevant, I can ask one of our engineers.

Let me know if any of this helps as a first step.


#3

Hi amy,

Thanks for trying to help.

  1. What should I be looking at?
  2. This is what I’ve been using to set up TLS but no success.

This is my config.

{
  "ServiceSettings": {
    "SiteURL": "https://myserver.com",
    "WebsocketURL": "",
    "LicenseFileLocation": "",
    "ListenAddress": ":443",
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "",
    "TLSKeyFile": "",
    "UseLetsEncrypt": true,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": true
  }
}

Cheers


#4

@RbDev Thank you for the additional information!

In the important upgrade notes, there are these following notes - I am not 100% sure if these are relevant to the issue you are seeing, but they might be relevant depending on what server version you are using - please let me know if these do not help:

“If using Let’s Encrypt without a proxy server, the server will fail to start with an error message unless the Forward80To443 config.json setting is set to true.”

“If forwarding port 80 to 443, the server will fail to start with an error message unless the ListenAddress config.json setting is set to listen on port 443.”

“If using Let’s Encrypt without a proxy server, forward port 80 through a firewall, with the Forward80To443 config.json setting set to true to complete the Let’s Encrypt certification.”


#5

Hi Amy,

All three are positive. You can see 2 in the config.

Firewall is opened for 80, 443 and 8065 temporarily. Once this is working, I expect only 443 to be needed.

Cheers


#6

Hi @RbDev - Just giving you an update here that I’ve asked our engineers to take a look at this soon.


#7

Yes please Amy. I really don’t like to have my messages unencrypted on the internet.


#8

Hi there,

One of our amazing community members found a potential explanation. The error message Policy forbids issuing for name means that the domain you’re using has been blacklisted by Let’s Encrypt. They do this for a few reasons, but mainly to prevent impersonation of large sites.

To test this, try disabling your web server and then running this command:

$ sudo certbot certonly --standalone -d example.com

Replace example.com with your domain.


#9

Sorry Paul. Unfortunately I’ve cancelled the new MM server project.

I will continue running MM as subdirectory in my main server.


#10

Just a quick update. Let’s Encrypt did blacklist AWS.

The only way to use it is by getting a domain.


#11

I want to resurrect this forum.

I’ve decided to give the second server in AWS another try but this time with a TLS private key instead of Let’s Encrypt.

I have it up and running without TLS but just like before it fails when I try to enable TLS.

There are two issues happening.

  1. The setcap isn’t working. I’m running MM with its own user and it seems setcap doesn’t take effect.
  2. Running MM as root I’m getting a weird behaviour. Web experience is unstable, I can’t connect MM clients and IE and Edge accesses keep returning TLS error “EOF”

I have a .cert and .key created using openssl. They are at mm root directory.

Has anyone managed to get this working? Any support would be appreciated. What’s the best way to configure TLS in MM?

Config

{
  "ServiceSettings": {
    "SiteURL": "https://myawsmm",
    "WebsocketURL": "",
    "LicenseFileLocation": "",
    "ListenAddress": ":443",
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "./mattermost.cert",
    "TLSKeyFile": "./mattermost.key",
    "UseLetsEncrypt": false,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": true,
    "ReadTimeout": 300
  }
}

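As an added example (not code from this thread or from the Mattermost project), a small Python checker that applies the three upgrade-note rules quoted in #4 to a config.json fragment like the ones posted above, and, for the own-certificate setup in #11, verifies that TLSCertFile and TLSKeyFile are set, exist and are PEM; `needs_cap_net_bind_service` flags when the bound ports need root or a setcap grant on the binary. The two sample configs and the placeholder PEM files are constructed, not taken from a real server.

```python
import os
import re
import tempfile
# Constructed configs modelled on the two config.json fragments in this thread (sample values only).
LETSENCRYPT_CFG = {"ServiceSettings": {
    "SiteURL": "https://myserver.com", "ListenAddress": ":443", "ConnectionSecurity": "TLS",
    "TLSCertFile": "", "TLSKeyFile": "", "UseLetsEncrypt": True, "Forward80To443": True}}
KEYFILE_CFG = {"ServiceSettings": {
    "SiteURL": "https://myawsmm", "ListenAddress": ":443", "ConnectionSecurity": "TLS",
    "TLSCertFile": "./mattermost.cert", "TLSKeyFile": "./mattermost.key",
    "UseLetsEncrypt": False, "Forward80To443": True}}

def listen_port(addr):
    """Port from a ListenAddress such as ':443' or '10.0.0.5:8065', else None."""
    m = re.search(r":(\d+)$", addr or "")
    return int(m.group(1)) if m else None

def check_tls_config(cfg, base_dir=".", behind_proxy=False):
    """Return the list of problems; empty means the upgrade-note rules and file checks pass."""
    s = cfg.get("ServiceSettings", {})
    if s.get("ConnectionSecurity") != "TLS":
        return []  # TLS is off here (or terminated by a proxy in front of Mattermost)
    problems, port = [], listen_port(s.get("ListenAddress"))
    if s.get("UseLetsEncrypt") and not behind_proxy and not s.get("Forward80To443"):
        problems.append("UseLetsEncrypt without a proxy requires Forward80To443 = true")
    if s.get("Forward80To443") and port != 443:
        problems.append("Forward80To443 requires ListenAddress on port 443, got %r" % s.get("ListenAddress"))
    if not s.get("UseLetsEncrypt"):  # own certificate: both files must be set, present and PEM
        for key in ("TLSCertFile", "TLSKeyFile"):
            path = os.path.join(base_dir, s.get(key) or "")
            if not s.get(key):
                problems.append("%s is empty but UseLetsEncrypt is false" % key)
            elif not os.path.isfile(path):
                problems.append("%s -> %s does not exist" % (key, path))
            elif not open(path, "rb").read(32).startswith(b"-----BEGIN"):
                problems.append("%s -> %s is not PEM encoded" % (key, path))
    return problems

def needs_cap_net_bind_service(cfg):
    """True when a port below 1024 is bound (443, or 80 via Forward80To443): needs root or CAP_NET_BIND_SERVICE."""
    s = cfg.get("ServiceSettings", {})
    port = listen_port(s.get("ListenAddress"))
    return bool(s.get("Forward80To443")) or (port is not None and port < 1024)

def make_demo_dir():
    """Temp dir with placeholder PEM files named as in KEYFILE_CFG (not real key material)."""
    d = tempfile.mkdtemp()
    for name, hdr in (("mattermost.cert", b"CERTIFICATE"), ("mattermost.key", b"PRIVATE KEY")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"-----BEGIN " + hdr + b"-----\nplaceholder\n-----END " + hdr + b"-----\n")
    return d
```

When `needs_cap_net_bind_service` is true and the service runs as its own user, the binary itself (not a symlink or wrapper script) needs the capability, which is the usual reason a setcap grant appears not to take effect.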

#12

Hi @RbDev! I found this thread on a similar issue from a few months ago and there our engineers recommended configuring TLS on Apache and using separate certificates for each virtual host.

Link to that thread is here: https://stackoverflow.com/questions/49496183/mattermost-tls-issue.

If this doesn’t help, just let me know and I’ll ask our engineers to take a look.


#13

Following the links below I got HTTP and HTTPS working with nginx.

https://docs.mattermost.com/install/config-proxy-nginx.html

https://docs.mattermost.com/install/config-ssl-http2-nginx.html

But with HTTPS, Safari browsers cannot access websockets, MM mobile clients cannot log in, and API calls are getting blocked.

get : http://server/api/v4/users/m8fp1td76tbi5ctaonm5tm5zko/image 401 (Unauthorized)

Any ideas?


#14

I’ve noticed that running nginx was just swapping one problem for many others so I’ve decided to go back and work on getting direct mattermost hosting working.

The good news is I got MM running on HTTPS (port 443). The trick is to run platform as root user. It’s bad for security but it won’t work any other way.

Ok so now we’ve got 3 issues.

  1. Safari keeps complaining about websocket issues. Same issue we’ve seen before in the screenshot. Other browsers are fine. Any ideas?

  2. Edge and IE keep flooding the MM log with a TLS EOF error.

{"level":"info","ts":1531464394.5365913,"caller":"runtime/asm_amd64.s:2361","msg":"http: TLS handshake error from XX.XX.XX.XX:62476: EOF","source":"httpserver"}

  3. I can log on MM clients using HTTP but not HTTPS. Any idea why?

The prerelease server doesn’t have these issues. Can you share the prerelease settings?

Cheers