Mattermost, Inc.

Mattermost Recipe: Debugging SAML Key Issues

Problem

You’re seeing errors reading the SAML keys and certificates in the logs, and cannot log in via SAML.

Solution

First, make sure your files have the correct ownership by running this command, which recursively sets the owner and group to mattermost:

sudo chown -R mattermost:mattermost /opt/mattermost

If you’re still seeing errors in your log, check your SAML key/cert formats using openssl.

First, use these commands to verify that openssl can read your keys/certs:

openssl rsa -in /opt/mattermost/config/saml-private.key #checks Mattermost private key
openssl x509 -text -noout -in /opt/mattermost/config/saml-public.crt #checks Mattermost public certificate
openssl x509 -text -noout -in /opt/mattermost/config/saml-idp.crt #checks Mattermost IdP certificate

The first command will output something like this:

-----BEGIN RSA PRIVATE KEY-----
[base64-encoded key data omitted]
-----END RSA PRIVATE KEY-----

And the second and third commands will output something like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15346930713781960660 (0xd4fb402c33817fd4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=Palo Alto, O=Mattermost, OU=DevOps, CN=base.example.com
        Validity
            Not Before: Apr 28 18:27:26 2020 GMT
            Not After : Apr 26 18:27:26 2030 GMT
        Subject: C=US, L=Palo Alto, O=Mattermost, OU=DevOps, CN=base.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Alternative Name: 
                DNS:logs.example.com, DNS:metrics.example.com, IP Address:192.168.0.1, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

If you encounter an error, use the cat -v command to examine the files, like this:

cat -v /opt/mattermost/config/saml-public.crt

Here’s an example of the output for an invalid certificate:

-----BEGIN CERTIFICATE-----^M
MIIFmzCCA4OgAwIBAgIJANT7QCwzgX/UMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV^M
BAYTAlVTMRIwEAYDVQQHDAlQYWxvIEFsdG8xEzARBgNVBAoMCk1hdHRlcm1vc3Qx^M
DzANBgNVBAsMBkRldk9wczEZMBcGA1UEAwwQYmFzZS5leGFtcGxlLmNvbTAeFw0y^M
MDA0MjgxODI3MjZaFw0zMDA0MjYxODI3MjZaMGIxCzAJBgNVBAYTAlVTMRIwEAYD^M
VQQHDAlQYWxvIEFsdG8xEzARBgNVBAoMCk1hdHRlcm1vc3QxDzANBgNVBAsMBkRl^M
dk9wczEZMBcGA1UEAwwQYmFzZS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEB^M
BQADggIPADCCAgoCggIBAMiXakE8cl0bow08xpfjaZlr4rcVJBRfSu8N8lkms2U8^M
WI8WjKPsVog0dy3eEW42dHwBO5whyGRXmrTGECRhNz+4EcaW+eEgpqBCx2KQZ8wM^M
ixv5PyxyJkb8p9/hnyxT8b6UWpDFTJvbL+KIHnemWk0E16QPQ5de9cZsFNxKD/Gt^M
5dxdCPatgcj7WawiCg+MFGgKTq787q/lYDmN7gIeqpKSavo6F9NGaJPe1H8mkApy^M
bCquXBZ2PmqK8xjNvpvNUxw5VW7m6L2D18YmRjhf78TTWEbeGIONL/84bxc7D1j/^M
6ZTRk+T3sxZxiuXjivtDU40QwDHXJMBIc8jeK3fuTMVoxsdMaLB3SxoImwEe+EXQ^M
gegG2oL06f4NEC5/5r9YswYLNXTHBgJyBNUnK6AJNxfCTSBZWKj0l4TpTiYgqeZk^M
+AiFp6kIJD+TqK+d2xCfnKfHYZYQmvl+Y1+yZ3TXqMTAURP2liqmaLGffm9SsfL+^M
ys7vAQfXT7OrSUqVTCHJY6XHLFTKK28y0TThbzQjaUbFomfOlWDGZi+8OWl9NbCA^M
5AJS70tqepDi/OnijFfwIp3B0aWqzUSwG77WhcQhIJm9ap1SUcpLoaWoXzQaQ3qV^M
IBv5FWn6iG6aDeYy1CCEjaWyg2XKcsgUZzJB/0nM/Hy6kkZoHDquS6v7MAyBsuEx^M
AgMBAAGjVDBSMBIGA1UdEwEB/wQIMAYBAf8CAQAwPAYDVR0RBDUwM4IQbG9ncy5l^M
eGFtcGxlLmNvbYITbWV0cmljcy5leGFtcGxlLmNvbYcEwKgAAYcEfwAAATANBgkq^M
hkiG9w0BAQsFAAOCAgEATnodsRvgV+CiPABZNa2dW0CUKw3d2+pZYDfzgaim0gdy^M
NWwoEnO93uhLAasKb8d9GmoxSxKJ74sKCPnTFOxzE8I9AeNeRzl79mYFNnCpBtlD^M
vi8wWZAaPk0FJ4TGoSDLXyloKefO0hD1qSz1aNSMqGneh56b0wDORoVd9z2r4t2k^M
5H5sH1xDx/GjQbw7AxavO0fJsUfVXAiKDBbTWcMSKmhz1nnlhh0N6Rq5+hSeHGoe^M
8HNonivnWOl27MNiOlhEoREwi1H8Z/O0JYbp/qiMIfLDMaDtJ3Fc2N3asOw0irTc^M
brji/ZC20H4wtAyXjB4zoUNqgdUPT26KLGMM2M6aG20pfIvToGI7/+po1qIxBd5y^M
gmim5re207HXwovgzcW2JoA5q2fhQ8RsjfySo7sJeaw5jVqTZxMO3dlkzqwjRZID^M
OR4RyGnZKXhvipR+3PZQPb8+GLFGvoYkDnOjToi+WFpIoo+cJiIrAV/J4LfelsGG^M
DM6AmS+FasRTN466jRh2x5eHVEvz3ORAuuKxqTEX+nCRLGpIDyO2NFDy7YgTaBbZ^M
/OXv9pfvqaElkWwlxyvvH5rnCLVn3si+9+Sh5qXqIhDeutZsnIOoFSaebMhDI8Ox^M
XOiWMaXYlrZf8jvQjftTCh4M+FlStRquKJQfrHCC/3SPADtaUBKuLXvVZBzgM6Y=^M
‚M-^@M-^T-‚M-^@M-^S-END CERTIFICATE-----^M

To fix this file, first run dos2unix to convert the line endings.

dos2unix /opt/mattermost/config/saml-public.crt

Finally, edit the file to ensure the first and last lines do not have any invalid characters such as em or en dashes, which commonly appear when a certificate is pasted into a rich-text editor. In the cat -v output these are shown by ,M-^, @M-, and ^T-. Once these changes have been made, the output will look like this:

-----BEGIN CERTIFICATE-----
MIIFmzCCA4OgAwIBAgIJANT7QCwzgX/UMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
BAYTAlVTMRIwEAYDVQQHDAlQYWxvIEFsdG8xEzARBgNVBAoMCk1hdHRlcm1vc3Qx
DzANBgNVBAsMBkRldk9wczEZMBcGA1UEAwwQYmFzZS5leGFtcGxlLmNvbTAeFw0y
MDA0MjgxODI3MjZaFw0zMDA0MjYxODI3MjZaMGIxCzAJBgNVBAYTAlVTMRIwEAYD
VQQHDAlQYWxvIEFsdG8xEzARBgNVBAoMCk1hdHRlcm1vc3QxDzANBgNVBAsMBkRl
dk9wczEZMBcGA1UEAwwQYmFzZS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAMiXakE8cl0bow08xpfjaZlr4rcVJBRfSu8N8lkms2U8
WI8WjKPsVog0dy3eEW42dHwBO5whyGRXmrTGECRhNz+4EcaW+eEgpqBCx2KQZ8wM
ixv5PyxyJkb8p9/hnyxT8b6UWpDFTJvbL+KIHnemWk0E16QPQ5de9cZsFNxKD/Gt
5dxdCPatgcj7WawiCg+MFGgKTq787q/lYDmN7gIeqpKSavo6F9NGaJPe1H8mkApy
bCquXBZ2PmqK8xjNvpvNUxw5VW7m6L2D18YmRjhf78TTWEbeGIONL/84bxc7D1j/
6ZTRk+T3sxZxiuXjivtDU40QwDHXJMBIc8jeK3fuTMVoxsdMaLB3SxoImwEe+EXQ
gegG2oL06f4NEC5/5r9YswYLNXTHBgJyBNUnK6AJNxfCTSBZWKj0l4TpTiYgqeZk
+AiFp6kIJD+TqK+d2xCfnKfHYZYQmvl+Y1+yZ3TXqMTAURP2liqmaLGffm9SsfL+
ys7vAQfXT7OrSUqVTCHJY6XHLFTKK28y0TThbzQjaUbFomfOlWDGZi+8OWl9NbCA
5AJS70tqepDi/OnijFfwIp3B0aWqzUSwG77WhcQhIJm9ap1SUcpLoaWoXzQaQ3qV
IBv5FWn6iG6aDeYy1CCEjaWyg2XKcsgUZzJB/0nM/Hy6kkZoHDquS6v7MAyBsuEx
AgMBAAGjVDBSMBIGA1UdEwEB/wQIMAYBAf8CAQAwPAYDVR0RBDUwM4IQbG9ncy5l
eGFtcGxlLmNvbYITbWV0cmljcy5leGFtcGxlLmNvbYcEwKgAAYcEfwAAATANBgkq
hkiG9w0BAQsFAAOCAgEATnodsRvgV+CiPABZNa2dW0CUKw3d2+pZYDfzgaim0gdy
NWwoEnO93uhLAasKb8d9GmoxSxKJ74sKCPnTFOxzE8I9AeNeRzl79mYFNnCpBtlD
vi8wWZAaPk0FJ4TGoSDLXyloKefO0hD1qSz1aNSMqGneh56b0wDORoVd9z2r4t2k
5H5sH1xDx/GjQbw7AxavO0fJsUfVXAiKDBbTWcMSKmhz1nnlhh0N6Rq5+hSeHGoe
8HNonivnWOl27MNiOlhEoREwi1H8Z/O0JYbp/qiMIfLDMaDtJ3Fc2N3asOw0irTc
brji/ZC20H4wtAyXjB4zoUNqgdUPT26KLGMM2M6aG20pfIvToGI7/+po1qIxBd5y
gmim5re207HXwovgzcW2JoA5q2fhQ8RsjfySo7sJeaw5jVqTZxMO3dlkzqwjRZID
OR4RyGnZKXhvipR+3PZQPb8+GLFGvoYkDnOjToi+WFpIoo+cJiIrAV/J4LfelsGG
DM6AmS+FasRTN466jRh2x5eHVEvz3ORAuuKxqTEX+nCRLGpIDyO2NFDy7YgTaBbZ
/OXv9pfvqaElkWwlxyvvH5rnCLVn3si+9+Sh5qXqIhDeutZsnIOoFSaebMhDI8Ox
XOiWMaXYlrZf8jvQjftTCh4M+FlStRquKJQfrHCC/3SPADtaUBKuLXvVZBzgM6Y=
-----END CERTIFICATE-----

Note: If you have migrated your configuration to the database, the files are stored in the ConfigurationFiles database table. To resolve issues with these, verify the file format in a plaintext editor like Notepad, Notepad++, Sublime Text, vi, or emacs and then upload it. If you’re handling the keys on a Windows machine, be sure to set your editor to use Unix line endings, or use dos2unix to convert them after they are uploaded.

Do not use a rich-text editor like Wordpad, Microsoft Word, or Google Docs to handle or share certificates and keys. They are often configured to convert normal dashes to em or en dashes, which makes the format invalid. These editors will also change line endings and usually offer no option to control them.

Discussion

Mattermost uses a PEM format for all keys and certificates, which has very specific format requirements.

First, the file must begin with -----BEGIN CERTIFICATE-----. There must be precisely five (5) dashes at the beginning and end of the line, and they must be the ASCII hyphen-minus (Unicode character 0x2D). Also, there should be no non-whitespace characters at the end of this line.

Whitespace is ignored, but line endings must be Unix-style (\n) and must not contain the carriage return character (\r, shown as ^M by cat -v). The body should also be base64-encoded.

Finally, it must end with -----END CERTIFICATE-----. Again, five (5) dashes are at the beginning and end of the line, and there should be no non-whitespace characters at the end of the line.

More details about the PEM file format can be found in RFC 7468.
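
The format rules in this discussion can be checked mechanically before a file is uploaded or Mattermost is restarted. The script below is an added example, not part of the original recipe or a Mattermost tool; pem_lint and pem_lint_demo are hypothetical names, it accepts any PEM label (keys as well as certificates), and the sample file it builds is constructed and is not a real certificate.

```shell
#!/bin/sh
# pem_lint FILE: report the PEM formatting problems described above.
# Hypothetical helper (added example). Prints one line per finding and
# returns the number of findings, so 0 means the file is well-formed.
pem_lint() (
    f=$1; issues=0
    LC_ALL=C; export LC_ALL            # match bytes, not locale characters
    note() { printf '%s: %s\n' "$f" "$1"; issues=$((issues + 1)); }
    [ -r "$f" ] || { note "cannot read file (ownership/permissions?)"; exit 1; }

    # Carriage returns: the ^M that cat -v shows for Windows line endings.
    cr=$(( $(tr -cd '\r' < "$f" | wc -c) ))
    [ "$cr" -eq 0 ] || note "$cr carriage return(s): run dos2unix"

    # Bytes above 0x7F: em/en dashes pasted from a rich-text editor.
    hi=$(( $(tr -d '\000-\177' < "$f" | wc -c) ))
    [ "$hi" -eq 0 ] || note "$hi non-ASCII byte(s): check for em/en dashes"

    # Inspect the non-blank lines with CRs stripped, so each problem is
    # reported once rather than cascading into the later checks.
    lines=$(tr -d '\r' < "$f" | grep -v '^[[:space:]]*$' || true)
    first=$(printf '%s\n' "$lines" | sed -n '1p')
    last=$(printf '%s\n' "$lines" | sed -n '$p')

    # Boundary lines need exactly five 0x2D dashes on each side of the label.
    printf '%s\n' "$first" | grep -Eq '^-----BEGIN [A-Z0-9 ]+-----[[:space:]]*$' ||
        note "malformed BEGIN line"
    printf '%s\n' "$last" | grep -Eq '^-----END [A-Z0-9 ]+-----[[:space:]]*$' ||
        note "malformed END line"

    # Everything between the boundaries must be base64.
    bad=$(printf '%s\n' "$lines" | sed '1d;$d' |
          grep -Evc '^[A-Za-z0-9+/=[:space:]]*$' || true)
    [ "$bad" -eq 0 ] || note "$bad body line(s) with non-base64 characters"
    exit "$issues"
)

# Constructed sample: CRLF endings, and an em and en dash on the END line.
pem_lint_demo() {
    t=$(mktemp); rc=0
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' > "$t"
    printf '\342\200\224-\342\200\223-END CERTIFICATE-----\r\n' >> "$t"
    pem_lint "$t" || rc=$?
    rm -f "$t"
    return "$rc"
}
pem_lint_demo || true
```

Run it against each of the three files checked earlier, for example pem_lint /opt/mattermost/config/saml-idp.crt; a zero exit status means none of the formatting problems above were found.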
