[SOLVED] Unable to start webserver using TLS: Access is denied [Win64]

Summary

Webserver will not start when using SSL certs, error message:

[CRIT] Error starting server, err:open cert1.key: Access is denied.

Steps to reproduce

Version: 3.10.0
Database: mysql
OS: Win10E 1703 x64
working dir: c:\mattermost\bin
Configured TLS by inputting cert1.crt, and cert1.key in the \bin directory (working dir).
Permissions on both the .key and .crt file are set to “EVERYONE” for testing. Owner is SYSTEM

MM is running as a SYSTEM service…so, should have no permissions issues.

Expected behavior

Web server runs fine when NOT using TLS/SSL.

Observed behavior

webserver fails to start, the following errors are obvserved:

[2017/07/02 06:59:36 PDT] [INFO] Loaded system translations for 'en' from 'c:\mattermost\i18n/en.json'
[2017/07/02 06:59:36 PDT] [INFO] Current version is 3.10.0 (3.10.0/Wed Jun 14 21:04:02 UTC 2017/8b83e9d4279718c8f9797c6a9c081245231cbba0/none)
[2017/07/02 06:59:36 PDT] [INFO] Enterprise Enabled: false
[2017/07/02 06:59:36 PDT] [INFO] Current working directory is c:\mattermost\bin
[2017/07/02 06:59:36 PDT] [INFO] Loaded config file from c:\mattermost\config\config.json
[2017/07/02 06:59:36 PDT] [INFO] Server is initializing...
[2017/07/02 06:59:36 PDT] [INFO] Pinging SQL master database
[2017/07/02 06:59:37 PDT] [DEBG] Deleting any unused pre-release features
[2017/07/02 06:59:37 PDT] [DEBG] Initializing user API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing team API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing channel API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing post API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing file API routes
[2017/07/02 06:59:37 PDT] [DEBG] api.system.init.debug
[2017/07/02 06:59:37 PDT] [DEBG] Initializing webhook API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing preference API routes
[2017/07/02 06:59:37 PDT] [DEBG] api.saml.init.debug
[2017/07/02 06:59:37 PDT] [DEBG] Initializing compliance API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing cluster API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing LDAP API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing brand API routes
[2017/07/02 06:59:37 PDT] [INFO] Initializing job API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing command API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing status API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing web socket API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing emoji API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing OAuth API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing reactions api routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing WebRTC API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing open graph protocol api routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing user API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing team API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing channel API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing post API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing web socket API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing file API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing command API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing admin API routes.
[2017/07/02 06:59:37 PDT] [DEBG] Initializing general API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing OAuth API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing webhook API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing preference API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing license API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing emoji API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing status API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing WebRTC API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing reactions api routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing deprecated API routes
[2017/07/02 06:59:37 PDT] [DEBG] Parsing server templates at c:\mattermost\templates/
[2017/07/02 06:59:37 PDT] [DEBG] Email batching job starting. Checking for pending emails every 30 seconds.
[2017/07/02 06:59:37 PDT] [DEBG] Initializing user WebSocket API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing system WebSocket API routes
[2017/07/02 06:59:37 PDT] [DEBG] Initializing status WebSocket API routes
[2017/07/02 06:59:37 PDT] [DEBG] wsapi.webtrc.init.debug
[2017/07/02 06:59:37 PDT] [INFO] Starting 16 websocket hubs
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 0 is starting with goroutine 2097
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 1 is starting with goroutine 2098
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 2 is starting with goroutine 2099
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 3 is starting with goroutine 2100
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 4 is starting with goroutine 2101
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 5 is starting with goroutine 2102
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 6 is starting with goroutine 2103
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 7 is starting with goroutine 2104
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 8 is starting with goroutine 2105
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 9 is starting with goroutine 2106
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 10 is starting with goroutine 2107
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 11 is starting with goroutine 2108
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 12 is starting with goroutine 2109
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 13 is starting with goroutine 2110
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 14 is starting with goroutine 2111
[2017/07/02 06:59:37 PDT] [DEBG] Initializing web routes
[2017/07/02 06:59:37 PDT] [DEBG] Hub for index 15 is starting with goroutine 2112
[2017/07/02 06:59:37 PDT] [DEBG] Using client directory at c:\mattermost\webapp\dist/
[2017/07/02 06:59:37 PDT] [DEBG] Email batching job starting. Checking for pending emails every 30 seconds.
[2017/07/02 06:59:37 PDT] [INFO] Starting Server...
[2017/07/02 06:59:37 PDT] [INFO] Server is listening on :8065
[2017/07/02 06:59:37 PDT] [INFO] Starting jobs
[2017/07/02 06:59:37 PDT] [DEBG] Cleaning up token store.
[2017/07/02 06:59:37 PDT] [CRIT] Error starting server, err:open cert1.key: Access is **denied**.

Config.json:

    "ServiceSettings": {
        "SiteURL": "http://mydomain.com:8065",
        "LicenseFileLocation": "",
        "ListenAddress": ":8065",
        "ConnectionSecurity": "TLS",
        "TLSCertFile": "cert1.crt",
        "TLSKeyFile": "cert1.key",
        "UseLetsEncrypt": false,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": false,
        "ReadTimeout": 300,
        "WriteTimeout": 300,
        "MaximumLoginAttempts": 10,
        "GoroutineHealthThreshold": -1,
        "GoogleDeveloperKey": "",
        "EnableOAuthServiceProvider": true,
        "EnableIncomingWebhooks": true,
        "EnableOutgoingWebhooks": true,
        "EnableCommands": true,
        "EnableOnlyAdminIntegrations": true,
        "EnablePostUsernameOverride": true,
        "EnablePostIconOverride": true,
        "EnableLinkPreviews": false,
        "EnableTesting": true,
        "EnableDeveloper": true,
        "EnableSecurityFixAlert": true,
        "EnableInsecureOutgoingConnections": true,
        "EnableMultifactorAuthentication": false,
        "EnforceMultifactorAuthentication": false,
        "AllowCorsFrom": "",
        "SessionLengthWebInDays": 30,
        "SessionLengthMobileInDays": 30,
        "SessionLengthSSOInDays": 30,
        "SessionCacheInMinutes": 10,
        "WebsocketSecurePort": 443,
        "WebsocketPort": 80,
        "WebserverMode": "gzip",
        "EnableCustomEmoji": false,
        "RestrictCustomEmojiCreation": "all",
        "RestrictPostDelete": "all",
        "AllowEditPost": "always",
        "PostEditTimeLimit": 300,
        "TimeBetweenUserTypingUpdatesMilliseconds": 5000,
        "EnablePostSearch": true,
        "EnableUserTypingMessages": true,
        "EnableUserStatuses": true,
        "ClusterLogTimeoutMilliseconds": 2000

Do you get the same issue if u write the full path to the crt/key files?

@prixone YES, I’ve tried multiple paths. IN and out of the the root c:\mattermost DIR.

@prixone :Figured this out -

So, I copied BOTH the .cert and .key files directly from my SSL root folder on the box (Let’sCertify) to the C:\mattermost\bin folder. Set permissions to EVERYONE. Still no-go.

I had to create a blank .txt file, then copy the actual key from the original .key file into the new .txt file, then rename it to cert1.key. Only after then did it take the file.

So, I’m not sure if that’s a bug with MM/windows/Let’sCertify…but I’ve never seen that before.

Really weird. Anyway, got it to work.

THX

Glad you found a workaround for your issue :slight_smile: but given what you said it seems it was indeed some user/permission issue.