[solved] Mobile App(Android) TLS handshake error

I’ve got Mattermost server version 5.9 with SSL configured (my own certificate, issued by RapidSSL).
The Windows application works fine, and the iOS application also works fine. But the Android application cannot connect to the server; on the server side in the log messages I see:

{"level":"info","ts":1554454773.874336,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:29159: remote error: tls: unknown certificate","source":"httpserver"}
{"level":"info","ts":1554454774.1127157,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:39251: remote error: tls: unknown certificate","source":"httpserver"}
{"level":"info","ts":1554454774.7795985,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:57096: remote error: tls: unknown certificate","source":"httpserver"}
{"level":"info","ts":1554454775.319641,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:4419: remote error: tls: unknown certificate","source":"httpserver"}

Although through the browser the chat works (on Android). This problem affects all Android devices (I’ve tried at least 5).

Here is server configuration:

"ServiceSettings": {
    "SiteURL": "https://chat.mydomain.com",
    "WebsocketURL": "",
    "LicenseFileLocation": "",
    "ListenAddress": "XXX.XXX.XXX.XXX:443",
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "/opt/mattermost/cert/public.crt",
    "TLSKeyFile": "/opt/mattermost/cert/private.key",
    "TLSMinVer": "1.2",
    "TLSStrictTransport": false,
    "TLSStrictTransportMaxAge": 63072000,
    "TLSOverwriteCiphers": [],
    "UseLetsEncrypt": false,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": true,

The server runs directly, without a proxy.

Hi @AndreyChe,

Have you had a chance to take a look at this troubleshooting doc: https://docs.mattermost.com/mobile/mobile-troubleshoot.html#i-keep-getting-a-message-cannot-connect-to-the-server-please-check-your-server-url-and-internet-connection?

Thank you, now it works. I had to put the full chain in the certificate file.

May I know what the solution was?

Hi, @vijaymadan7851

I believe that the solution was based on @AndreyChe’s response earlier:

You need to include the entire chain (including root, intermediate, and end user) in the certificate file while you set up TLS on your instance.
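One way to confirm that the certificate file you point TLSCertFile at really contains a linked chain (leaf first, then intermediate, then root), added here as an example rather than code from this thread or from the Mattermost project. It assumes a POSIX shell and the openssl CLI; it only compares issuer and subject names between neighbouring certificates and does not verify signatures.

```sh
#!/bin/sh
# chain_check BUNDLE: split a PEM bundle into its certificates and check that
# it forms a linked chain, leaf first: each certificate's issuer must be the
# subject of the certificate that follows it. Prints one line per certificate
# and returns 0 for a chain that reaches a self-signed root, 1 otherwise.
chain_check() {
    bundle="$1"
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle"
        return 1
    fi
    work=$(mktemp -d)
    # one file per certificate: cert.1 (leaf), cert.2 (intermediate), ...
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/cert." n)}' "$bundle"
    i=1
    status=0
    while [ "$i" -le "$count" ]; do
        subject=$(openssl x509 -in "$work/cert.$i" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$work/cert.$i" -noout -issuer | sed 's/^issuer=//')
        echo "$i: subject=$subject"
        echo "   issuer=$issuer"
        if [ "$subject" = "$issuer" ]; then
            echo "   self-signed root reached: chain complete"
            break
        fi
        next=$((i + 1))
        if [ "$next" -gt "$count" ]; then
            echo "   issuer is not in the bundle: chain incomplete (append the intermediate/root after the leaf)"
            status=1
            break
        fi
        next_subject=$(openssl x509 -in "$work/cert.$next" -noout -subject | sed 's/^subject=//')
        if [ "$next_subject" != "$issuer" ]; then
            echo "   next certificate is '$next_subject', not the issuer: chain out of order"
            status=1
            break
        fi
        i=$next
    done
    rm -rf "$work"
    return "$status"
}
```

A leaf-only file, which is what the Windows and browser clients tolerate because they fetch or cache the intermediate themselves, fails the check, while a correctly ordered full-chain file passes.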

How did you put the full chain in?

I’ve got a wildcard certificate for my domain, so I put the crt and key in, like on other Apache etc. servers. Everything works perfectly for the Windows app and web clients, but my mobile app gets an error:

{"level":"info","ts":1585167084.414385,"caller":"http/server.go:1763","msg":"http: TLS handshake error from xxx.xxx.xxx.xxx:12345: tls: first record does not look like a TLS handshake","source":"httpserver"}

Hello, @czarek

Is your wildcard certificate self signed? If yes, it might be related to this issue. You might want to consider Let’s Encrypt as an alternative.

Also, can you please perform the certificate check in SSL Labs and share the result here?

No, it’s issued by ESET SSL CA :slight_smile: so it is a globally trusted certificate.

SSL Labs doesn’t support random ports, which I am using :slight_smile:

As I mentioned before, the web client works fine, without any prompt about an incorrect cert or potential danger, as happens when you use a self-signed one.

Also, I didn’t write that without SSL the Android app was working perfectly.

The funniest thing is that one of my test employees successfully connected via the Android app to the server without any SSL issue.

For me, on both phones, the same error.

May I get some solution about merging the root cert with the intermediate and end-user one?

SSL reported:

Additional Certificates (if supplied)
Certificates provided 3 (3599 bytes)
Chain issues Incomplete

OK, so I got a PFX with all I need, but how do I extract the full chain cert for Mattermost?

For PFX file:

openssl pkcs12 -in cert.pfx -out cert.crt -nodes

The funniest thing is that everywhere else the PEM is the full chain cert, but the PEM generated with the same command didn’t work.

Problem solved


I had the same error. I am running Mattermost 5.31 on Ubuntu with an Apache SSL proxy (cert issued by GoDaddy). Connections were working via Chrome on Windows and the Windows app; however, I got an “untrusted certificate” error on the Android app. I added:

SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt

to my Apache conf and it worked without issue.
