Mattermost, Inc.

[SOLVED] SSL on Mattermost server not working

Summary

SSL is not starting on my internal server.

Steps to reproduce

Version: 4.0.0 (4.0.2)
Database: mysql

We have an internal Root CA and I have generated the public key and private key for the Mattermost server. When I copy the key to the Mattermost server, configure the same in the System Console and restart the server, I am getting this error:

[2017/08/11 07:52:05 CEST] [CRIT] Error starting server, err:tls: failed to parse private key

Expected behavior

SSL should work normally

Observed behavior

FYI, the same SSL keys work with Apache

Do you have any other details you can share about the key file such as what tools or commands you used to generate it?

Or do you have a key that isn’t confidential that you could share that reproduces the issue?

Hi,

I used openssl and we have a private CA server in our organization for securing internal sites.

From the private CA server, which is running on Ubuntu, I created the CSR and private key and then generated the public key.

I then entered the details in the config.json and restarted the service.

I also see the error "cannot forward from 80 to 443" and then the error "cannot parse the private key".

For testing, I installed Apache and used the same keys, and it is working fine.

Regards,
Krishna M S

Thanks. I did some testing and confirmed that generating keys using OpenSSL does work. Maybe you’re using different parameters that we don’t support though?

Here are the steps I’m using for OpenSSL:

  • Generate a private key: openssl genrsa -out ./mattermost.local.key 2048
  • Generate a CSR for that private key: openssl req -new -key ./mattermost.local.key -out ./mattermost.local.csr
  • Have the private CA create a signed certificate for that CSR: openssl x509 -req -days 7300 -in mattermost.local.csr -CA ca.crt -CAkey ca.key -out mattermost.local.crt -set_serial 01 -sha256
  • Configure Mattermost to use the private key and certificate:
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "/Users/chris/go/src/github.com/mattermost/platform/ssltest/mattermost.local.crt",
    "TLSKeyFile": "/Users/chris/go/src/github.com/mattermost/platform/ssltest/mattermost.local.key",

For reference, my certificate file (.crt) contains the following:


And my key (.key) contains this:


If there’s anything you’re doing differently that you think should work, let me know and I’ll see if I can reproduce the issue and file it as a bug if appropriate.

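Mattermost is written in Go, and "tls: failed to parse private key" is the message Go's crypto/tls returns when it cannot load a key file. The following added example (not code from the thread or from Mattermost) loads a PEM certificate/key pair the same way and reports the usual reasons it fails, then checks the two browser-facing problems raised later in this thread: a certificate without Subject Alternative Names, and one whose SANs name a different host (the "valid for dockerhost, not mattermost.toradex.int" case). The SelfSigned helper, the host names and the input certificates are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Diagnose loads a PEM cert/key pair the way crypto/tls (hence Mattermost) does and adds
// the checks behind this thread's errors: encrypted key, key/cert mismatch, missing SANs.
func Diagnose(certPEM, keyPEM []byte, host string) []string {
	var out []string
	// OpenSSL marks passphrase-protected keys with "Proc-Type: 4,ENCRYPTED" or an
	// ENCRYPTED PRIVATE KEY block; crypto/tls decrypts neither, so the parse fails.
	if kb, _ := pem.Decode(keyPEM); kb != nil && (kb.Headers["Proc-Type"] != "" || kb.Type == "ENCRYPTED PRIVATE KEY") {
		out = append(out, "key is passphrase-protected; export it unencrypted for Mattermost")
	}
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return append(out, "tls.X509KeyPair: "+err.Error())
	}
	cb, _ := pem.Decode(certPEM) // non-nil here: X509KeyPair has already parsed it
	leaf, _ := x509.ParseCertificate(cb.Bytes)
	if len(leaf.DNSNames) == 0 && len(leaf.IPAddresses) == 0 {
		out = append(out, "certificate has no Subject Alternative Names; browsers ignore the CN")
	}
	if err := leaf.VerifyHostname(host); err != nil {
		out = append(out, "hostname: "+err.Error())
	}
	return out
}

// SelfSigned builds a constructed, throwaway self-signed RSA cert for cn with DNS SANs (nil = CN-only).
func SelfSigned(cn string, sans []string) (certPEM, keyPEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: sans}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM
}

func main() { // CN-only certificate: the shape that produces the Chrome SAN error later in the thread
	cert, key := SelfSigned("mattermost.local", nil)
	fmt.Println(Diagnose(cert, key, "mattermost.local"))
}
```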

Hi Chris,

SSL works now perfectly. Thank you very much.

Best Regards

Krishna M S

Hi,

The only error is this

[2017/08/17 05:39:25 CEST] [EROR] Unable to setup forwarding

http://mattermost.toradex.int is not getting forwarded to https://mattermost.toradex.int


Could you please help me out on this issue?

Best Regards

Krishna M S

Hi Chris,

When I open https://mattermost.toradex.int in Chrome I get an error like this:

This server could not prove that it is mattermost.toradex.int; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

Do we need to reconfigure the certificate and add additional parameters?

Best Regards

Krishna M S

The “Unable to setup forwarding” error is happening because by default, Ubuntu doesn’t allow processes to bind to ports lower than 1024. You’ll need to give mattermost the “cap_net_bind_service” capability as described here: https://docs.mattermost.com/install/config-tls-mattermost.html

As for the “server could not prove that it is mattermost.toradex.int” error, I’m guessing yes, you probably need to add additional parameters to the certificate. Perhaps this stack overflow answer will work for you? https://stackoverflow.com/a/43665244

Hi,

Thanks for your help. It works well.

Best Regards

Krishna M S

Hi,

I ran this command twice. Do I need to run this as user mattermost?

Best Regards

Krishna M S

Hi Chris,

The video call is not going through. I am seeing this error in the log file:

[2017/08/21 11:25:20 CEST] [EROR] /api/v4/webrtc/token:WebRTC.Token code=500 rid=m4spg9ge47n5zki5i5n8zw74wr uid=um7x7zhsh7gxjbiqxxirujkw5o ip=10.18.0.116 We encountered an error while connecting to the server [details: Post https://mattermost.toradex.int:7089/admin: x509: certificate is valid for dockerhost, not mattermost.toradex.int]

Please tell me how to replace the certificate for the docker?

Best Regards

Krishna M S

For the video call you might want to enable Insecure Outgoing Connections under Security -> Connections in the Mattermost System Console.

Hi,

I have tried that option also. I just get the error connecting to video call and there are no logs written.

Best Regards

Krishna M S

Have you seen our updated guide here? https://docs.mattermost.com/deployment/webrtc.html