Mattermost, Inc.

TLS Configuration problem with LetsEncrypt

Yesterday I discovered MM and fell in love with it. Today I was setting up a production server for use with my team, but after activating TLS I started getting this error

 Secure Connection Failed
An error occurred during a connection to im.rocketpacks.biz. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

in Firefox, and

This site can’t provide a secure connection

xxx.domain.biz sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

MM works fine when I disable TLS by editing config.json.
Then I checked the logs. Here is what I found:
"msg":"http: TLS handshake error from x.x.x.x.53000: acme/autocert: missing certificate$
{"level":"error","ts":1575953454.386041,"caller":"http/server.go:3010","msg":"http: TLS handshake error from :53016: acme/autocert: missing certificate"
{"level":"error","ts":1575953455.4031475,"caller":"http/server.go:3010","msg":"http: TLS handshake error from ********* 53018: acme/autocert: missing certificate

Here is my configuration file:
"SiteURL": "https://im.*******.biz",
"WebsocketURL": "",
"LicenseFileLocation": "",
"ListenAddress": ":443",
"ConnectionSecurity": "TLS",
"TLSCertFile": "",
"TLSKeyFile": "",
"TLSMinVer": "1.2",
"TLSStrictTransport": false,
"TLSStrictTransportMaxAge": 63072000,
"TLSOverwriteCiphers": [],
"UseLetsEncrypt": true,
"LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
"Forward80To443": true,
"TrustedProxyIPHeader": [
    "X-Forwarded-For",
    "X-Real-IP"
]

And yes, I created the certificate with Certbot.
/etc/letsencrypt/live/im.******.biz/ contains
cert.pem chain.pem fullchain.pem privkey.pem README
files.

I don’t know how I can resolve this issue… I tried to google it but had no luck.

Thanks

Hi there, @bbdoc

The missing certificate error in the mattermost.log suggests that the certificate chain might be incomplete. May I know what is the result that you are getting when you run the SSL Test on your domain? Can you share the results here?

You can also run the following command and share the output here. Change the parameter to the SiteURL without the https:

echo | openssl s_client -showcerts -connect <domain>:443 -CApath /etc/ssl/ && echo | openssl s_client -connect <domain>:443 2>/dev/null | openssl x509 -noout -dates -text

Since you mentioned that it works fine when you disabled TLS, it could just be a minor issue with the certificate config. Let me know how it goes on your end.
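
The command in the reply inspects the certificate the server presents over the network. As an offline counterpart, the following added example (not from this thread and not Mattermost code) checks the Certbot files listed in the question directly on disk: chain length in fullchain.pem, key and certificate match, expiry, and chain verification. The function name `check_le_dir` and its optional trust-anchor argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: offline sanity check of a Certbot "live" directory.
# Usage: check_le_dir DIR [CAFILE]
#   DIR    directory holding cert.pem, chain.pem, fullchain.pem, privkey.pem
#   CAFILE optional trust anchor (assumption: omitted means the system store)
check_le_dir() {
    dir=$1; cafile=${2:-}; rc=0

    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "FAIL: cannot read $dir/$f"; return 2; }
    done

    # 1. fullchain.pem must carry the leaf plus at least one intermediate.
    n=$(grep -c 'BEGIN CERTIFICATE' "$dir/fullchain.pem" || true)
    if [ "$n" -ge 2 ]; then echo "ok:   fullchain.pem has $n certificates"
    else echo "FAIL: fullchain.pem has $n certificate(s), chain incomplete"; rc=1; fi

    # 2. The private key must belong to the leaf: compare the public keys.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   privkey.pem matches cert.pem"
    else echo "FAIL: privkey.pem does not match cert.pem"; rc=1; fi

    # 3. The leaf must not be expired.
    if openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok:   $(openssl x509 -in "$dir/cert.pem" -noout -enddate)"
    else echo "FAIL: cert.pem is expired or unreadable"; rc=1; fi

    # 4. The leaf must chain to a trust anchor through chain.pem.
    if openssl verify ${cafile:+-CAfile "$cafile"} -untrusted "$dir/chain.pem" \
            "$dir/cert.pem" >/dev/null 2>&1; then
        echo "ok:   cert.pem verifies via chain.pem"
    else echo "FAIL: cert.pem does not verify via chain.pem"; rc=1; fi

    return "$rc"
}
```

Run it as root against the directory under /etc/letsencrypt/live/, since privkey.pem is not world-readable.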