Mattermost, Inc.

Where does mattermost server take its certificate trust from?

I am currently running an internal trial to decide whether the company uses MM as its new chat app.

I have a server in pre-production using an internal namespace with an NGINX proxy that has been signed by the company CA server. This all works fine for the most part. The underlying Ubuntu server now has the cacerts of my private tree installed.

I have seen in the troubleshooting guide that internal signing isn’t supported by the app itself.

Using matterpoll or anything with ephemeral interactive buttons, the buttons don’t work. The server generates an x509 error.

{"level":"error","ts":1565374462.2017803,"caller":"mlog/log.go:172","msg":"Action integration error","path":"/api/v4/posts/1ykc4a6xkiry5p36s4zagkyqby/actions/uot7xarrzi8odj86q45o79rtdo","request_id":"z6fishwn83btxncaqoi3cpoysw","ip_addr":"172.27.27.215","user_id":"14hnsq4o97fjikqwgepf43hfcw","method":"POST","err_where":"DoActionRequest","http_code":400,"err_details":"err=Post https:// internal domain /plugins/com.github.matterpoll.matterpoll/api/v1/polls/jp88eizn37gndpa6d54hmqr5dc/delete: x509: certificate signed by unknown authority"}

If I set Enable Insecure Outgoing Connections to true then the buttons work again.

I can only assume that the mattermost server app itself is establishing a connection over TLS, going through its own NGINX proxy and finding an untrusted certificate.

Is there any way to get the mattermost app to establish trust with an internal CA, or am I reading this wrong?

Kind Regards,

Rhys

Hi @Raziel-lj, You don’t want Enable Insecure Outgoing Connections. As far as we know, Go uses certificates in /etc/ssl/certs. Putting the company cert there should do the trick. (We assume that in this case “app” is “webapp” and not “mobile app”.)

I had added trust to the store and checked it with openssl s_client -connect internaldomain:443 -CApath /etc/ssl/certs from the MM host and it still didn’t work.

It does, however, now work! So somewhere in a reboot or just waiting a little time and it’s behaving.

Thanks for confirming Go uses that store!