Mattermost, Inc.

Wildcard certificates not valid for GitLab token requests?

Hello…

GitLab user here. I was just setting up the (now included) Mattermost service and seem to have run into a snag. This is an internal server and we have our own CA that signed the wildcard certificate (*.ourdomain.com) that is used for applications like this. Our CA is a valid root CA on the machine (CentOS 6 latest).

All seems to be fine until Mattermost does the token request, where I get the following logged:

2015-09-24_19:37:41.17151 [09/24/15 13:37:41] [EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=y7sb7mek93gitesqhf4qftqikh uid= ip=192.168.2.50 Token request to gitlab failed [details: Get https://gitlab.ourdomain.com.com/api/v3/user: x509: certificate is valid for *.com.com, com.com, not gitlab.ourdomain.com.com]

The duplicate .com.com stuff is in the actual log entry, which is also odd (but maybe just a log error?). The actual certificate should be valid for *.ourdomain.com on the system, so I’m guessing there is some logic in Mattermost that doesn’t respect wildcards, or something else?

Any guesses would be appreciated…

Thanks

-James

The line is logged at https://github.com/mattermost/platform/blob/master/api/user.go#L1488. The detailed error message of “x509: certificate is valid for *.com.com, com.com, not gitlab.ourdomain.com.com” is what we get from golang. See https://golang.org/src/crypto/x509/verify.go line 89, which would suggest the cert is improperly configured.