We installed the Mattermost Enterprise Edition and currently face a problem with the configuration of a secure database connection.
We want to use the MySQL-Server within our intranet as database for Mattermost and the database connection has to be encrypted with SSL/TLS. Our current SqlSettings look like this:
Do you have any advice on how to configure the details for the database connection over SSL/TLS?
We tried the tls=custom URL parameter in the DataSource string but couldn't find a way to set the required TLSConfig object using the config files. With tls=true we get the following error:
Failed to ping db err:tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
Using the tls=skip-verify option works to establish a connection, but doesn't meet our security requirements.
We would be grateful for a good hint.
I have done things like this with SSH tunnels. That’s very reliable and as secure as TLS.
Thanks for your reply.
You're right, but this solution isn't wanted by our administration.
Is there a native way using the mattermost server config?
I’m not aware of a way to put SSL on a MySQL connection. But I may be wrong.
Well, we configured our MySQL server to only accept an SSL encrypted mysql connection for the database/user combination on which the mattermost server depends.
As I said, by using tls=skip-verify the connection is established, but Mattermost doesn't verify the certificate.
So we are searching for a way to tell Mattermost which root certificate to use, so the MySQL server certificate can be verified.
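What the MySQL driver actually needs in order to verify the server certificate, shown as an added Go example that is not part of this thread and not Mattermost's own code: the Go MySQL driver (go-sql-driver/mysql) honours `tls=custom` in the DSN only after the process has called `mysql.RegisterTLSConfig("custom", cfg)` with a `*tls.Config`, which is the object the first post could not set from the config file. The error quoted in the first post is Go's crypto/tls refusing a config that has neither `ServerName` nor `InsecureSkipVerify`, so the block below sets `RootCAs` and `ServerName` explicitly and runs the same chain and host-name check the handshake would run, which is exactly what `tls=skip-verify` skips. The CA and server certificates are generated in-process as constructed test data; the host name `mysql.intranet.example`, the user `mmuser` and the DSN shape are assumptions. The driver call itself appears only in a comment so the example runs stand-alone with the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewMySQLTLSConfig builds the *tls.Config a program would pass to
// mysql.RegisterTLSConfig("custom", cfg) before opening a DSN with "?tls=custom".
// caPEM is the PEM bundle of the root that signed the MySQL server certificate;
// serverName is the host name that certificate was issued for. InsecureSkipVerify
// is deliberately never set: it would accept any certificate at all.
func NewMySQLTLSConfig(caPEM []byte, serverName string) (*tls.Config, error) {
	if serverName == "" {
		return nil, errors.New("serverName is required for certificate verification")
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM data")
	}
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

// VerifyServerCert runs the chain and host-name check that a TLS handshake
// using cfg performs, against a DER-encoded server certificate.
func VerifyServerCert(cfg *tls.Config, serverDER []byte) error {
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

// BuildDSN assembles a go-sql-driver/mysql data source name of the shape used in
// Mattermost's SqlSettings.DataSource, selecting the registered TLS profile by name.
func BuildDSN(user, password, host string, port int, database, tlsName string) string {
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?tls=%s&charset=utf8mb4,utf8",
		user, password, host, port, database, tlsName)
}

// MakeTestPKI generates a throw-away root CA plus a server certificate for
// serverName signed by it (constructed test data, not a real deployment).
// It returns the CA as PEM and the server certificate as DER.
func MakeTestPKI(serverName string) (caPEM, serverDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Intranet Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames:  []string{serverName}, // the SAN is what host-name verification checks
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	serverDER, err = x509.CreateCertificate(rand.Reader, srvTmpl, caTmpl, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), serverDER, nil
}

func main() {
	const host = "mysql.intranet.example" // assumed host name of the MySQL server
	caPEM, serverDER, err := MakeTestPKI(host)
	if err != nil {
		panic(err)
	}
	cfg, err := NewMySQLTLSConfig(caPEM, host)
	if err != nil {
		panic(err)
	}
	// Real program: mysql.RegisterTLSConfig("custom", cfg), then sql.Open("mysql", BuildDSN(...)).
	fmt.Println("DSN:", BuildDSN("mmuser", "secret", host, 3306, "mattermost", "custom"))
	fmt.Println("trusted CA, right host:", VerifyServerCert(cfg, serverDER))
	wrongHost, _ := NewMySQLTLSConfig(caPEM, "rogue.example")
	fmt.Println("trusted CA, wrong host:", VerifyServerCert(wrongHost, serverDER))
}
```

The point of the two checks at the end is that a pinned root alone is not enough: with `ServerName` set to the wrong name the same certificate is rejected, and with a different root it is rejected as signed by an unknown authority, so a host on the intranet that presents its own self-signed certificate cannot impersonate the database server the way it can under `tls=skip-verify`.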
Answer from Mattermost Support:
How to set up a MySQL DB for Mattermost on Windows.
This topic is a bit old, but especially because it’s old, was there any change to this? Is it possible to define a root CA file to connect to the database with a self-signed TLS certificate, or not yet?
From what I see in the ticket at [MM-5996] Investigate: Support database connection over SSL/TLS - Mattermost, it seems to be open and to not have had any activity for a few years. Is this feature going to be implemented (without using tls=skip-verify)?
Thanks in advance
I would suggest using a reverse proxy such as through Apache, and proxying the database to a VirtualHost in which you are using SSL/TLS. At that point, you should be able to create a listener on the target server (that you want the database to send data to) and then, in essence, import the database information almost as if it was in a cluster environment.