Docker Swarm - Token request failed: certificate signed by unknown authority

Troubleshooting
1

For feature requests, please see: http://www.mattermost.org/feature-requests/.

For troubleshooting questions, please post in the following format:

Summary

When trying to sign-in to Mattermost through Gitlab, I get the Token Request Failed error.

Steps to reproduce

Bring up Mattermost login page.
Click Sign in with Gitlab button.
Click Authorize button on Gitlab page.
Receive error.

Expected behavior

Mattermost account created after authorization.

Observed behavior

We have a Docker swarm which runs Gitlab and we are trying to add Mattermost. We do not want to run Mattermost inside the Gitlab Omnibus config and are instead running the official mattermost/mattermost-prod-app:5.9.0 image.

We use traefik as our reverse proxy and I have certs created from our company’s CA.

I am able to bring up Mattermost over https fine at https://[mattermost-host]:8000.

But when trying to sign in through Gitlab which is also in the Swarm, it fails and the logs show:
{“level”:“error”,“ts”:1553976776.5173821,“caller”:“api4/oauth.go:493”,“msg”:“AuthorizeOAuthUser: Token request failed, Post https://[gitlab-url]/oauth/token: x509: certificate signed by unknown authority”}

The certs I have for mattermost include our CA’s root certs. I’m assuming I have to add the root certs to the trust store - but not sure if this needs to be done in the mattermost container or traefik. I cannot edit the ca-certs in the mattermost container anyway.

2

I’m not experimented with Gitlab auth setup, but I think you can solve this in 2 different ways.

If your Gitlab server is inside the same Swarm cluster, maybe you could reach Gitlab using an internal Docker network, allowing you to use http instead of https. IIRC you can create an encrypted network in your Swarm, so http would not be insecure inside this internal network.

If you want to stay with https, or if Gitlab is not inside your Swarm cluster, then you need to add your CA’s root cert to the Mattermost container store (not Traefik), as you said.

3

Hi @rgrubin75,

To add, Mattermost / go uses /etc/ssl/certs/ . You could prepare such a folder to contain your certificates, and then mount the prepared folder using Docker volumes (i.e. hiding /etc/ssl/certs/ contained in the official image).