Gitlab mattermost error: certificate is not valid for any names, but wanted to match

Hi,

I’m trying to setup gitlab and mattermost behind haproxy.
I’m using the official docker image of gitlab/gitlab-ce , tag 9.2.1-ce.0 .
Both of them should be running in one and the same container, wich mappes the exposed ports 80 and 443 on the host 192.168.10.121:

8080 → 80
8443 → 443

gitlab uses the hostname ‘git.mydomain.com’ ,
mattermost uses ‘chat.mydomain.com’

Both are directed to the same haproxy backend:

backend http_gitlab
mode http
option httplog
option forwardfor
option http-server-close
option httpchk
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
server gitlab 192.168.10.121:8080 maxconn 50

I’ve modified the gitlab.rb according the gitlab documentation:

external_url ‘https://git.mydomain.com’
nginx[‘listen_port’] = 80
nginx[‘listen_https’] = false
nginx[‘proxy_set_headers’] = {
“X-Forwarded-Proto” => “https”,
“X-Forwarded-Ssl” => “on”,
}

mattermost_external_url ‘https://chat.mydomain.com’
mattermost_nginx[‘listen_port’] = 80
mattermost_nginx[‘listen_https’] = false
mattermost_nginx[‘proxy_set_headers’] = {
“X-Forwarded-Proto” => “https”,
“X-Forwarded-Ssl” => “on”,
}

gitlab itself is working fine at https://git.mydomain.com .
But mattermost has an issue with SSO: After it redirects me to gitlab for login and I klick ‘Authorize’, a blank page is displayed. The page source contains:

{“id”:“api.user.authorize_oauth_user.token_failed.app_error”,“message”:“Token request failed”,“detailed_error”:“”,“request_id”:“km8x4wu9if817njji1rwb1smjc”,“status_code”:500}

And an error message is raised in the mattermost current log:

2017-05-25_10:30:18.81999 [2017/05/25 10:30:18 UTC] [EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=urc7pnxmwpgd5p6xs73botb3gr uid= ip=192.168.10.2, 192.168.10.101 Token request failed [details: Post https://git.mydomain.com/oauth/token: x509: certificate is not valid for any names, but wanted to match git.mydomain.com]

I’ve no glue, what could cause this error. gitlab is running fine with the certificate on the proxy server. I also copied the git.mydomain.com.crt from the haproxy server to the config/ssl dir of gitlab because it also contains the ca’s cert. But the error persists.

Does someone have any hint about the issue?

Thanks a lot.

Solved it. At least partially. The container dns-resolved git.mydomain.com and chat.mydomain.com to the external address which gets nat’ed and then forwarded with haproxy. For some reason there is an issue with sso in that scenario. I’ve temporary extended the /etc/hosts of the container to contain the mapping of git.mydomain.com and chat.mydomain.com to the internal address of haproxy. This made the sso working. But it would be nice to know about the reason for this behaviour.

Thanks for posting your solution @expatcz,

I’ve asked one of our devs for feedback on the reason for the behaviour and once I hear back I’ll post here

Sorry about the long delay @expatcz, the devs are a little busy with the current release which is due out on June 16th but they should have feedback for you soon

I’ve the same error. But I’m not behind a proxy. I’m in internal network.

I’ve the same error. But behind nginx proxy.

Hi @expatcz @Positron and @mkzaker,

Thanks for your feedback and apologies for the delayed response. We’ve just shipped v3.10 release so our devs should be more available to help.

FYI, I did come across this GitLab Mattermost Install Guide that might have some help for your issue. We also have this ticket open which may be affecting your installation.

I had this error once too. It was because when I created the certificate, I left the Common Name blank. It seems that Mattermost rejects the certificate if you don’t specify the correct FQDN in the certificate. In your case, that would be git.mydomain,com.

After a day’s effort scrambling to understand why my gitlab runner wouldn’t register, this 3 sentence comment solved my issue. Thank you sir!