Https access problem

crostif · April 17, 2020, 6:32pm

Hi,
I have installed Mattermost on a VPS. It was working well.
Then I created a domain (see SiteURL in blockquotes) that i directed to the IP adress of my server. I created letsencrypt certificates, and ths diagnostic was OK on ssllabs.
I configured Mattermost to listen to the port 443, which is opened.
Then it doesn’t work anymore (either ssllabs).

The true adress of the server is https://vps701695.ovh.net.

I don’t understand what’s wrong.
Here is the first lines of config.json :

“SiteURL”: “https://www.talk.rohou.fr”,
“WebsocketURL”: “”,
“LicenseFileLocation”: “”,
“ListenAddress”: “:443”,
“ConnectionSecurity”: “TLS”,
“TLSCertFile”: “/etc/letsencrypt/live/talk.rohou.fr/fullchain.pem”,
“TLSKeyFile”: “/etc/letsencrypt/live/talk.rohou.fr/privkey.pem”,
“TLSMinVer”: “1.2”,
“TLSStrictTransport”: false,
“TLSStrictTransportMaxAge”: 63072000,
“TLSOverwriteCiphers”: ,
“UseLetsEncrypt”: true,
“LetsEncryptCertificateCacheFile”: “./config/letsencrypt.cache”,
“Forward80To443”: true,
“TrustedProxyIPHeader”: [
“X-Forwarded-For”,
“X-Real-IP”
],

Is there someone with an idea ?
Thanks.

marcokundt · April 21, 2020, 8:57am

Is the mattermost binary running as an unprivileged user? You can’t just bind 443 without being root or withoutsetting capabilities. It’s advisable to use an reverse proxy like nginx instead of the http server inside mattermost though. Instructions can be found here https://docs.mattermost.com/install/config-proxy-nginx.html and an nginx conf generator https://ssl-config.mozilla.org/. In this case you need to revert all the changes and let mattermost listen on 8065 and proxy request to this port.

crostif · May 30, 2020, 4:09pm

I don’t understand where my problem comes from…
I tried to get rid of apache and i installed nginx.
nginx is working fine, but mattermost refuse to start because of port 443 already used… The only tree applications on the server are webmin, nginx and mattermost…
The test on ssllabs for mydomain (talk.rohou.fr) is now right.

[mydomain] is talk.rohou.fr and its ip is 51.91.248.71

The mattermost file in sites-enabled begins with :

upstream backend {
   server 51.91.248.71:8065;
   keepalive 32;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
   listen 80 default_server;
   server_name   [mydomain] ;
   return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name    [mydomain] ;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/[mydomain]/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/[mydomain]/privkey.pem;

And the mattermost’s config.json begins with :

"ServiceSettings": {
        "SiteURL": "[mydomain]",
        "WebsocketURL": "",
        "LicenseFileLocation": "",
        "ListenAddress": ":443",
        "ConnectionSecurity": "TLS",
        "TLSCertFile": "/etc/letsencrypt/live/[mydomain]/fullchain.pem",
        "TLSKeyFile": "/etc/letsencrypt/live/[mydomain]/privkey.pem",
        "TLSMinVer": "1.2",
        "TLSStrictTransport": false,
        "TLSStrictTransportMaxAge": 63072000,
        "TLSOverwriteCiphers": [],
        "UseLetsEncrypt": true,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": true,

When i do a curl on localhost:80, it gives :

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

When i do a curl on localhost:443, it gives :

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

When i do a curl on localhost:8065, it gives :

curl: (7) Failed to connect to localhost port 8065: Connexion refusée

I’m lost…

marcokundt · June 4, 2020, 10:18am

Hey,
you need to change the ListenAddress in the Mattermost config according to the port specified in nginx (in your case 8065. Mattermost will listen on this port on localhost and nginx will proxy requests, which came in on 443, to 8065. With your configuration now nginx binds 443 and Mattermost tries to bind 443 too (ot the other way around).

Best regards,
Marco

crostif · June 5, 2020, 10:01am

Thanks for this. I will try.
I succeeded to make it work by stopping nginx. Mattermost is on 443 and nginx off.
It would certainly be nicer to make nginx work using your solution. I’ll try.

Topic		Replies	Views
Unable to reach my server with TLS/Let's Encrypt option enabled Troubleshooting	4	1169	April 18, 2019
TLS Issues with lets encrypt Command Line Interface	2	881	June 5, 2019
Letsencrypt on RHEL Troubleshooting	4	1231	June 12, 2017
Issues with TLS Troubleshooting	6	1324	May 10, 2018
[SOLVED] Unable to connect to Matermost server when secure connection is Enabled Troubleshooting	6	4641	January 23, 2018

Https access problem

Related topics