To help troubleshoot this further, would you like to check the following documentation:
We have some important upgrade notes related to port80to443, if you look at sections for v4.9 and v4.6.2
Config settings - if you search for “TLS”, there might be settings relevant to the issue you are seeing. If you’re not sure which ones might be relevant, I can ask one of our engineers.
In the important upgrade notes, there are these following notes - I am not 100% sure if these are relevant to the issue you are seeing, but they might be relevant depending on what server version you are using - please let me know if these do not help:
“If using Let’s Encrypt without a proxy server, the server will fail to start with an error message unless the Forward80To443 config.json setting is set to true.”
“If forwarding port 80 to 443, the server will fail to start with an error message unless the ListenAddress config.json setting is set to listen on port 443.”
“If using Let’s Encrypt without a proxy server, forward port 80 through a firewall, with the Forward80To443 config.json setting set to true to complete the Let’s Encrypt certification.”
One of our amazing community members found a potential explanation. The error message Policy forbids issuing for name means that the domain you’re using has been blacklisted by Let’s Encrypt. They do this for a few reasons, but mainly to prevent impersonation of large sites.
To test this, try disabling your web server and then running this command:
I’ve decided to give the second server in AWS another try but this time with TLS private key instead of lets encrypt.
I have it up and running without TLS but just like before it fails when I try to enable TLS.
There are two issues happening.
The setcap isn’t working. I’m running MM with it’s own user and it seems setcap doesn’t take effect.
Running MM as root I’m getting a wierd behaviour. Web experience is unstable, I cant connect MM clients and IE and Edge accesses keep returning TLS error “EOF”
I have a .cert and .key created using openssl. They are at mm root directory.
Has anyone managed to get this working? Any support would be appreciated. Whats the best way to configure TLS in MM?
Hi @RbDev! I found this thread on a similar issue from a few months ago and there our engineers recommended configuring TLS on Apache and using separate certificates for each virtual host.
I’ve noticed that running nginx was just swapping one problem for many others so I’ve decided to go back and work on getting direct mattermost hosting working.
The good news is I got MM running on HTTPS (port 443). The trick is to run platform as root user. It’s bad for security but it won’t work any other way.
Ok so now we’ve got 3 issues.
Safari keeps complaining about websocket issues. Same issue we’ve seen before in the screenshot. Other browsers are fine. Any ideas?
Edge and IE keep flooding MM log with TLS EoF error.
{“level”:“info”,“ts”:1531464394.5365913,“caller”:“runtime/asm_amd64.s:2361”,“msg”:“http: TLS handshake error from XX.XX.XX.XX:62476: EOF”,“source”:“httpserver”}
I can log on MM clients using HTTP but not HTTPS. Any idea why?
prerelease server doesnt have these issues. Can you share the prerelease settings?
Reviving this topic again as I came across a user who is running into the same error. May I know if you were able to fix the problem and if yes, what was done on your end?
