Mattermost-desktop Linux does not read the NSSDB

The Mattermost-desktop application does not read the user’s NSSDB in ~/.pki/nssdb/ so it’s unable to use the opensc module for smart card authentication. Is there a way to configure the chromium applet included with the application to use the NSSDB on RHEL 7?

Mattermost works in Chrome after adding the OpenSC module with “modutil -dbdir sql:~/.pki/nssdb/ -add “OpenSC” -libfile /usr/lib64/pkcs11/opensc-pkcs11.so”

Environment:
RHEL 7
Mattermost 5.2.2-26058
Chrome 108.0.5359.124-1
Firefox 102.5.0-1
Authentication: ADFS SAML

The need to run the application arises from several other conditions. We only run Firefox on our systems but Mattermost calls and screen sharing do not work in Firefox when the OS is configured in FIPS mode. This is a separate issue with should probably also be reported as a bug.

As a workaround we tried installing Chrome and it works perfectly after configuring OpenSC in the user’s NSSDB. Unfortunately, Chrome is not approved for installation in our organization. The Mattermost-Desktop app uses chromium so it would be viable but it doesn’t read the NSSDB so it fails to read the smartcard when authenticating through ADFS.

Any assistance would be greatly appreciated.

Hi WillD and welcome to the Mattermost forums!

While I cannot answer your questions, I’ve alerted the responsible teams for the desktop app and the calls feature to check out this post. Please stay tuned.

Short update with regards to the certificate:
This seems to be related to an electron bug - the Mattermost desktop app uses electron:

Further investigation ongoing.

After researching I do agree that this is an Electron bug, but not the one you listed. My issue relates to the PKCS11 smart card module in NSSDB.

Electron issues:
https://github.com/electron/electron/issues/20575

The original issue was incorrectly marked as deprecated version even though it’s still an issue on the current version, so it was re-created as a new issue that went stale.

https://github.com/electron/electron/issues/32668

Due to this, smart card authentication does not work at all in the desktop app on RHEL 7 even though it works on Windows.

I just discovered that this has been an open issue in Mattermost for 1.5 years now. A status update would be greatly appreciated.

https://github.com/mattermost/desktop/issues/1371

We only run Firefox on our systems but Mattermost calls and screen sharing do not work in Firefox when the OS is configured in FIPS mode. This is a separate issue with should probably also be reported as a bug.

@WillD It honestly sounds like a potential issue with Firefox but if there’s anything we can do to make Calls work I am happy to have look. Could you please create an issue at Issues · mattermost/mattermost-plugin-calls · GitHub with all the relevant details, and possibly some logs to show what’s failing? Thanks :slight_smile:

Trying to follow-up here: Has this issue been resolved or has an issue at GitHub been created which we could link here for future reference?

I did create a GitHub issue here: Calls fail in Firefox Linux when FIPS is enabled · Issue #290 · mattermost/mattermost-plugin-calls · GitHub

However, since Chrome is working we just moved forward with using Chrome instead so I haven’t tried the two suggestions provided in the issue response.

Alright, thanks for the followup and the link, I hope that this issue can be fixed in the future for Firefox users too.