Set up SSL access with Mattermost server to enable Calls

Hi,
I've set up Mattermost server on my QNAP via Docker with MariaDB.
I am not really into programming, so I had some difficulties setting it up, but in the end I succeeded and it works fine.

It is accessible on IP and port 8065. I'd like to start using Calls, at least on the LAN, but I can't make it work.

MM is behind a firewall and its network is set to bridged with the QNAP…
I tried these settings in config.json but it didn't work:
"ServiceSettings": {
"SiteURL": "https://xxx.xxx.xxx.xxx:443",
"WebsocketURL": "",
"LicenseFileLocation": "",
"ListenAddress": ":443",
"ConnectionSecurity": "TLS",
"TLSCertFile": "",
"TLSKeyFile": "",
"TLSMinVer": "1.2",
"TLSStrictTransport": false,
"TLSStrictTransportMaxAge": 63072000,
"TLSOverwriteCiphers": [],
"UseLetsEncrypt": true,
"LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
"Forward80To443": true,
Can you give me some advice?

Thanks
Urh

Hey,

What are the error messages you're getting when you try to start the server with this configuration? There should be logs for the container available, or if you have access to the filesystem, you should also see them somewhere in the Docker container's base directory (subdirectory volumes/app/mattermost/logs probably).

{"timestamp":"2023-03-23 08:08:05.381 Z","level":"error","msg":"http: TLS handshake error from 'ip of machine that i want to access mattermost srv with':63121: acme/autocert: missing server name","caller":"log/log.go:195","source":"httpserver"}
{"timestamp":"2023-03-23 08:08:05.390 Z","level":"error","msg":"http: TLS handshake error from 'ip of machine that i want to access mattermost srv with':63122: acme/autocert: missing server name","caller":"log/log.go:195","source":"httpserver"}
{"timestamp":"2023-03-23 08:08:05.400 Z","level":"error","msg":"http: TLS handshake error from 'ip of machine that i want to access mattermost srv with':63124: acme/autocert: missing server name","caller":"log/log.go:195","source":"httpserver"}
{"timestamp":"2023-03-23 08:08:05.411 Z","level":"error","msg":"http: TLS handshake error from 'ip of machine that i want to access mattermost srv with':63125: acme/autocert: missing server name","caller":"log/log.go:195","source":"httpserver"}

And these are the logs of a server restart with that configuration:

{"timestamp":"2023-03-23 08:07:24.293 Z","level":"info","msg":"Server is initializing…","caller":"platform/service.go:165","go_version":"go1.18.1"}
{"timestamp":"2023-03-23 08:07:24.293 Z","level":"info","msg":"Pinging SQL","caller":"sqlstore/store.go:240","database":"master"}
{"timestamp":"2023-03-23 08:07:24.297 Z","level":"warn","msg":"MariaDB detected. You are using an unsupported database. Please consider using MySQL or Postgres.","caller":"sqlstore/store.go:1172"}
{"timestamp":"2023-03-23 08:07:24.347 Z","level":"info","msg":"Pinging SQL","caller":"sqlstore/store.go:240","database":"master"}
{"timestamp":"2023-03-23 08:07:24.660 Z","level":"info","msg":"Starting websocket hubs","caller":"platform/web_hub.go:95","number_of_hubs":8}
{"timestamp":"2023-03-23 08:07:24.667 Z","level":"info","msg":"Loaded system translations","caller":"i18n/i18n.go:93","for locale":"en","from locale":"/mattermost/i18n/en.json"}
{"timestamp":"2023-03-23 08:07:24.744 Z","level":"info","msg":"Current version is 7.8.1 (7.8.1/Wed Mar 1 15:04:11 UTC 2023/0340fc6060dfcdbe49483011d10b88858eb4a140/none)","caller":"app/server.go:397","current_version":"7.8.1","build_number":"7.8.1","build_date":"Wed Mar 1 15:04:11 UTC 2023","build_hash":"0340fc6060dfcdbe49483011d10b88858eb4a140","build_hash_enterprise":"none"}
{"timestamp":"2023-03-23 08:07:24.745 Z","level":"info","msg":"Team Edition Build","caller":"app/server.go:408","enterprise_build":false}
{"timestamp":"2023-03-23 08:07:24.745 Z","level":"info","msg":"Printing current working","caller":"app/server.go:412","directory":"/mattermost"}
{"timestamp":"2023-03-23 08:07:24.745 Z","level":"info","msg":"Loaded config","caller":"app/server.go:413","source":"file:///mattermost/config/config.json"}
{"timestamp":"2023-03-23 08:07:24.759 Z","level":"info","msg":"Starting workers","caller":"jobs/workers.go:48"}
{"timestamp":"2023-03-23 08:07:24.760 Z","level":"info","msg":"Starting schedulers.","caller":"jobs/schedulers.go:47"}
{"timestamp":"2023-03-23 08:07:24.788 Z","level":"error","msg":"License key from https://mattermost.com required to unlock enterprise features.","caller":"platform/license.go:106","error":"resource: License id: "}
{"timestamp":"2023-03-23 08:07:26.067 Z","level":"info","msg":"Starting up plugins","caller":"app/plugin.go:213"}
{"timestamp":"2023-03-23 08:07:26.067 Z","level":"info","msg":"Syncing plugins from the file store","caller":"app/plugin.go:294"}
{"timestamp":"2023-03-23 08:07:35.717 Z","level":"warn","msg":"plugin configured with a nil SecureConfig","caller":"plugin/hclog_adapter.go:72","plugin_id":"com.mattermost.nps"}
{"timestamp":"2023-03-23 08:07:35.835 Z","level":"info","msg":"Ensuring Feedbackbot exists","caller":"app/plugin_api.go:973","plugin_id":"com.mattermost.nps"}
{"timestamp":"2023-03-23 08:07:37.991 Z","level":"warn","msg":"plugin configured with a nil SecureConfig","caller":"plugin/hclog_adapter.go:72","plugin_id":"com.mattermost.apps"}
{"timestamp":"2023-03-23 08:07:38.307 Z","level":"info","msg":"activated","caller":"app/plugin_api.go:973","plugin_id":"com.mattermost.apps","plugin_caller":"server/plugin.go:135"}
{"timestamp":"2023-03-23 08:07:41.223 Z","level":"warn","msg":"plugin configured with a nil SecureConfig","caller":"plugin/hclog_adapter.go:72","plugin_id":"playbooks"}
{"timestamp":"2023-03-23 08:07:41.800 Z","level":"info","msg":"registered collection and topic type","caller":"app/collection.go:33","plugin_id":"playbooks","collection_type":"run","topic_type":"status"}
{"timestamp":"2023-03-23 08:07:41.801 Z","level":"info","msg":"registered collection and topic type","caller":"app/collection.go:33","plugin_id":"playbooks","collection_type":"run","topic_type":"task"}
{"timestamp":"2023-03-23 08:07:45.887 Z","level":"warn","msg":"plugin configured with a nil SecureConfig","caller":"plugin/hclog_adapter.go:72","plugin_id":"com.mattermost.calls"}
{"timestamp":"2023-03-23 08:07:45.964 Z","level":"info","msg":"[ERROR] call to OnConfigurationChange failed, error: setConfiguration: configuration is not valid: UDPServerAddress parsing failed","caller":"io/io.go:428","plugin_id":"com.mattermost.calls","source":"plugin_stderr"}
{"timestamp":"2023-03-23 08:07:46.143 Z","level":"info","msg":"rtc: server is listening on udp :8443","caller":"app/plugin_api.go:973","plugin_id":"com.mattermost.calls","origin":"main.(*logger).Info log.go:95"}
{"timestamp":"2023-03-23 08:07:46.145 Z","level":"info","msg":"rtc: server is listening on udp :8443","caller":"app/plugin_api.go:973","plugin_id":"com.mattermost.calls","origin":"main.(*logger).Info log.go:95"}
{"timestamp":"2023-03-23 08:07:46.148 Z","level":"info","msg":"rtc: server is listening on udp :8443","caller":"app/plugin_api.go:973","plugin_id":"com.mattermost.calls","origin":"main.(*logger).Info log.go:95"}
{"timestamp":"2023-03-23 08:07:46.153 Z","level":"info","msg":"rtc: server is listening on udp :8443","caller":"app/plugin_api.go:973","plugin_id":"com.mattermost.calls","origin":"main.(*logger).Info log.go:95"}
{"timestamp":"2023-03-23 08:07:46.966 Z","level":"warn","msg":"plugin configured with a nil SecureConfig","caller":"plugin/hclog_adapter.go:72","plugin_id":"focalboard"}
{"timestamp":"2023-03-23 08:07:47.050 Z","level":"info","msg":"connectDatabase","caller":"app/plugin_api.go:973","plugin_id":"focalboard","dbType":"mysql"}
{"timestamp":"2023-03-23 08:07:47.087 Z","level":"info","msg":"{\"level\":\"info\",\"msg\":\"Pinging SQL\",\"fields\":{\"database\":\"master\"}}\n","caller":"io/io.go:428","plugin_id":"focalboard","source":"plugin_stderr"}
{"timestamp":"2023-03-23 08:07:47.759 Z","level":"info","msg":"Initialized notification backend","caller":"app/plugin_api.go:973","plugin_id":"focalboard","name":"notifyMentions"}
{"timestamp":"2023-03-23 08:07:47.763 Z","level":"info","msg":"Initialized notification backend","caller":"app/plugin_api.go:973","plugin_id":"focalboard","name":"notifySubscriptions"}
{"timestamp":"2023-03-23 08:07:47.767 Z","level":"info","msg":"Initialized notification backend","caller":"app/plugin_api.go:973","plugin_id":"focalboard","name":"notifyLogger"}
{"timestamp":"2023-03-23 08:07:47.797 Z","level":"info","msg":"Focalboard server","caller":"app/plugin_api.go:973","plugin_id":"focalboard","version":"7.8.2","edition":"plugin","build_number":"4164951632","build_date":"\"Mon Feb 13 15:23:12 UTC 2023\"","build_hash":"1e35878351f9ab75fe6fd9c7562fb4cfdc566027"}
{"timestamp":"2023-03-23 08:07:47.798 Z","level":"info","msg":"Server.Start","caller":"app/plugin_api.go:973","plugin_id":"focalboard"}
{"timestamp":"2023-03-23 08:07:47.839 Z","level":"info","msg":"Boards product successfully started.","caller":"app/plugin_api.go:973","plugin_id":"focalboard"}
{"timestamp":"2023-03-23 08:07:47.893 Z","level":"info","msg":"Starting Server…","caller":"app/server.go:880"}
{"timestamp":"2023-03-23 08:07:47.893 Z","level":"info","msg":"Server is listening on [::]:443","caller":"app/server.go:952","address":"[::]:443"}

Logs below are with the configuration that I posted, and I cannot even access Mattermost, but if I leave this config empty/as default it works over ip:8065.

Thank you in advance

This is the culprit - Let's Encrypt is only able to create SSL certificates for hostnames, not for IP addresses, so if your SiteURL is set to https://1.2.3.4 (as indicated by your example), this is not going to work. It needs to be set to https://mattermost.yourdomain.tld (for example), and this hostname needs to be publicly available and accessible from the internet and needs to point to the server that's going to host Mattermost. That's how Let's Encrypt works (they connect to you and verify that the challenge matches).

Ok, thanks for your reply…
and the Calls plugin only works with https://?

Regards

Yes, but you do not need to use Let's Encrypt if you just want to use the setup internally. You can either purchase a public certificate (but the domain name needs to be public then) and install it on your server, or you can generate a self-signed certificate and use that (you just need to make sure that this certificate is trusted on all devices that connect to your Mattermost server then).

1 Like

Thanks a lot for your help @agriesser, I'll try to import a self-signed cert into the MM server and see what happens.
Can you point me to how to import that cert into the MM server?

Here's the documentation from OpenSSL for how to create a self-signed certificate:

Once you have the files (domain.key and domain.crt) you can point the configuration in your System Console from Environment → Web Server → TLS Certificate File & TLS Key File to these two files. Make sure that "Use Let's Encrypt" is set to false then, "Connection security" is set to TLS, "SiteUrl" is https://<domain> (where domain is the name you created the certificate for) and "ListenAddress" is :443.

1 Like
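The procedure in the reply above, carried through as an added example (this is not code from the thread or from Mattermost): build a small private root CA and then a server certificate for the Mattermost hostname, with a subjectAltName, which is what browsers and the mobile apps actually check, and with both private keys generated without a passphrase. The hostname mattermost.home.lan, the IP 192.168.1.10 and the file names (rootCA.crt, myMM.crt, myMM.key) are assumptions. The CA certificate is the one to install on client devices; the server cert and key are what go into the TLS Certificate File / TLS Key File settings.

```shell
#!/bin/sh
# Added example (not from the thread): private root CA + Mattermost server
# certificate with SAN. Hostname, IP and file names are assumptions.
# Keys are deliberately generated WITHOUT a passphrase (Mattermost cannot
# load encrypted keys), so the key files are created mode 0600.
set -eu

# make_ca DIR : unencrypted CA key and a self-signed CA certificate.
# Extensions come from an explicit extfile, not from openssl.cnf defaults,
# so the result is the same on OpenSSL 1.1.1 and 3.x.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" > "$dir/ca.ext"
    ( umask 077; openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null )
    openssl req -new -key "$dir/rootCA.key" -subj "/CN=Home Lab Root CA" \
        -out "$dir/rootCA.csr" 2>/dev/null
    openssl x509 -req -in "$dir/rootCA.csr" -signkey "$dir/rootCA.key" \
        -days 3650 -sha256 -extfile "$dir/ca.ext" -out "$dir/rootCA.crt" 2>/dev/null
}

# make_server_cert DIR HOST [IP] : key + CSR + CA-signed leaf certificate.
# SAN must carry the name users type into SiteURL; an IP entry is optional.
make_server_cert() {
    dir=$1; host=$2; ip=${3:-}
    san="DNS:$host"
    if [ -n "$ip" ]; then san="$san,IP:$ip"; fi
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=$san" > "$dir/server.ext"
    ( umask 077; openssl genrsa -out "$dir/myMM.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/myMM.key" -subj "/CN=$host" \
        -out "$dir/myMM.csr" 2>/dev/null
    # 825 days is the longest lifetime iOS accepts for a privately trusted cert
    openssl x509 -req -in "$dir/myMM.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/myMM.crt" 2>/dev/null
}

# verify_chain CA CERT : 0 if CERT chains to CA (what a client will do).
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_has_san CERT NEEDLE : 0 if NEEDLE (e.g. DNS:host) is in the SAN text.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }

# key_is_unencrypted KEY : 0 if the PEM has no encryption marker.
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

main() {
    out=${MM_TLS_DIR:-$(mktemp -d)}
    make_ca "$out"
    make_server_cert "$out" mattermost.home.lan 192.168.1.10
    verify_chain "$out/rootCA.crt" "$out/myMM.crt" && echo "chain verifies"
    echo "install $out/rootCA.crt on every client device"
    echo "TLSCertFile=$out/myMM.crt  TLSKeyFile=$out/myMM.key  SiteURL=https://mattermost.home.lan"
}
main "$@"
```

The matching config.json values for this layout are "ConnectionSecurity": "TLS", "UseLetsEncrypt": false, "ListenAddress": ":443", "SiteURL": "https://mattermost.home.lan" and the two file paths; the name in SiteURL has to be one of the SAN entries or clients will reject the handshake even with the CA installed. Keep rootCA.key off the server entirely once the leaf cert is issued; only rootCA.crt needs to be distributed.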

I installed the OpenSSL cert and now I get this error:

{"timestamp":"2023-03-24 08:01:43.708 Z","level":"info","msg":"Starting Server…","caller":"app/server.go:880"}
{"timestamp":"2023-03-24 08:01:43.709 Z","level":"info","msg":"Server is listening on [::]:443","caller":"app/server.go:952","address":"[::]:443"}
{"timestamp":"2023-03-24 08:01:43.710 Z","level":"fatal","msg":"Error starting server","caller":"app/server.go:1064","error":"tls: failed to parse private key"}

Thank you

Your private key is in the wrong format or the Mattermost application server is unable to read it. Please make sure that the user which the Mattermost application is running as (should be user mattermost by default) has read access to the private key. Let's assume your Mattermost server is running as user mattermost because you followed the official installation instructions, and the private key file you created when following the OpenSSL tutorial now belongs to a different user (maybe root or your local user); then you will see something like this in the console:

# openssl genrsa -out domain.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................+++++
..........................................................................+++++
e is 65537 (0x010001)

# ls -lh domain.key
-rw------- 1 root root 1.7K Mar 25 05:30 domain.key

As you can see, I generated a private key without a password (forgot to mention that you also need to do that, sorry; Mattermost does NOT support passwords on private keys, so please use the key generation command without the -des3 parameter) and this file is now owned by root, and only root is able to read and write to it. In order for the Mattermost application account to be able to read this file, you need to change the owner to it:

# chown mattermost: domain.key
# ls -lh domain.key
-rw------- 1 mattermost mattermost 1.7K Mar 25 05:30 domain.key

Now the mattermost user is also able to read it. Do the same with the .crt file later on and then try again please.

1 Like
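The two failure modes the reply above names (a passphrase-protected key, and a key the service account cannot read) as an added example, not commands from the thread: a small diagnostic that reproduces the -des3 mistake, recognises the encrypted-PEM markers that make Go's TLS loader fail with "tls: failed to parse private key", strips the passphrase with openssl, confirms the resulting key still belongs to the certificate, and reports whether the file mode keeps the key private to its owner. The file names and the passphrase "secret" are assumptions. Because Mattermost can only load an unencrypted key, the file's owner and 0600 mode are the only thing protecting it at rest, which is why the permission check is part of the verdict.

```shell
#!/bin/sh
# Added example (not from the thread): why a key is rejected with
# "tls: failed to parse private key", and how to fix it.
# File names and the passphrase are assumptions.
set -eu

# key_is_encrypted FILE : 0 if the PEM carries an encryption marker.
# OpenSSL 1.x -des3 writes "Proc-Type: 4,ENCRYPTED" on a traditional key;
# OpenSSL 3.x writes a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block. Go's
# tls.X509KeyPair accepts neither, so either marker means Mattermost fails.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# strip_passphrase IN OUT PASS : rewrite the key without a passphrase,
# creating OUT as 0600 so nobody but the owner can read the plain key.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# key_matches_cert KEY CERT : 0 if the public key derived from KEY equals
# the one in CERT. An empty -passin makes an encrypted key fail fast
# instead of prompting.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_perms_ok FILE : 0 if group/others have no read bit (ls -l cols 5-10).
key_perms_ok() {
    case $(ls -ld "$1" | cut -c5-10) in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# key_owner FILE : account that must match the one Mattermost runs as
# (chown mattermost: FILE if it does not).
key_owner() { ls -ld "$1" | awk '{print $3}'; }

# diagnose KEY CERT : one line per check; returns 0 only if all pass.
diagnose() {
    rc=0
    if key_is_encrypted "$1"; then
        echo "FAIL $1 is passphrase-protected; Mattermost will refuse it"; rc=1
    else
        echo "ok   $1 is an unencrypted PEM key"
    fi
    if key_matches_cert "$1" "$2"; then
        echo "ok   $1 matches $2"
    else
        echo "FAIL $1 does not match $2 (or could not be read)"; rc=1
    fi
    if key_perms_ok "$1"; then
        echo "ok   $1 readable only by owner $(key_owner "$1")"
    else
        echo "WARN $1 is readable by group/others; chmod 600 it"
    fi
    return $rc
}

main() {
    t=$(mktemp -d)
    # Reproduce the thread's mistake: -des3 yields a passphrase-protected key.
    openssl genrsa -des3 -passout pass:secret -out "$t/enc.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$t/enc.key" -passin pass:secret \
        -subj "/CN=mattermost.home.lan" -days 30 -out "$t/myMM.crt" 2>/dev/null
    diagnose "$t/enc.key" "$t/myMM.crt" || echo "--> stripping the passphrase"
    strip_passphrase "$t/enc.key" "$t/plain.key" secret
    diagnose "$t/plain.key" "$t/myMM.crt"
    echo "point TLSKeyFile at $t/plain.key and chown it to the mattermost user"
}
main "$@"
```

The same checks apply to a key produced by any tutorial: run diagnose on the exact files named in TLSKeyFile and TLSCertFile before restarting the server, and remember that the container sees the files as whatever UID the Mattermost process runs under, not as the account you used on the NAS.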

It works!… Permissions were OK, but I used -des3 encryption, so that was the cause…

Thanks a lot @agriesser

Awesome - good to hear, and thanks for confirming the solution :)

You gave me very good support, so thanks again!

And one more question.
I've set up our firewall now, and on the iOS app it works only if I use http://:8065, but if I use https://:433
the app says it couldn't connect to the server… Is it because I use a self-signed cert?

Thank you

You will have to import the CA certificate you created manually on your phone, and then the applications should trust the self-signed certificate:

You should probably also be able to send it to yourself via mail and then follow these instructions:
https://kb.mit.edu/confluence/display/mitcontrib/Installing+Root+and+Personal+Certificates+on+iOS

I did import the cert (following some other instructions) but it still doesn't work (rootCA.crt and myMM.crt). I'll try this one.

Thank you

Had to dig a little bit more into "how to create a self-signed certificate", and with your help and the help of this video I managed to make it all work.

Now it works over SSL from LAN, WAN, browser and apps.

Thank you again for the support.

Thanks for sharing the video and glad to hear you’re up and running now!