[solved] Android app not connecting

Mattermost was all set up and working but I had to move it to a new server which meant I could no longer use the default SSL port, which meant I could no longer use LetsEncrypt, so I bought a new SSL certificate.

It works using the browser and the Windows app, but the Android app says Cannot connect to the server. Please check your server URL and internet connection.

Doing a systemctl status mattermost.service gives me

http: TLS handshake error from remote error: tls: unknown certific

I looked through similar issues in this forum and saw that the problem might be intermediate CAs - the certificate came with a ca-bundle file but I wasn’t sure what to do with it.

The SSL provider (Sectigo) doesn’t provide any specific instructions for Mattermost.

Based on the conversations in the forums I tried renaming the bundle to .crt, copying it to /usr/local/share/ca-certificates and running sudo update-ca-certificates but it didn’t help.

Hi @ghosttie, here are some troubleshooting steps that might help: https://docs.mattermost.com/mobile/mobile-troubleshoot.html#i-keep-getting-a-message-cannot-connect-to-the-server-please-check-your-server-url-and-internet-connection.

Yeah I did all that, and it says that if none of that works to open a topic in the forums, so here we are :slight_smile:

Hi @ghosttie,

Wondering if this earlier thread might help: [solved] Mobile App(Android) TLS handshake error.

These docs might also help:

Hi @ghosttie, a response from a community member: Hard to say without more details (e.g. the app’s log output), but maybe something like this: https://stackoverflow.com/a/11340510.

Thanks, the solution was to combine the server’s certificate with the intermediate certificate bundle from the provider.

It was confusing for a while because if you put the server’s certificate at the end of the intermediate certificate file then openssl says it’s valid but mattermost says the private key doesn’t match, but if you put the server’s certificate at the beginning of the intermediate certificate file then openssl says it isn’t valid but mattermost works.

1 Like

hi @ghosttie ,
can you share with a bit more detail on what you did?

I am facing this issue with some of my devices. My samsung Galaxy Note 8 running Android 9 connects but on my colleague’s Galaxy note 5 running Android 7 doesn’t connect. App requires minimum android 7. The last it connected on v1.21.0, v1.21.1 doesn’t connect.

Web browser from the phone connects but not the app.

I’m just checking if this can the be problem before starting another thread on connection issue.

@yanuk it might not be the same problem because in your case it is working for some devices.

First of all to check if it’s the same problem, if you do systemctl status mattermost.service and see tls: unknown certific then it’s probably the same problem - apparently browsers automatically look up intermediate CAs (which is why it works in browsers) but other TLS clients may not, so you need to provide all of the certificates.

Here’s what I did to fix it:

From my SSL provider I received a .crt file which was the certificate for my server and a .ca-bundle file which had the certificates for the intermediate CAs in it.

If you look in those files you’ll see that they’re just text files so you can manipulate them with a text editor. Assuming you have a file with the intermediate CAs in it, you can see that it’s just a series of certificates one after another.

All I did was open the .crt file in a text editor and copy its contents, then open the bundle file in the text editor and paste the certificate at the top of the file. So the bundle file is still a series of certificates one after another, but with your server’s certificate as the first one.

If you don’t have an intermediate CA file from your provider you’ll need to figure out what intermediate CAs your certificate needs, get those certificates and put them in a file yourself (in the right order). Your SSL provider should provide this information to you, but some are more user friendly than others.

got it. It didn’t solve my issue so I guess it’s a different issue.
Thank you for the input! I hope it will help others. I shall start a new thread.

@alanrogger007 this doesn’t sound the same as my problem

@ghosttie thank you, it did the trick, now it’s working for me as well…THANK YOU VERY for your post

1 Like

This is the key right here; the chain certificate has to be in the correct order. In my case, the server’s certificate came at the end of the file we got from InCommon. Once I finally found this post and changed the order, the key error went away, and it started working from the Android app!

This should really be documented somewhere.

THANK YOU!!! I spent hours trying to get this working this morning. I had tried concatenating the files but I had my certificate under the ca-bundle.

Some search terms to maybe help folks find this in the future.
certificate chain
mattermost untrusted certificate
android app
android mattermost untrusted certificate