Mattermost was all set up and working but I had to move it to a new server which meant I could no longer use the default SSL port, which meant I could no longer use LetsEncrypt, so I bought a new SSL certificate.
It works using the browser and the Windows app, but the Android app says “Cannot connect to the server. Please check your server URL and internet connection.”
Doing a systemctl status mattermost.service gives me
Thanks, the solution was to combine the server’s certificate with the intermediate certificate bundle from the provider.
It was confusing for a while because if you put the server’s certificate at the end of the intermediate certificate file then openssl says it’s valid but mattermost says the private key doesn’t match, but if you put the server’s certificate at the beginning of the intermediate certificate file then openssl says it isn’t valid but mattermost works.
Hi @ghosttie,
Can you share a bit more detail on what you did?
I am facing this issue with some of my devices. My Samsung Galaxy Note 8 running Android 9 connects, but my colleague’s Galaxy Note 5 running Android 7 doesn’t connect. The app requires a minimum of Android 7. The last version it connected on was v1.21.0; v1.21.1 doesn’t connect.
Web browser from the phone connects but not the app.
I’m just checking if this can be the problem before starting another thread on the connection issue.
@yanuk it might not be the same problem because in your case it is working for some devices.
First of all to check if it’s the same problem, if you do systemctl status mattermost.service and see tls: unknown certific then it’s probably the same problem - apparently browsers automatically look up intermediate CAs (which is why it works in browsers) but other TLS clients may not, so you need to provide all of the certificates.
Here’s what I did to fix it:
From my SSL provider I received a .crt file which was the certificate for my server and a .ca-bundle file which had the certificates for the intermediate CAs in it.
If you look in those files you’ll see that they’re just text files so you can manipulate them with a text editor. Assuming you have a file with the intermediate CAs in it, you can see that it’s just a series of certificates one after another.
All I did was open the .crt file in a text editor and copy its contents, then open the bundle file in the text editor and paste the certificate at the top of the file. So the bundle file is still a series of certificates one after another, but with your server’s certificate as the first one.
If you don’t have an intermediate CA file from your provider you’ll need to figure out what intermediate CAs your certificate needs, get those certificates and put them in a file yourself (in the right order). Your SSL provider should provide this information to you, but some are more user friendly than others.
This is the key right here; the chain certificate has to be in the correct order. In my case, the server’s certificate came at the end of the file we got from InCommon. Once I finally found this post and changed the order, the key error went away, and it started working from the Android app!