I have this same issue, but wanted to document how I solved this issue since this is one of the top Google search results regarding the x509: certificate signed by unknown authority issue.
I read through all the other links / issues mentioned here and did run across a couple others.
But ultimately, I would recommend reading the following blog post that describes why SSL certs are different on different systems and why this causes so much headache:
In my specific use case, we run a RHEL / CentOS 6 server.
I had already added my internal CA root certificate to the /etc/pki/ca-trust/source/anchors/ directory and then ran update-ca-trust as root. This updates certificates in the /etc/pki/ca-trust/extracted directory.
After updating this and forcing the GitLab CA certificate to point to this extracted certificate, I still could not get Mattermost to connect properly:
[root@server /]# ls -la /opt/gitlab/embedded/ssl/certs/
total 8
drwxr-xr-x. 2 root root 4096 Jul 21 13:19 .
drwxr-xr-x. 4 root root 4096 Jul 21 12:47 ..
lrwxrwxrwx. 1 root root 55 Jul 21 13:02 cacert.pem -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
It wasn’t until I read the HappyAssassin blog post that I saw there was another certs directory that was not being updated. /etc/ssl/certs is a symlink to /etc/pki/tls/certs, and the certificates in there did not have my internal root CA certificate.
It seems that to enforce these other certificates you need to run the following:
update-ca-trust enabled, which enables this to override all certificates to use the extracted ones
update-ca-trust extract, which will extract your custom CA source certificates into the combined/extracted certificate path.
It wasn’t until I updated these and then did one more gitlab reconfigure that Mattermost would finally recognize the certificates from GitLab.
I’m not sure if this is something that is encoded into Mattermost or possibly one of its dependencies, but this was pretty difficult to track down especially since every system does SSL certificates differently and applications/software all look for these in different ways.
Hopefully this helps someone else or at least provides them with background on the SSL issues since that blog post really helped me figure out the core issue here.
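An added example, not part of the original post: the error string quoted at the top is the text of Go's `x509.UnknownAuthorityError`, and this sketch shows the same root certificate verifying against one bundle file and failing with that error against a bundle that was never regenerated. The function names, file names and both CAs are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// newConstructedCA builds a throwaway self-signed root (constructed sample data).
func newConstructedCA(cn string) (*x509.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyAgainstBundle returns nil if cert chains to a root in the PEM bundle at path.
func verifyAgainstBundle(path string, cert *x509.Certificate) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(data) // only "CERTIFICATE" PEM blocks are loaded
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	ca, caPEM := newConstructedCA("Constructed Internal Root CA")
	_, otherPEM := newConstructedCA("Constructed Unrelated CA")
	dir, _ := os.MkdirTemp("", "bundles")
	defer os.RemoveAll(dir)
	os.WriteFile(dir+"/updated.crt", append(otherPEM, caPEM...), 0o600)
	os.WriteFile(dir+"/stale.crt", otherPEM, 0o600)
	fmt.Println("updated bundle:", verifyAgainstBundle(dir+"/updated.crt", ca))
	fmt.Println("stale bundle:  ", verifyAgainstBundle(dir+"/stale.crt", ca))
}
```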