[Solved] Mobile App(Android) TLS handshake error

I’ve got Mattermost server version 5.9 with SSL configured (my own certificate, issued by RapidSSL).
The Windows application works fine, and the iOS application also works fine. But the Android application cannot connect to the server; on the server side, in the log messages, I see:

{"level":"info","ts":1554454773.874336,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:29159: remote error: tls: unknown certificate","source":"httpserver"}
{"level":"info","ts":1554454774.1127157,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:39251: remote error: tls: unknown certificate","source":"httpserver"}
{"level":"info","ts":1554454774.7795985,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:57096: remote error: tls: unknown certificate","source":"httpserver"}
{"level":"info","ts":1554454775.319641,"caller":"http/server.go:1763","msg":"http: TLS handshake error from 176.59.64.125:4419: remote error: tls: unknown certificate","source":"httpserver"}

Although through the browser the chat works (on Android). This problem affects all Android devices (I’ve tried at least 5).

Here is server configuration:

"ServiceSettings": {
    "SiteURL": "https://chat.mydomain.com",
    "WebsocketURL": "",
    "LicenseFileLocation": "",
    "ListenAddress": "XXX.XXX.XXX.XXX:443",
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "/opt/mattermost/cert/public.crt",
    "TLSKeyFile": "/opt/mattermost/cert/private.key",
    "TLSMinVer": "1.2",
    "TLSStrictTransport": false,
    "TLSStrictTransportMaxAge": 63072000,
    "TLSOverwriteCiphers": [],
    "UseLetsEncrypt": false,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": true,

The server works directly without proxy.

Hi @AndreyChe,

Have you had a chance to take a look at this troubleshooting doc: https://docs.mattermost.com/mobile/mobile-troubleshoot.html#i-keep-getting-a-message-cannot-connect-to-the-server-please-check-your-server-url-and-internet-connection?

Thank you, now it works. I had to put full chain in certificate file.

May I know what the solution was?

Hi, @vijaymadan7851

I believe that the solution was based on @AndreyChe’s response earlier:

You need to include the entire chain (including root, intermediate, and end user) in the certificate file while you set up TLS on your instance.

How did you put the full chain in?

I’ve got a wildcard certificate for my domain, so I put the crt and key in, like on other Apache etc. servers. Everything works perfectly for the Windows app and web clients, but my mobile app gets an error:

{"level":"info","ts":1585167084.414385,"caller":"http/server.go:1763","msg":"http: TLS handshake error from xxx.xxx.xxx.xxx:12345: tls: first record does not look like a TLS handshake","source":"httpserver"}

Hello, @czarek

Is your wildcard certificate self-signed? If yes, it might be related to this issue. You might want to consider Let’s Encrypt as an alternative.

Also, can you please perform the certificate check in SSL Labs and share the result here?

No, it’s issued by ESET SSL CA :slight_smile: so it is a globally trusted certificate.

SSL Labs doesn’t support random ports, which I am using :slight_smile:

As I mentioned before, the web client works fine, without any prompt about an incorrect cert or potential danger, as happens when you use a self-signed one.

Also, I didn’t write that without SSL the Android app was working perfectly.

The funniest thing is that one of my test employees successfully connected via the Android app to the server without any SSL issue.

For me, on both phones, the same error.

May I get some solution about merging the root cert with the intermediate and end-user?

SSL reported:

Additional Certificates (if supplied)
Certificates provided 3 (3599 bytes)
Chain issues Incomplete

OK, so I got a PFX with all I need, but how do I extract the full chain cert for Mattermost?

For PFX file:

openssl pkcs12 -in cert.pfx -out cert.crt -nodes

The funniest thing is that everywhere PEM is the full chain cert, but the pem generated with the same command didn’t work.

Problem solved

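The advice above (include the intermediates in the certificate file) and the PFX question are two sides of one check: does the file the server loads carry every certificate between the leaf and a root the client already trusts? Desktop browsers often paper over a missing intermediate by fetching it from the issuer, while Android's TLS stack only uses what the server sends, which is why a "working" web client is not evidence the chain is complete. The following script is an added example, not code from this thread or from Mattermost: it builds a throwaway root, intermediate and leaf with openssl (all names such as "Example Root" and chat.example.test are constructed), then runs the same completeness check against a leaf-only file and a leaf-plus-intermediate file.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain with openssl, then show that a certificate file holding only the leaf fails the
# check a strict client applies, while leaf followed by intermediate passes.
# All names (Example Root, chat.example.test, file names) are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config: one CA extension set and one leaf extension set.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:chat.example.test
EOF

# Self-signed root: stands in for the CA root that lives in the device trust store.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Example Root" -days 2 2>/dev/null

# Intermediate CA, signed by the root. This is the certificate that gets left out.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_ca -out inter.pem -days 2 2>/dev/null

# Server (leaf) certificate, signed by the intermediate.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=chat.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_leaf -out leaf.pem -days 2 2>/dev/null

# The two candidate TLSCertFile contents: leaf alone, and leaf followed by the intermediate.
# Order matters: the server certificate must be the first block in the file.
cp leaf.pem leaf-only.pem
cat leaf.pem inter.pem > fullchain.pem

# cert_count FILE: number of PEM certificate blocks in FILE.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# chain_complete FILE: succeed only if FILE carries every certificate needed to link
# its first certificate (the leaf) to the trusted root. A client that does not fetch
# missing intermediates itself can only use what the server sends, so the extra
# certificates in FILE are the only "untrusted" material allowed in the check.
chain_complete() {
  openssl x509 -in "$1" -out "$1.leaf" 2>/dev/null &&
  openssl verify -CAfile root.pem -untrusted "$1" "$1.leaf" >/dev/null 2>&1
}

for f in leaf-only.pem fullchain.pem; do
  if chain_complete "$f"; then
    echo "$f ($(cert_count "$f") certs): chain complete"
  else
    echo "$f ($(cert_count "$f") certs): chain incomplete"
  fi
done
```

Against a real file, drop `-CAfile root.pem` so that `openssl verify -untrusted fullchain.pem leaf.pem` judges the chain against the system trust store, which is what the phone effectively does. To see what a running server actually sends, `openssl s_client -connect chat.example.test:443 -servername chat.example.test -showcerts </dev/null` lists the presented chain; a single entry there means the intermediate is missing. When the chain is being pulled out of a PFX as in the post above, adding `-nokeys` to the `openssl pkcs12` command keeps the private key out of the certificate file, and `-nocerts` produces the separate key file.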

I had the same error. I am running Mattermost 5.31 on Ubuntu with an Apache SSL proxy (cert issued by GoDaddy). Connections were working via Chrome on Windows and the Windows app; however, I got an “untrusted certificate” error on the Android app. I added:

SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt

to my Apache conf and it worked without issue.


Where? Where? Where did you put in the Full Chain Certificate? I see people saying this but no one says where they added it. I can only add the crt and key in the console->environment->web server

Are you adding it via a config file?

Since the comments haven’t really said HOW to fix this, I figured I’d share the way I got it working; it only took me about 3 months to figure it out.

With this, I have the Windows 10 Mattermost app working properly, I have the web [and mobile] browsers working properly, and I have the Android app working properly. I don’t have an iPhone to test its app; however, I would assume that since Apache is providing the SSL verification correctly, it should work as well.

I’m running MM behind a regular linux apache service (mod_proxy). I have the following in place:

  • Apache 2.4 with mod_ssl listening on port 443
  • Wildcard SSL certificate (I have the key and crt issued by a CA, not self-signed)
  • MM on port 8065

I have essentially set:
config.json (or MM configuration):

  "ListenAddress":":8065",
  "ConnectionSecurity":"TLS",
  "TLSCertFile":"CRT file issued by my CA",
  "TLSKeyFile":"My key file for my CSR and CRT",
  "TLSMinVer":"1.2",
  "Forward80To443":false,
  "WebsocketSecurityPort":8065,
 ......

I don’t believe I changed anything else within it.

I have my key, issued CRT, and CA-Bundle in /etc/pki/tls/.

I have my apache config setup as /etc/httpd/conf.d/mattermost.conf

<VirtualHost *:443>
	ServerName mychatserver.com
	SSLEngine on
	
	SSLCertificateFile /etc/pki/tls/........crt
	SSLCertificateKeyFile /etc/pki/tls/........key
	SSLCertificateChainFile /etc/pki/tls/........ca-bundle
	
	ProxyRequests Off
	ProxyPreserveHost On
	SSLProxyEngine On
	RequestHeader Set Front-End-Https "On"
	
	ProxyPass / https://127.0.0.1:8065/
	ProxyPassReverse / https://127.0.0.1:8065/
	ProxyPassReverseCookieDomain 127.0.0.1 mychatserver.com
	
	# Set web sockets
	RewriteEngine On
	RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC]
	RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
	RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
	RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

	<Location />
		Require all granted
		ProxyPass https://127.0.0.1:8065/
		ProxyPassReverse https://127.0.0.1:8065/
		ProxyPassReverseCookieDomain 127.0.0.1 mychatserver.com
	</Location>
</VirtualHost>

Now the tag may not be needed, but I hadn’t removed it to test it… if it ain’t broke, don’t fix it.

I hope this helps someone else out down the road!
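The configuration above relies on SSLCertificateChainFile, which Apache has treated as obsolete since 2.4.8, when SSLCertificateFile was extended to read intermediate certificates from the same file as the server certificate. The fragment below is an added example, not the poster's configuration: it shows the equivalent single-file form, with mychatserver.com and the /etc/pki/tls paths kept as placeholders and fullchain.crt assumed to be the server certificate followed by the CA bundle.

```apache
<VirtualHost *:443>
    ServerName mychatserver.com
    SSLEngine on

    # fullchain.crt is the server certificate followed by the intermediates
    # (built with: cat server.crt ca-bundle.crt > fullchain.crt).
    # Apache 2.4.8+ sends every certificate in this file, so no
    # SSLCertificateChainFile line is needed.
    SSLCertificateFile    /etc/pki/tls/fullchain.crt
    SSLCertificateKeyFile /etc/pki/tls/server.key

    # Proxy and websocket directives unchanged from the configuration above.
</VirtualHost>
```

Whichever form is used, the certificate file and the bundle must be readable by the Apache process and `apachectl configtest` should pass before a reload; the Android client is only the first to notice when the intermediate is absent, it is not the cause.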