[Solved] Mobile App(Android) TLS handshake error

Since the comments haven’t really said HOW to fix this, I figured I’d share the way I got it working. It only took me about 3 months to figure it out.

With this, I have the Windows 10 Mattermost app working properly, I have the web [and mobile] browsers working properly, and I have the Android app working properly. I don’t have an iPhone to test its app, however I would assume since Apache is providing the SSL verification correctly, it should work as well.

I’m running MM behind a regular Linux Apache service (mod_proxy). I have the following in place:

  • Apache 2.4 with mod_ssl listening on port 443
  • Wildcard SSL certificate (I have the key and crt issued by a CA, not self-signed)
  • MM on port 8065

I have essentially set:
config.json (or MM configuration):

  "ListenAddress":":8065",
  "ConnectionSecurity":"TLS",
  "TLSCertFile":"CRT file issued by my CA",
  "TLSKeyFile":"My key file for my CSR and CRT",
  "TLSMinVer":"1.2",
  "Forward80To443":false,
  "WebsocketSecurityPort":8065,
 ......

I don’t believe I changed anything else within it.

I have my key, issued CRT, and CA-Bundle in /etc/pki/tls/.

I have my Apache config set up as /etc/httpd/conf.d/mattermost.conf:

<VirtualHost *:443>
	ServerName mychatserver.com
	SSLEngine on
	
	SSLCertificateFile /etc/pki/tls/........crt
	SSLCertificateKeyFile /etc/pki/tls/........key
	SSLCertificateChainFile /etc/pki/tls/........ca-bundle
	
	ProxyRequests Off
	ProxyPreserveHost On
	SSLProxyEngine On
	RequestHeader Set Front-End-Https "On"
	
	ProxyPass / https://127.0.0.1:8065/
	ProxyPassReverse / https://127.0.0.1:8065/
	ProxyPassReverseCookieDomain 127.0.0.1 mychatserver.com
	
	# Set web sockets
	RewriteEngine On
	RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC]
	RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
	RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
	RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

	<Location />
		Require all granted
		ProxyPass https://127.0.0.1:8065/
		ProxyPassReverse https://127.0.0.1:8065/
		ProxyPassReverseCookieDomain 127.0.0.1 mychatserver.com
	</Location>
</VirtualHost>

Now the tag may not be needed, but I hadn’t removed it to test it… if it ain’t broke, don’t fix it.

I hope this helps someone else out down the road!
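
The SSLCertificateChainFile line in the config above is what makes Apache send the CA bundle along with the server certificate. The following is an added example, not part of the original post, showing why that matters to a client that trusts only the root CA and does not fetch missing intermediates; the certificates and CA names are constructed in memory, and the helper names `issue` and `verifyAsClient` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err1 := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !isCA { // leaf: a server certificate for hostname cn
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if parent == nil {
		parent, signer = t, key
	}
	der, err2 := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, err3 := x509.ParseCertificate(der)
	if err1 != nil || err2 != nil || err3 != nil {
		panic("could not build constructed certificate")
	}
	return cert, key
}

// verifyAsClient validates what the server sent (leaf first) using only root as trust anchor.
func verifyAsClient(host string, sent []*x509.Certificate, root *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent[1:] {
		inter.AddCert(c) // intermediates are usable only if the server sent them
	}
	_, err := sent[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

func main() {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	mid, midKey := issue("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := issue("mychatserver.com", false, mid, midKey)
	fmt.Println("leaf only:    ", verifyAsClient("mychatserver.com", []*x509.Certificate{leaf}, root))
	fmt.Println("leaf + bundle:", verifyAsClient("mychatserver.com", []*x509.Certificate{leaf, mid}, root))
}
```

Against a live server, the certificates actually sent can be listed with `openssl s_client -connect mychatserver.com:443 -showcerts` and compared with the CA bundle.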