[Solved] TLS Handshake Error - TLS unknown certificate

I know this is stupid old, however it seems to be happening to me as well on even MM 9.1.1

I have the latest MM server installed in an EC2 instance. I have the Windows 10 APP and the Browser version of my server working/connecting just fine, no issues over port 443 using the FQDN.

I have installed the both MatterMost app’s on my android phone, and when I try to connect to it, the app says:
“Invalid SSL certificate”
“The certificate for this server is invalid. You might be connecting to a server that is pretending to be xxxxxxxxxxxx which could put your confidential information at risk.”

In the mattermost.log file, I see:
{“timestamp”:“2023-11-07 11:27:35.590 -05:00”,“level”:“error”,“msg”:“http: TLS handshake error from xxx.xxx.xxx.xxx:38324: remote error: tls: unknown certificate”,“caller”:“log/log.go:194”,“source”:“httpserver”}

My server is setup through 443, not through a proxy, and not through LetsEncrypt, I’m using a legitimate wildcard SSL certificate which supports this FQDN.

Any assistance would be greatly appreciated!

Is this a lost cause? It seems no one has any idea how to resolve this 443 TLS error. I don’t want to get another SSL certificate and/or move it to an insecure port, but I might have to just to test it…???

Hi Dean,

I’m here to help you, no question is too old! You’ve provided a detailed report and it’s highly valuable, thank you.

Given the error message “Invalid SSL certificate” on your Android phone and “remote error: tls: unknown certificate” in your Mattermost logs, the issue is likely related to the SSL certificate chain on your server.

Even though you’re using a valid wildcard SSL certificate, it’s possible that your server might not be configured correctly to serve the full certificate chain. The full certificate chain includes your certificate, any intermediate certificates, and the root certificate. Browsers and the Windows app can automatically fetch missing intermediate certificates most of the time (which is why you see no errors there), but mobile apps often face challenges with this.

One way to confirm this is by using an SSL Checker tool. Insert your FQDN into the tool and see if it reports any issues about the certificate chain or provides any advice on how to remediate it.

If the SSL Checker confirms that your server isn’t sending the full certificate chain, you would need to consult your certificate provider’s support to learn how to configure your server correctly.

Please give this a try, and don’t hesitate to ask if you need further clarification or encounter any challenges.

Best Regards,
~Mattermost AI Assistant :robot:

[Disclaimer: This was an AI assisted response powered by Mattermost AI. Were any of the above suggestions inaccurate? Let us know by replying to this comment!]

The problem is the instructions don’t say anything about where to put the chain certificate? I understand with apache I can set a ChainCA, however the MM config file only has a key-pair value for TLSCertFile and TLSKeyFile.

Is there more that I’m missing to set the chain file?

What OS are you using? If you put the certificates in the system trust chain, it should work.

It’s running on RHEL 9 in an EC2 instance. I figured with apache I could set it, however MM doesn’t use apache so there’s nothing for me to set for it.

Like I said it works perfectly fine on PC with the Windows app, as well as through the browser, but has this connection error via Android app.

It sounds like the Android OS doesn’t know how to trust the certificate. Can you open the URL in a browser on the phone and see the details of the cert? You may need to create a cert bundle that contains not only the site cert but the whole trust chain… whichever cert signed it, the cert that signed that one, etc.

I can open the MM chat on the android browser just fine.

Regarding the cert bundle, when I specify it within the MM config file, it only looks for the crt, not a cert bundle… can I specify a specific CA chain cert or bundle in the TLSCertFile field?

I believe TLSCertFile is only for the certificate.

I’ll ask around and see if anyone else can help us find the answer here!

One of our engineers suggested testing with https://www.ssllabs.com/ssltest/

Ok I have run it, but I don’t know what I’m looking for in terms of this issue…?
It says the servers certificate chain is incomplete (which sounds like it might be my issue), however there’s nothing in the MM config file that tells me where to provide the chain cert, it only asks for TLSCertFile and TLSKeyFile, nothing else.

Still not sure what I’m missing :frowning:

Any idea from the DEVs on this one? It seems like we should be able to provide the CAChain cert in the configuration somewhere like we do with apache… but there’s nothing about it anywhere.

Should I try to open another ticket for this? This still isn’t resolved at all.

Hey Dean. Sorry, this isn’t a “ticket”… if you have a paid Mattermost license you can open one at https://support.mattermost.com/hc/en-us/requests/new This Forum is for community best-effort support.

I am far from a PKI expert, and am pretty rusty! I know you can use the openssl command to test the validity of certificates. I think you may need to have the authority that signed your certificate (and it’s parents, if any) in your OS trust anchor. Maybe whomever issued the cert can help?

I would also suggest trying the Let’s Encrypt instructions to make sure you can get TLS working correctly with something other than the cert you have. I just ran into someone else who had their cert in a format that required them to add a blank line at the top, and once they did that it started working.

Thanks John for the response.

I realized that my SSL certificate wasn’t the problem, but that MM wasn’t providing a method for delivering the CA bundle cert that was issued with my certificate.

So I decided to try something a little different. I am now hosting the MM server behind an apache proxy (which I can provide my cert, my key, and my ca-bundle cert). Now the browsers and mobile apps are working properly!

I have posted a detailed explanation of what I did within this support page (that I found thanks to you!!!).
[solved] Mobile App(Android) TLS handshake error - Troubleshooting - Mattermost Discussion Forums

@uncdubdiver I am an idiot! We have doc around setting up an nginx proxy and I should have thought of that. Glad you came up with a solution!

No no, I am. I was trying basically trying to fix the same thing over and over and expecting a different response.
…what’s the definition of insanity again…?

Thanks again for your help on this one, it’s much appreciated!