TLS Handshake Error - TLS unknown certificate

I know this is stupid old, however it seems to be happening to me as well on even MM 9.1.1

I have the latest MM server installed in an EC2 instance. I have the Windows 10 APP and the Browser version of my server working/connecting just fine, no issues over port 443 using the FQDN.

I have installed both MatterMost apps on my android phone, and when I try to connect to it, the app says:
“Invalid SSL certificate”
“The certificate for this server is invalid. You might be connecting to a server that is pretending to be xxxxxxxxxxxx which could put your confidential information at risk.”

In the mattermost.log file, I see:
{"timestamp":"2023-11-07 11:27:35.590 -05:00","level":"error","msg":"http: TLS handshake error from xxx.xxx.xxx.xxx:38324: remote error: tls: unknown certificate","caller":"log/log.go:194","source":"httpserver"}

My server is set up through 443, not through a proxy, and not through LetsEncrypt, I’m using a legitimate wildcard SSL certificate which supports this FQDN.

Any assistance would be greatly appreciated!

Is this a lost cause? It seems no one has any idea how to resolve this 443 TLS error. I don’t want to get another SSL certificate and/or move it to an insecure port, but I might have to just to test it…???

Hi Dean,

I’m here to help you, no question is too old! You’ve provided a detailed report and it’s highly valuable, thank you.

Given the error message “Invalid SSL certificate” on your Android phone and “remote error: tls: unknown certificate” in your Mattermost logs, the issue is likely related to the SSL certificate chain on your server.

Even though you’re using a valid wildcard SSL certificate, it’s possible that your server might not be configured correctly to serve the full certificate chain. The full certificate chain includes your certificate, any intermediate certificates, and the root certificate. Browsers and the Windows app can automatically fetch missing intermediate certificates most of the time (which is why you see no errors there), but mobile apps often face challenges with this.

One way to confirm this is by using an SSL Checker tool. Insert your FQDN into the tool and see if it reports any issues about the certificate chain or provides any advice on how to remediate it.

If the SSL Checker confirms that your server isn’t sending the full certificate chain, you would need to consult your certificate provider’s support to learn how to configure your server correctly.

Please give this a try, and don’t hesitate to ask if you need further clarification or encounter any challenges.

Best Regards,
~Mattermost AI Assistant :robot:

[Disclaimer: This was an AI assisted response powered by Mattermost AI. Were any of the above suggestions inaccurate? Let us know by replying to this comment!]

The problem is the instructions don’t say anything about where to put the chain certificate. I understand with apache I can set a ChainCA, however the MM config file only has a key-pair value for TLSCertFile and TLSKeyFile.

Is there more that I’m missing to set the chain file?

What OS are you using? If you put the certificates in the system trust chain, it should work.

It’s running on RHEL 9 in an EC2 instance. I figured with apache I could set it, however MM doesn’t use apache so there’s nothing for me to set for it.

Like I said, it works perfectly fine on PC with the Windows app, as well as through the browser, but has this connection error via Android app.

It sounds like the Android OS doesn’t know how to trust the certificate. Can you open the URL in a browser on the phone and see the details of the cert? You may need to create a cert bundle that contains not only the site cert but the whole trust chain… whichever cert signed it, the cert that signed that one, etc.

I can open the MM chat on the android browser just fine.

Regarding the cert bundle, when I specify it within the MM config file, it only looks for the crt, not a cert bundle… can I specify a specific CA chain cert or bundle in the TLSCertFile field?

I believe TLSCertFile is only for the certificate.

I’ll ask around and see if anyone else can help us find the answer here!

One of our engineers suggested testing with https://www.ssllabs.com/ssltest/

Ok I have run it, but I don’t know what I’m looking for in terms of this issue…?
It says the server’s certificate chain is incomplete (which sounds like it might be my issue), however there’s nothing in the MM config file that tells me where to provide the chain cert, it only asks for TLSCertFile and TLSKeyFile, nothing else.

Still not sure what I’m missing :frowning:
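The following is an added example, not code from this thread or from Mattermost. It is written in Go because Mattermost is a Go server and the log line above comes from Go's net/http. In Go's standard library, tls.LoadX509KeyPair / tls.X509KeyPair read every CERTIFICATE block in the certificate file, leaf first, and the server presents all of them in the handshake; that is a property of the standard library, and it is an assumption here that Mattermost's TLSCertFile is loaded through that path (so the usual fix for an "incomplete chain" finding on a Go server is to concatenate the leaf and the intermediate(s) into the one file named by TLSCertFile). The hostname chat.example.test and the root/intermediate/leaf hierarchy are constructed in memory. The program runs the same handshake twice: once with a leaf-only file and once with a leaf+intermediate bundle, against a client that trusts only the root and will not fetch missing intermediates, which is the strict behaviour the Android app showed. With the leaf alone the client fails and the server sees a "remote error: tls: ..." alert, the same shape as the log line in the thread (Go's client sends "bad certificate" where the phone sent "unknown certificate"); with the bundle both sides succeed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "chat.example.test" // hypothetical hostname for the constructed leaf

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a CA or server-leaf certificate template with a one-day validity.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if !ca {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent/parentKey; with a nil parent it self-signs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func encodeCert(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// PKI is a constructed root -> intermediate -> leaf hierarchy, PEM-encoded as the
// files would sit on disk. Root stands in for the client's trust store: a real
// root CA is already on the phone, but its intermediate usually is not.
type PKI struct {
	Root                                 *x509.Certificate
	LeafPEM, IntermediatePEM, LeafKeyPEM []byte
}

func NewPKI() *PKI {
	root, rootKey := issue(template("Constructed Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Constructed Intermediate CA", 2, true), root, rootKey)
	leaf, leafKey := issue(template(serverName, 3, false), inter, interKey)
	keyDER := must(x509.MarshalECPrivateKey(leafKey))
	return &PKI{Root: root, LeafPEM: encodeCert(leaf), IntermediatePEM: encodeCert(inter),
		LeafKeyPEM: pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})}
}

// Probe loads certPEM/keyPEM the way Go's TLS stack loads a cert file and key file
// (every CERTIFICATE block is served, leaf first), then runs one handshake over
// loopback TCP against a client that trusts only root and fetches nothing. It
// returns how many certificates were served and each side's handshake error.
func Probe(certPEM, keyPEM []byte, root *x509.Certificate) (served int, clientErr, serverErr error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return 0, err, nil
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err, nil
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		// A client that rejects the chain sends an alert, which the server reports
		// as "remote error: tls: ..." exactly like the line in mattermost.log.
		done <- srv.Handshake()
	}()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		ln.Close()
		return 0, err, <-done
	}
	clientErr = tls.Client(conn, &tls.Config{RootCAs: roots, ServerName: serverName}).Handshake()
	conn.Close()
	return len(cert.Certificate), clientErr, <-done
}

func main() {
	p := NewPKI()
	bundle := append(append([]byte{}, p.LeafPEM...), p.IntermediatePEM...) // leaf first, then its issuer
	for _, file := range [][]byte{p.LeafPEM, bundle} {
		fmt.Println(Probe(file, p.LeafKeyPEM, p.Root)) // served count, client error, server error
	}
}
```

Run it with `go run`; the first line shows one certificate served and errors on both sides, the second shows two served and no errors. The order inside the bundle matters: the server's own certificate must come first, followed by each issuer up the chain, and the root itself can be left out since the client already holds it. This is the same condition an external scanner reports as an incomplete chain, so after changing the file a rescan is the check that the fix took.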