Untrusted Certificate - Docker

I already have a certificate installed. I am using the Docker image. Web version runs great. I tried adding my bundle (chain) certificate and get no errors on startup. When I try to connect with the app, I get an untrusted certificate error. This is the entry I have in my .env file:

GITLAB_PKI_CHAIN_PATH=./volumes/web/cert/pki_chain.pem
CERT_PATH=./volumes/web/cert/cert.pem
KEY_PATH=./volumes/web/cert/key-no-password.pem

and in my docker-compose.yml file:

- ${GITLAB_PKI_CHAIN_PATH}:/mattermost/docker/volumes/web/cert/pki_chain.pem:ro

Can anyone think of anything I am missing?

Hi Mark,

The untrusted certificate could also be caused by a non-matching SiteURL. Since you said the web version is working and I’m assuming you’re accessing the Mattermost server via web and the app on the same system, the certificate store of the client system can also be ruled out, so please check your Mattermost server’s config.json for the SiteURL parameter and make sure it matches the correct path to your setup (including the protocol and the domain name that’s covered by your certificate). The new desktop app versions query the SiteURL parameter and try to connect there instead of what you entered during the server setup in the app.
After changing the SiteURL, a restart of the Mattermost server might be necessary.

I added my SiteURL (which wasn’t there at all) under service settings, but I noticed a couple of other things. I am using port 4443. Do I need to update the ListenAddress or add the port to the SiteURL? What about TLSCertFile and TLSKeyFile? Should I set those to my cert and key file? When I tested with the settings as-is and the SiteURL set as below, the web version (browser version) worked fine with the certificate we purchased, but the mobile app still says untrusted certificate.

    "ServiceSettings": {
        "SiteURL": "https://services.et3.dev",
        "WebsocketURL": "",
        "LicenseFileLocation": "",
        "ListenAddress": ":8065",
        "ConnectionSecurity": "",
        "TLSCertFile": "",
        "TLSKeyFile": "",
        "TLSMinVer": "1.2",
        "TLSStrictTransport": false,
        "TLSStrictTransportMaxAge": 63072000,
        "TLSOverwriteCiphers": [],
        "UseLetsEncrypt": false,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": false,

If you’re using the port 4443, you will also need to add it to the SiteURL. I assume you’re using a reverse proxy (maybe nginx) in front of your Mattermost installation, right? In this case, you do not have to change the ListenAddress or the TLS* configuration options, since most likely nginx will listen on 4443 and “forward” the requests to Mattermost, which is running on port 8065 then.

May I ask why you have your Roundcube running on port 443 and Mattermost on 4443 instead of using two subdomains like webmail.et3.dev and chat.et3.dev, both on port 443?
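The consistency check the reply above walks through by hand (SiteURL scheme, host and non-standard port versus the exposed TLS endpoint, and leaving ListenAddress and TLS* alone behind a proxy), as an added example that is not part of the thread or of Mattermost itself. The helper names and the SAN list are assumptions; the ServiceSettings values come from the posted config.

```python
# Added example: check a Mattermost ServiceSettings block against the external
# HTTPS endpoint the desktop/mobile apps connect to. The apps follow SiteURL, so a
# SiteURL whose scheme, host or port differs from the TLS endpoint yields a
# certificate error even when the browser works. SAN list below is constructed.
from urllib.parse import urlsplit


def hostname_matches(hostname, san_names):
    """Exact match or single-label wildcard (*.example.com) against SAN entries."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def check_site_url(settings, external_host, external_port, san_names,
                   behind_reverse_proxy=True):
    """Return problems that make the app distrust or miss the TLS endpoint;
    an empty list means SiteURL, exposed port and certificate agree."""
    problems = []
    site_url = settings.get("SiteURL", "")
    if not site_url:
        return ["SiteURL is empty; set it to the full https://host[:port] clients use"]
    url = urlsplit(site_url)
    if url.scheme != "https":
        problems.append(f"SiteURL scheme is {url.scheme!r}, expected https")
    url_port = url.port or (443 if url.scheme == "https" else 80)
    if url_port != external_port:  # port 4443 in the thread was missing here
        problems.append(f"SiteURL port {url_port} differs from exposed port "
                        f"{external_port}; add :{external_port} to SiteURL")
    if (url.hostname or "") != external_host.lower():
        problems.append(f"SiteURL host {url.hostname!r} differs from {external_host!r}")
    if not hostname_matches(url.hostname or "", san_names):
        problems.append(f"certificate SANs {san_names} do not cover {url.hostname!r}")
    # A proxy that terminates TLS talks plain HTTP to Mattermost on :8065, so
    # ConnectionSecurity and the TLS* files stay at their defaults (empty).
    if behind_reverse_proxy and settings.get("ConnectionSecurity"):
        problems.append("ConnectionSecurity set although the proxy terminates TLS")
    return problems


# Relevant keys from the ServiceSettings fragment posted in the thread.
POSTED = {"SiteURL": "https://services.et3.dev", "ListenAddress": ":8065",
          "ConnectionSecurity": "", "TLSCertFile": "", "TLSKeyFile": ""}

if __name__ == "__main__":
    for p in check_site_url(POSTED, "services.et3.dev", 4443, ["services.et3.dev"]):
        print("problem:", p)
```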