Untrusted Certificate - Docker

I already have a certificate installed. I am using the Docker image. Web version runs great. I tried adding my bundle (chain) certificate and get no errors on startup. When I try to connect with the app, I get an untrusted certificate error. This is the entry I have in my .env file:

GITLAB_PKI_CHAIN_PATH=./volumes/web/cert/pki_chain.pem
CERT_PATH=./volumes/web/cert/cert.pem
KEY_PATH=./volumes/web/cert/key-no-password.pem

and in my docker-compose.yml file:

- ${GITLAB_PKI_CHAIN_PATH}:/mattermost/docker/volumes/web/cert/pki_chain.pem:ro

Can anyone think of anything I am missing?

Hi Mark,

the untrusted certificate could also be caused by a non-matching SiteURL. Since you said the web version is working and I’m assuming you’re accessing the Mattermost server via web and the app on the same system, the certificate store of the client system can also be ruled out, so please check your Mattermost server’s config.json for the SiteURL parameter and make sure it matches the correct path to your setup (including the protocol and the domain name that’s covered by your certificate). The new desktop app versions query the SiteURL parameter and try to connect there instead of what you entered during the server setup in the app.
After changing the SiteURL a restart of the Mattermost server might be necessary.

I added my SiteURL (which wasn’t there at all) under service settings, but I noticed a couple of other things. I am using port 4443. Do I need to update the ListenAddress or add the port to the SiteURL? What about TLSCertFile and TLSKeyFile? Should I set those to my cert and key file? When I tested with the settings as is and the SiteURL set as below, the web version (browser version) worked fine with the certificate we purchased, but the mobile app still says untrusted certificate.

"ServiceSettings": {
        "SiteURL": "https://services.et3.dev",
        "WebsocketURL": "",
        "LicenseFileLocation": "",
        "ListenAddress": ":8065",
        "ConnectionSecurity": "",
        "TLSCertFile": "",
        "TLSKeyFile": "",
        "TLSMinVer": "1.2",
        "TLSStrictTransport": false,
        "TLSStrictTransportMaxAge": 63072000,
        "TLSOverwriteCiphers": [],
        "UseLetsEncrypt": false,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": false,

If you’re using the port 4443, you will also need to add it to the SiteURL. I assume you’re using a reverse proxy (maybe nginx) in front of your Mattermost installation, right? In this case, you do not have to change the ListenAddress or the TLS* configuration options, since most likely nginx will listen on 4443 and “forward” the requests to Mattermost, which is running on port 8065.

May I ask why you have your roundcube running on port 443 and mattermost on 4443 instead of using two subdomains like webmail.et3.dev and chat.et3.dev, both on port 443?

I actually tested that line with port 4443 in it. I also tested with just 443 and I get the same error. Neither worked. Just to put this in some context, I tested with ONLY Mattermost running and listening on 443 and I still get a certificate error. When I test the chain certificate by itself, it comes up as valid. When I add it to my Mattermost config, it’s like nothing can see it. This is my config:

.env:
GITLAB_PKI_CHAIN_PATH=./volumes/web/cert/et3_fullchain.pem
CERT_PATH=./volumes/web/cert/cert.pem
KEY_PATH=./volumes/web/cert/et3.key

docker-compose.nginx.yml:
volumes:
- ${NGINX_CONFIG_PATH}:/etc/nginx/conf.d:ro
- ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem
- ${CERT_PATH}:/cert.pem:ro
- ${KEY_PATH}:/key.pem:ro
- shared-webroot:/usr/share/nginx/html
environment:
# timezone inside container
- TZ
ports:
- 443:443
- 8080:80

docker-compose.yml
volumes:
- ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
- ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
- ${MATTERMOST_LOGS_PATH}:/mattermost/logs:rw
- ${MATTERMOST_PLUGINS_PATH}:/mattermost/plugins:rw
- ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw
- ${MATTERMOST_BLEVE_INDEXES_PATH}:/mattermost/bleve-indexes:rw
- ${GITLAB_PKI_CHAIN_PATH}:/etc/ssl/et3_ssl/et3_fullchain.pem:ro

When I test it with an SSL checker via the web:
Server IP address : xxx.xxx.xxx.xxx
Server Type : nginx/1.23.1
Issuer : Sectigo RSA Domain Validation Secure Server CA
Expiring In : 302 Days
Chain Certificate Status: No Intermediate/Chain certificate were found.

it’s almost as if Nginx is not even picking it up from the config. Any ideas? Do I need to add it to Nginx directly or something? I am lost on this one.

Thanks
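Added example, not code from this thread or from Mattermost: a small POSIX shell script that checks whether a PEM file is leaf-only or a real bundle (a leaf-only file served by the proxy is what an SSL checker reports as no intermediate found) and, when given a host, lists the chain a live endpoint actually presents. The file paths, the hostname argument and the sample certificate files are constructed assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from Mattermost.
# Checks whether a PEM file is a leaf-only certificate or a full bundle, and
# (when run with a host argument) which chain a TLS endpoint actually serves.
# Paths and hostnames below are assumptions; replace them with your own.

# Count certificates in a PEM file. Prints 0 for a missing or empty file.
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify a PEM file: "none", "leaf-only" (1 cert) or "bundle" (>= 2 certs).
# A reverse proxy whose ssl_certificate points at a leaf-only file is exactly
# what an SSL checker reports as "No Intermediate/Chain certificate were found".
classify_pem() {
    n=$(count_pem_certs "$1")
    if [ "$n" -eq 0 ]; then echo none
    elif [ "$n" -eq 1 ]; then echo leaf-only
    else echo bundle; fi
}

# Show the chain a live endpoint presents (needs openssl; not run offline).
# Prints the number of certificates sent, then subject/issuer of each one.
served_chain() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -showcerts < /dev/null 2>/dev/null)
    echo "certificates served: $(printf '%s\n' "$out" | grep -c '^-----BEGIN CERTIFICATE-----')"
    printf '%s\n' "$out" | grep -E '^ *[0-9]+ s:|^ +i:' || true
}

# Constructed demonstration data (not real certificates): a leaf-only file
# and a "bundle" made of three PEM blocks, written to a temporary directory.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' \
    '-----END CERTIFICATE-----' > "$demo/cert.pem"
{ cat "$demo/cert.pem"; cat "$demo/cert.pem"; cat "$demo/cert.pem"; } > "$demo/fullchain.pem"
echo "cert.pem:      $(classify_pem "$demo/cert.pem")"       # leaf-only
echo "fullchain.pem: $(classify_pem "$demo/fullchain.pem")"  # bundle
# Usage with a real endpoint: sh check_chain.sh services.et3.dev 443
if [ $# -ge 1 ]; then served_chain "$1" "${2:-443}"; fi
```

If the file nginx mounts as /cert.pem classifies as leaf-only while the fullchain file classifies as bundle, the proxy is serving the wrong file; mounting the fullchain as /cert.pem is the corresponding fix to verify with served_chain afterwards.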

What exactly is the certificate error you’re seeing complaining about? When you click on the details for such messages, it will tell you why it’s failing (hostname mismatch, certificate expired, etc.).
I do still think that the problem is a redirect happening by the desktop app, but I’m not sure how to further debug that here without seeing your config.
Are you forwarding the MM_SERVICESETTINGS_SITEURL environment variable to your container and if so, is it set to exactly the same URL you used when you tested it with an external SSL checker?

Hi Mark,

just wanted to check back in to see if this is still an issue for you or if you managed to solve it already. Thanks!