Wildcard certificates not valid for GitLab token requests?


GitLab user here. I was just setting up the (now included) Mattermost service and seem to have run into a snag. This is an internal server and we have our own CA that signed the wildcard certificate (*.ourdomain.com) that is used for applications like this. Our CA is a valid root CA on the machine (CentOS 6 latest).

All seems to be fine until Mattermost does the token request, where I get the following logged:

2015-09-24_19:37:41.17151 [09/24/15 13:37:41] [EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=y7sb7mek93gitesqhf4qftqikh uid= ip= Token request to gitlab failed [details: Get https://gitlab.ourdomain.com.com/api/v3/user: x509: certificate is valid for *.com.com, com.com, not gitlab.ourdomain.com.com]

The duplicate .com.com stuff is in the actual log entry, which is also odd (but maybe just a log error?). The actual certificate should be valid for *.ourdomain.com on the system, so I'm guessing there is some logic in Mattermost that doesn't respect wildcards, or something else?

Any guesses would be appreciated…



The line is logged at https://github.com/mattermost/platform/blob/master/api/user.go#L1488. The detailed error message of “x509: certificate is valid for *.com.com, com.com, not gitlab.ourdomain.com.com” is what we get from golang. See https://golang.org/src/crypto/x509/verify.go line 89, which would suggest the cert is improperly configured.