self-signed ssl certificate with slack/mattermost integration
Description
I'm having trouble getting the Slack integration to work with a Mattermost install that is behind a self-signed SSL cert.
After setting up the Slack/Mattermost configuration, I save and then click "Test Settings". At this point I get a 500 error.
The logs show:
Started GET "/namespace/project/services/slack/test" for 10.110.11.76 at 2016-11-16 15:37:48 -0500
Processing by Projects::ServicesController#test as HTML
Parameters: {"namespace_id"=>"namespace", "project_id"=>"project", "id"=>"slack"}
Started POST "/ci/api/v1/builds/register.json" for 10.110.36.158 at 2016-11-16 15:37:48 -0500
Completed 500 Internal Server Error in 669ms (ActiveRecord: 2.9ms)
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed):
app/models/project_services/slack_service.rb:79:in `execute'
app/models/service.rb:115:in `test'
app/controllers/projects/services_controller.rb:33:in `test'
lib/gitlab/request_profiler/middleware.rb:15:in `call'
lib/gitlab/middleware/go.rb:16:in `call'
Which states there is an issue with the certificate verification.
What I've Tried
Adding the self-signed cert to the operating system
I added the self-signed cert to the system's trusted certificate list.
Testing with curl shows that it installed OK for the system:
hhellbusch at gitlab-host in /etc/gitlab/trusted-certs (02:31 PM)
$ curl -vvvv -o /dev/null -L mattermost.awesomeCompany.com
* About to connect() to proxy proxy.awesomeCompany.com port 8080 (#0)
* Trying 137.201.129.1... connected
* Connected to proxy.awesomeCompany.com (137.201.129.1) port 8080 (#0)
> GET http://mattermost.awesomeCompany.com/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: mattermost.awesomeCompany.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 16 Nov 2016 19:31:47 GMT
< Server: nginx/1.10.1
< Location: https://mattermost.awesomeCompany.com/
< Content-Type: text/html
< Content-Length: 185
< Proxy-Connection: Keep-Alive
<
* Ignoring the response-body
{ [data not shown]
* Connection #0 to host proxy.awesomeCompany.com left intact
* Issue another request to this URL: 'https://mattermost.awesomeCompany.com/'
* About to connect() to proxy proxy.awesomeCompany.com port 8080 (#1)
* Trying 137.201.129.1... connected
* Connected to proxy.awesomeCompany.com (137.201.129.1) port 8080 (#1)
* Establish HTTP proxy tunnel to mattermost.awesomeCompany.com:443
> CONNECT mattermost.awesomeCompany.com:443 HTTP/1.1
> Host: mattermost.awesomeCompany.com:443
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: E=dudeThatMadeTheCert@awesomeCompany.com,CN=mattermostmostnode01.awesomeCompany.com,OU=I&O,O="awesomeCompany, Inc.",L=city,ST=state,C=US
* start date: Aug 23 17:04:00 2016 GMT
* expire date: Aug 23 17:04:00 2018 GMT
* common name: mattermostmostnode01.awesomeCompany.com
* issuer: CN=awesomeCompany Issuing CA,DC=na,DC=awesomeCompany,DC=com
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: mattermost.awesomeCompany.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.1
< Date: Wed, 16 Nov 2016 19:31:47 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 2161
< Connection: keep-alive
< Accept-Ranges: bytes
< Cache-Control: no-cache, max-age=31556926, public
< Content-Security-Policy: frame-ancestors 'self'
< Last-Modified: Wed, 14 Sep 2016 13:10:35 GMT
< X-Cluster-Id:
< X-Frame-Options: SAMEORIGIN
< X-Ratelimit-Limit: 10
< X-Ratelimit-Remaining: 9
< X-Ratelimit-Reset: 1
< X-Request-Id: xkqfm54du7biim1gbe788gayac
< X-Version-Id: 3.4.0.3.4.0.a7515e79177a87258014be83efac7124
<
{ [data not shown]
* Connection #1 to host proxy.awesomeCompany.com left intact
* Closing connection #0
* Closing connection #1
Adding the self-signed cert to /etc/gitlab/trusted-certs/ and running gitlab-ctl reconfigure
I found the docs at
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8-13-stable/doc/common_installation_problems/README.md#install-custom-certificate-authorities
and followed the instructions. The issue still persists, though.
I checked /opt/gitlab/embedded/ssl/certs/
and it looks like it created the symlink OK?
hhellbusch at gitlab-host in /etc/gitlab/trusted-certs (02:23 PM)
$ ll /opt/gitlab/embedded/ssl/certs/
total 264
-rw-r--r-- 1 root root 263536 Nov 8 18:29 cacert.pem
lrwxrwxrwx 1 root root 44 Nov 16 14:22 e62859c4.0 -> /etc/gitlab/trusted-certs/my-self-signed-cert.crt
-rw-r--r-- 1 root root 147 Jun 30 11:32 README
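Two details in the report are worth separating when debugging this. The curl run above verified against the OS bundle (`CAfile: /etc/pki/tls/certs/ca-bundle.crt`), whereas the Rails process uses the embedded OpenSSL and its own CApath under /opt/gitlab/embedded/ssl/certs, so a passing curl says nothing about what Ruby trusts. And the server certificate shown by curl is not literally self-signed: its issuer is `CN=awesomeCompany Issuing CA`, so what OpenSSL needs in its trust store is that issuing CA's certificate (plus any intermediate), which is the cert the `<hash>.0` link in a CApath directory must point at, since lookup is by the hash of the issuer's subject name. The Ruby script below is an added example, not code from the reporter or from GitLab: it builds a throwaway issuing CA and server cert in memory (the names `Example Issuing CA`, `mattermostnode01.example.test` and `mattermost.example.test` are constructed), then runs loopback TLS handshakes with Ruby's OpenSSL binding to show the exact `certificate verify failed` message when the issuer is not trusted, success once it is, and the distinct `does not match` error a hostname problem would produce instead. It also prints the CApath file name OpenSSL expects for the CA.

```ruby
require 'openssl'
require 'socket'

# Constructed two-tier PKI, built in memory for the demonstration: an internal
# issuing CA and a server certificate it signed. Stand-ins, not the reporter's
# real certificates.
def make_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true)) if ca
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Example Issuing CA', CA_KEY, 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=mattermostnode01.example.test', LEAF_KEY, 2,
                      issuer: CA_CERT, issuer_key: CA_KEY,
                      san: 'mattermost.example.test')

# File name OpenSSL looks for in a CApath directory (such as
# /opt/gitlab/embedded/ssl/certs): subject-name hash plus ".0". Verification
# searches by the hash of the *issuer* of the cert being checked, so the file
# must contain the CA certificate, not the server's own certificate.
def capath_link_name(cert)
  format('%08x.0', cert.subject.hash)
end

# One TLS handshake over loopback. The client trusts only the certs in
# +trusted+ and then checks the server name against +hostname+.
# Returns :ok, or the OpenSSL error message (the same text GitLab logged).
def try_handshake(trusted:, hostname:)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = LEAF_CERT
  server_ctx.key  = LEAF_KEY

  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client_ctx.cert_store  = store

  listener = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    conn = listener.accept
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(conn, server_ctx)
      ssl.accept
      ssl.close
    rescue StandardError
      # a rejected chain surfaces as an alert here; the client reports it
    ensure
      conn.close
    end
  end

  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', listener.addr[1]), client_ctx)
  ssl.sync_close = true
  ssl.hostname = hostname                # SNI, as an HTTP client would send
  begin
    ssl.connect                          # chain validation happens here
    ssl.post_connection_check(hostname)  # then the name check against SAN/CN
    :ok
  rescue OpenSSL::SSL::SSLError => e
    e.message
  ensure
    begin; ssl.close; rescue StandardError; end
    server.join
    listener.close
  end
end

if $PROGRAM_NAME == __FILE__
  puts "no CA trusted:  #{try_handshake(trusted: [], hostname: 'mattermost.example.test')}"
  puts "issuer trusted: #{try_handshake(trusted: [CA_CERT], hostname: 'mattermost.example.test')}"
  puts "name mismatch:  #{try_handshake(trusted: [CA_CERT], hostname: 'mattermostnode01.example.test')}"
  puts "CApath file name for the CA: #{capath_link_name(CA_CERT)}"
end
```

To turn this into a check against a real install, run it with GitLab's embedded Ruby (/opt/gitlab/embedded/bin/ruby) and replace the in-memory store with `store.set_default_paths` or `store.add_path('/opt/gitlab/embedded/ssl/certs')`, pointing the client at the Mattermost host; the message returned tells you whether the remaining problem is trust of the issuer or the server name.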