Mattermost SSO doesn't pick up custom CA certs from /etc/gitlab/trusted-certs during OAuth token POST
Docker image: 10.3.2-ce.0
I have successfully set up HTTPS using custom certificates on my GitLab UI, GitLab Docker and GitLab Mattermost URLs. All these URLs are working fine with my custom CA certificate using the following folders:
# ls -la /etc/gitlab/trusted-certs
total 4
drwxr-xr-x. 3 root root 100 Dec 29 16:32 .
drwxrwsr-x. 6 root 2004 4096 Dec 29 15:09 ..
drwxr-xr-x. 2 root root 60 Dec 29 16:32 ..129812_29_12_17_32_05.675294905
lrwxrwxrwx. 1 root root 33 Dec 29 16:32 ..data -> ..129812_29_12_17_32_05.675294905
lrwxrwxrwx. 1 root root 29 Dec 29 16:06 DigicertBundle.crt -> ..data/DigicertBundle.crt
# ls -la /etc/gitlab/ssl
total 4
drwxrwxrwt. 3 root root 200 Dec 29 16:06 .
drwxrwsr-x. 6 root 2004 4096 Dec 29 15:09 ..
drwxr-xr-x. 2 root root 160 Dec 29 16:06 ..129812_29_12_17_06_40.771912950
lrwxrwxrwx. 1 root root 33 Dec 29 16:06 ..data -> ..129812_29_12_17_06_40.771912950
lrwxrwxrwx. 1 root root 53 Dec 29 16:06 docker-gitlab.mydomain.com.crt -> ..data/docker-gitlab.mydomain.com.crt
lrwxrwxrwx. 1 root root 53 Dec 29 16:06 docker-gitlab.mydomain.com.key -> ..data/docker-gitlab.mydomain.com.key
lrwxrwxrwx. 1 root root 46 Dec 29 16:06 gitlab.mydomain.com.crt -> ..data/gitlab.mydomain.com.crt
lrwxrwxrwx. 1 root root 46 Dec 29 16:06 gitlab.mydomain.com.key -> ..data/gitlab.mydomain.com.key
lrwxrwxrwx. 1 root root 50 Dec 29 16:06 mattermost.mydomain.com.crt -> ..data/mattermost.mydomain.com.crt
lrwxrwxrwx. 1 root root 50 Dec 29 16:06 mattermost.mydomain.com.key -> ..data/mattermost.mydomain.com.key
# tail -n 5 /var/log/gitlab/mattermost/current
2017-12-29_16:15:08.27549 segment 2017/12/29 16:15:08 error sending request: Post https://api.segment.io/v1/batch: dial tcp 54.68.145.115:443: i/o timeout
2017-12-29_16:26:18.42395 [2017/12/29 16:26:18 UTC] [EROR] AuthorizeOAuthUser: Token request failed, Post https://gitlab.mydomain.com/oauth/token: x509: certificate signed by unknown authority
2017-12-29_16:26:58.35365 [2017/12/29 16:26:58 UTC] [EROR] AuthorizeOAuthUser: Token request failed, Post https://gitlab.mydomain.com/oauth/token: x509: certificate signed by unknown authority
2017-12-29_16:27:55.60548 [2017/12/29 16:27:55 UTC] [EROR] AuthorizeOAuthUser: Token request failed, Post https://gitlab.mydomain.com/oauth/token: x509: certificate signed by unknown authority
2017-12-29_16:31:43.77154 [2017/12/29 16:31:43 UTC] [EROR] AuthorizeOAuthUser: Token request failed, Post https://gitlab.mydomain.com/oauth/token: x509: certificate signed by unknown authority
As one can see in the above traces, the Mattermost process is not picking up this valid CA certificate chain during its OAuth SSO cycle when POSTing the token. I am pretty sure the CA bundle is correct, otherwise the other working HTTPS endpoints would not work either.
PS: I have manually created a symlink within /etc/ssl/certs, as suggested by several reported issues on this matter, followed by a gitlab-ctl reconfigure, but this does not work either.
Edited by Bart Van Bos
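The log line "x509: certificate signed by unknown authority" is the error Go's crypto/x509 package returns when a server certificate chains to a root that is not in the client's trust pool, which is why the OAuth token POST fails even though the same CA works for browsers and nginx. The following Go program is an added example, not Mattermost's or GitLab's code: it builds a constructed private CA and a server certificate for an assumed hostname, then verifies the server certificate the way a Go HTTP client does, once against a pool that contains the CA and once against a pool that does not, and recognises the resulting x509.UnknownAuthorityError. It is useful for checking, from a test box, whether a given CA bundle file actually validates a given server certificate before blaming the application.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs template with parentKey and parses the result. Used only to
// build constructed test material; it is not how real certificates are issued.
func makeCert(template, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestChain generates a constructed private CA and a server certificate for
// host, returning both as PEM so they can stand in for a file from
// /etc/gitlab/trusted-certs and one from /etc/gitlab/ssl.
func BuildTestChain(host string) (caPEM, leafPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafCert, err := makeCert(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw})
	return caPEM, leafPEM, nil
}

// VerifyAgainstBundle performs the check a Go TLS client runs at handshake time:
// it validates leafPEM for host against the roots in trustedPEM. A nil trustedPEM
// yields an empty pool, mimicking a process that never loaded the custom CA
// (a real client would start from x509.SystemCertPool() and append the bundle).
func VerifyAgainstBundle(leafPEM, trustedPEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("no PEM certificate found in leaf input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	if trustedPEM != nil && !pool.AppendCertsFromPEM(trustedPEM) {
		return errors.New("trusted bundle contains no parsable certificates")
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the failure behind the log line
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "gitlab.mydomain.com" // assumed hostname, taken from the log lines above
	caPEM, leafPEM, err := BuildTestChain(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("with CA bundle:   ", VerifyAgainstBundle(leafPEM, caPEM, host))
	err = VerifyAgainstBundle(leafPEM, nil, host)
	fmt.Println("without CA bundle:", err, "| unknown authority:", IsUnknownAuthority(err))
}
```

To test a real deployment instead of constructed material, read the PEM files (the CA bundle and the server certificate that nginx presents) into caPEM and leafPEM; if VerifyAgainstBundle succeeds with the bundle but the application still logs the unknown-authority error, the bundle is fine and the question becomes which trust store that process actually reads.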