Trouble installing new certificates

ken_bitnami 2019-02-10 20:28:13 UTC #1

Keywords: Mattermost - AWS - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: 62272843-57d5-56a3-2026-641e29bf2469
Description:
Hi,

I have created a Mattermost Bitnami instance on AWS and gone through the steps outlined in the "Generate And Install A Let's Encrypt SSL Certificate For A Bitnami Application" article to install proper security certificates but still get the "Your connection is not secure" message in my browser when navigating to the site. Clicking on the "View Certificate" option shows that the browser is still receiving the www.example.com certificate.

I've reviewed the "Troubleshoot SSL Issues" article but couldn't resolve the problem. I've also reviewed the recent post here and the solution that worked for boukobz. Unfortunately, that doesn't seem to be the solution in my case.

A few notes:

• I'm trying to use a subdomain for the Mattermost instance, e.g., foo (dot) bar (dot) com. I have bar (dot) com registered with a domain registrar other than AWS / Route 53. I have correctly pointed foo (dot) bar (dot) com to the public IP address of the AWS instance. Navigating to foo (dot) bar (dot) com causes the browser to load the Mattermost interface - but showing the IP address in the address bar (and the Not Secure warning).
• When I go through the steps in the Generate and Install... article, requesting a certificate for bar (dot) com fails but requesting a certificate for foo (dot) bar (dot) com seems to succeed.
• All of the steps in the article also seem to succeed except for sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old which returns a "file does not exist" error.
• This is probably a case of user error. This is my first time using any Linux distro and my knowledge is limited to what I have learned over the last ~6 hours of trying to troubleshoot this issue. I apologize in advance if I've made an obvious mistake.

Thanks for any help you can provide!

michiel 2019-02-11 12:26:55 UTC #2

Did you already configure the application URL after creating the certificates?

cd /opt/bitnami/apps/APP-NAME
./bnconfig --machine_hostname NAME

Please, click on if you think my answer was helpful

ken_bitnami 2019-02-11 15:02:32 UTC #3

Hi @michiel,

Thanks for the quick reply!

No, I had not done that. I had updated the "Site URL" field in Mattermost UI > System Console > Settings > Configuration but it didn't seem to have any effect.

When I try the ./bnconfig command you mention above, I get a "Permission denied" error. I also tried ./bnconfig --help and got the same error. Am I making a basic Linux mistake?

Thanks!
Ken

michiel 2019-02-12 10:15:22 UTC #4

It's my mistake . You need to run the command with sudo:

cd /opt/bitnami/apps/APP-NAME
sudo ./bnconfig --machine_hostname NAME

Please, click on if you think my answer was helpful

ken_bitnami 2019-02-12 14:07:25 UTC #5

Thanks, @michiel! That has solved the address bar problem. The URL now remains foo (dot) bar (dot) com, as desired. Unfortunately, I'm still getting the certificate error. What should I do next to resolve that?

Cheers,
Ken

michiel 2019-02-13 10:37:59 UTC #6

Can you first try running the SSL auto configuration script. The following guide describes how to do it:

https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#use-the-bitnami-auto-configuration-script

If it fails can you tell me the exact output?

Please, click on if you think my answer was helpful

ken_bitnami 2019-02-13 12:40:13 UTC #7

Hi @michiel,

When I attempt to run that command, I get the following error message: "sudo: /opt/bitnami/letsencrypt/scripts/generate-certificate.sh: command not found". Also, it appears that the opt/bitnami folder does not contain a letsencrypt subfolder.

Thanks!
Ken

michiel 2019-02-14 10:48:54 UTC #8

Can you try following the alternative approach, which is installing the lego client? The following guide explains how:

https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

Please, click on if you think my answer was helpful

ken_bitnami 2019-02-14 22:11:20 UTC #9

I went through those steps again and the only command that threw an error was

sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old

which produced

mv: cannot stat '/opt/bitnami/nginx/conf/server.csr': No such file or directory

At the end of the process, after I restarted all the services, the browser still throws the security warning and shows that it is receiving the original www.example.com dummy certificate.

Thanks for your continued help with this!
Ken

michiel 2019-02-15 11:24:51 UTC #10

Weird, to analyze your current configuration, could you please download and execute the bnsupport tool again:

How to Run the Bitnami Support Tool

ken_bitnami 2019-02-18 01:01:30 UTC #11

Sure, here you go: d0c8afac-f317-6605-b46f-5db4f15dc475

Thanks!
Ken

michiel 2019-02-18 11:45:30 UTC #12

Can you try executing the following commands:

First change the name of the default keys:

sudo mv /opt/bitnami/apps/mattermost/conf/certs/server.crt /opt/bitnami/apps/mattermost/conf/certs/server.crt.old
sudo mv /opt/bitnami/apps/mattermost/conf/certs/server.key /opt/bitnami/apps/mattermost/conf/certs/server.key.old

Then add a symbolic link pointing to the created cert and key:

sudo ln -s  /etc/lego/certificates/yourdomain.crt /opt/bitnami/apps/mattermost/conf/certs/server.crt 
sudo ln -s  /etc/lego/certificates/yourdomain.key /opt/bitnami/apps/mattermost/conf/certs/server.key

And then you restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache

Please, click on if you think my answer was helpful

ken_bitnami 2019-02-18 14:20:05 UTC #13

The first four commands worked fine. The Mattermost stack uses Nginx rather than Apache so I attempted to restart Nginx. I received this error:

nginx: [emerg] BIO_new_file("/opt/bitnami/apps/mattermost/conf/certs/server.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/opt/bitnami/apps/mattermost/conf/certs/server.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
/opt/bitnami/nginx/scripts/ctl.sh: 77: [: Illegal number:
/opt/bitnami/nginx/scripts/ctl.sh : Nginx could not be started

michiel 2019-02-19 16:49:14 UTC #14

Ok, thanks. Could you run the BnSupport tool again and paste the code, so I can check the current configuration?

ken_bitnami 2019-02-19 17:05:49 UTC #15

Yep, here you go: 34e489f2-9824-ca15-8fd0-38bff1bd1597

Thanks!
Ken

michiel 2019-02-20 12:44:59 UTC #16

Hi @ken_bitnami,

It seems the symbolic links are pointing to the wrong files. Could you run the following commands:

sudo ln -sf  /etc/lego/certificates/yourdomain.crt 
/opt/bitnami/apps/mattermost/conf/certs/server.crt 
sudo ln -sf  /etc/lego/certificates/yourdomain.key 
/opt/bitnami/apps/mattermost/conf/certs/server.key
sudo /opt/bitnami/ctlscript.sh restart nginx

Replacing yourdomain with your own domain.

Please, click on if you think my answer was helpful

ken_bitnami 2019-02-20 14:36:49 UTC #17

Thanks, @michiel! That fixed it. I apologize for not seeing the "yourdomain" placeholder in the previous post. I was in a rush and just copied and pasted without paying attention. Everything seems to be working properly now.

Ken

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!