Custom certificate is not applied to the WebSocket Connection

[marcoesposito1988]

I confirm (by marking "x" in the [ ] below: [x]):

• [x] This is not a troubleshooting question. Troubleshooting questions go here: https://docs.mattermost.com/install/troubleshooting.html.
• [x] This doesn't reproduce on web browsers (such as in Chrome). If it does, issue reports go to the Mattermost Server repository.
• [x] I have read contributing guidelines.

---

Summary Custom certificate is not applied to the WebSocket Connection

Environment

• Operating System: Ubuntu 22.04
• Mattermost Desktop App version: 5.2.0
• Mattermost Server version: irrelevant

Steps to reproduce

• add a custom certificate to /usr/local/share/ca-certificates/...
• run update-ca-certificates
• start Mattermost and set the server address to an HTTPS URL
• accept the "untrusted certificate" in the popup

Expected behavior

• Mattermost functioning as usual

Observed behavior

• Mattermost starts and messages can be sent, but incoming messages are not shown right away
• after a while, a red banner pops up with the message "server unreachable, check your WebSocket port"
• the .config/Mattermost/certificate.json file contains the custom certificate, but only for the https://... address
• the log contains the message [warn] Ignoring certificate for unmatched origin wss://..., will not trust

Possible fixes Manually copying the https:// section for wss:// as follows seems to fix the problem:

{
  "https://...": {
    "data": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----\n",
    "issuerName": "...",
    "dontTrust": false
  },
  "wss://...": {
    "data": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----\n",
    "issuerName": "...",
    "dontTrust": false
  }
}

[devinbinnie]

Thanks for the report, created a ticket here: https://mattermost.atlassian.net/browse/MM-48407

[tboulis]

@marcoesposito1988 can you please check if the server uses the same certificate (or any certificate at all) for the wss connection?

[NickoOwen]

Hi, sorry to jump in but in case this helps get it fixed I thought I should leave a comment.

I believe I have encountered this exact same issue. Older Mattermost clients would work as they added both the https://... and the wss://... entry to the certificate.json file when a user selects to trust an unknown certificate in the popup. Newer clients however appear to only add the https://... entry to certificate.json which results in the red banner appearing due to the WebSocket connection being blocked.

The workaround suggested above to manually add the wss://... entry to certificate.json has worked every time in my testing so far. Noting that the client needs to be properly closed and reloaded for the changes to take effect.

Hope this helps.

[Petaris]

I tried the suggested work around but it didn't work for me. It seems to re-write that file every time the client starts. I'm using 5.2.2 on Linux.

[tboulis]

Thank you for your feedback. This issue is addressed in this PR: https://github.com/mattermost/desktop/pull/2526

[devinbinnie]

Closing as the above PR was merged.