@moomoo wrote:
Summary
Using apache2 vhosts for gitlab + mattermost on the same machine, letsencrypt for SSL, gitlab SSO fails with "Bad token type"
Steps to reproduce
On a clean Ubuntu 16.04, install gitlab-ce [ GitLab Community Edition 8.14.1 e45bf3d ] and letsencrypt. Have DNS for example.com, git.example.com, and chat.example.com all pointing to that same machine, and get certs for all three. Configure gitlab's nginx to run on port 8001, and mattermost by default runs the service on localhost:8065. This is the /etc/gitlab/gitlab.rb:
external_url 'https://git.example.com'
gitlab_rails['gitlab_email_from'] = 'gitlab@example.com'
nginx['enable'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/example.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/example.com/privkey.pem"
nginx['listen_port'] = 8001
mattermost_external_url 'https://chat.example.com'
mattermost['enable'] = true
mattermost['service_use_ssl'] = true
mattermost_nginx['enable'] = false
Apache2 vhosts are used to redirect https://git.example.com and https://chat.example.com to the right ports:
<VirtualHost *:443>
  ServerName git.example.com
  <Proxy *>
    Require all granted
  </Proxy>
  SSLProxyEngine on
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  ProxyRequests Off
  ProxyPass / https://127.0.0.1:8001/
  ProxyPassReverse / https://git.example.com/
  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule .* https://127.0.0.1:8001%{REQUEST_URI} [P,QSA]
  # needed for downloading attachments
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
and
<VirtualHost *:443>
  ServerName chat.example.com
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  ServerSignature Off
  ProxyPreserveHost On
  ProxyRequests Off
  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode
  DocumentRoot /var/opt/gitlab/mattermost
  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^/api/v1/websocket [NC,OR]
  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
  RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
  RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
  RequestHeader set X-Forwarded-Proto "https"
  <Location /api/v1/websocket>
    Require all granted
    ProxyPassReverse http://127.0.0.1:8065
    ProxyPassReverseCookieDomain 127.0.0.1 chat.example.com
  </Location>
  <Location />
    Require all granted
    ProxyPassReverse http://127.0.0.1:8065
    ProxyPassReverseCookieDomain 127.0.0.1 chat.example.com
  </Location>
</VirtualHost>
Expected behavior
You can log in to Mattermost using Gitlab SSO
Observed behavior
Clicking on Gitlab Single-Sign-On sends me to Gitlab [ git.example.com ] to log in, which succeeds.
I get a prompt to "Authorize GitLab Mattermost to use your account?"
I click "authorize", which sends me back to chat.example.com with the error:
"GitLab Mattermost needs your help:
Bad token type
Go back to Mattermost"
In the logfile /var/log/gitlab/mattermost/mattermost.log, I have the error
[EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=<###> uid= ip=<###> Bad token type [details: token_type=, response_body=]
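An added diagnostic helper, not part of the post and not Mattermost's or GitLab's own code: it classifies what GitLab's OAuth token endpoint returned using the acceptance rule the "Bad token type" message reflects (a JSON body with a non-empty access_token and token_type "bearer"). The posted log line, with token_type and response_body both empty, corresponds to the empty-body case; the sample replies below are constructed.

```python
import json

# Added example: classify a token-endpoint reply the way the SSO step would
# accept or reject it. A reply that is not JSON with token_type "bearer"
# (compared case-insensitively) and a non-empty access_token is a failure;
# the classification tells a proxy problem from a GitLab-side OAuth error.

def classify_token_response(status: int, content_type: str, body: str) -> str:
    """Return "ok" or a short diagnosis of why SSO would fail on this reply."""
    text = body.strip()
    if status >= 500 or (status >= 300 and not text):
        return "upstream_error: proxy or GitLab returned HTTP %d" % status
    if not text:
        # Matches the posted log line: token_type=, response_body=
        return "empty_body: token endpoint answered with no content"
    if text.startswith("<") or "text/html" in content_type.lower():
        return "html_body: an HTML page (proxy error or login page) came back instead of JSON"
    try:
        data = json.loads(text)
    except ValueError:
        return "not_json: body is neither JSON nor HTML"
    if "error" in data:
        return "oauth_error: %s" % data.get("error")
    if not data.get("access_token"):
        return "missing_access_token"
    if str(data.get("token_type", "")).lower() != "bearer":
        return "bad_token_type: token_type=%r" % data.get("token_type", "")
    return "ok"


# Constructed sample replies (status, Content-Type, body); not captured
# from the reporter's system.
SAMPLES = {
    "healthy": (200, "application/json",
                '{"access_token":"abc","token_type":"Bearer","expires_in":7200}'),
    "empty": (200, "application/json", ""),
    "apache_502": (502, "text/html",
                   "<!DOCTYPE html><title>502 Proxy Error</title>"),
    "wrong_grant": (401, "application/json",
                    '{"error":"invalid_grant","error_description":"grant is invalid"}'),
    "odd_type": (200, "application/json",
                 '{"access_token":"abc","token_type":"mac"}'),
}

def run_samples() -> dict:
    """Classify every constructed sample; keyed by sample name."""
    return {name: classify_token_response(*reply) for name, reply in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-12s %s" % (name, verdict))
```

To use it against a live deployment, feed it the status, Content-Type and body of a request made from the Mattermost host to the GitLab token endpoint through the same proxy path Mattermost uses.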