
Install the Mattermost push notification service

Now that the app can receive push notifications, we need to make sure that the Mattermost Push Notification Service is able to send the notification to the device. This guide will focus on installing and configuring the push notification service.


Install and upgrade 

To keep this guide simple, the files are located at /home/ubuntu/mattermost-push-proxy and the Push Notification Service runs as the ubuntu account. We recommend setting up and running the service under a mattermost-push-proxy user account with limited permissions.

  1. Download the Mattermost Push Notification Service (any version):

    wget https://github.com/mattermost/mattermost-push-proxy/releases/download/vX.X.X/mattermost-push-proxy.tar.gz

    In this command, vX.X.X refers to the release version you want to download. For releases earlier than v5.9, the file is named mattermost-push-proxy-X.X.X.tar.gz. See Mattermost Push Notification Service releases.

  2. If you’re upgrading a previous version of the Mattermost Push Notification Service, make sure to back up your mattermost-push-proxy.json file before continuing.

  3. Unzip the downloaded Mattermost Push Notification Service using: tar -xvzf mattermost-push-proxy.tar.gz

  4. Configure the Mattermost Push Notification service by editing the mattermost-push-proxy.json file at /home/ubuntu/mattermost-push-proxy/config. Follow the steps in the Android and iOS sections to replace the values in the config file.

  5. Create a systemd unit file to manage the Mattermost Push Notification Service with systemd and log all output of the service to /var/log/syslog by running this command as root.

    echo "[Unit]
    Description=Mattermost Push Notification Service
    [Service]
    ExecStart=/bin/sh -c '/home/ubuntu/mattermost-push-proxy/bin/mattermost-push-proxy | logger'
    WorkingDirectory=/home/ubuntu/mattermost-push-proxy
    [Install]
    WantedBy=multi-user.target" >> /etc/systemd/system/mattermost-push-proxy.service

    To route the traffic through a separate proxy server, add Environment="HTTP_PROXY=<http://server>" under the [Service] section of the file. If you have an HTTPS server, then use HTTPS_PROXY. If you set both then HTTPS_PROXY will take higher priority than HTTP_PROXY.

  6. Start the service with sudo systemctl start mattermost-push-proxy or restart with sudo systemctl restart mattermost-push-proxy. Use sudo systemctl enable mattermost-push-proxy to have systemd start the service on boot.
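The install steps above run the service as ubuntu while recommending a limited mattermost-push-proxy account. The following added example (not part of the Mattermost documentation or project) shows one way to follow that recommendation; the /opt install path and the function names render_unit and install_service are assumptions.

```shell
#!/bin/sh
# Added example (not from the Mattermost docs): run the push proxy as a dedicated
# unprivileged account. Account name follows the guide; the /opt path is an assumption.
SVC_USER="mattermost-push-proxy"
INSTALL_DIR="/opt/mattermost-push-proxy"   # assumed; ProtectHome= would hide /home/ubuntu

render_unit() {   # $1 = service account, $2 = install directory; prints the unit file
    cat <<EOF
[Unit]
Description=Mattermost Push Notification Service
After=network.target

[Service]
User=$1
Group=$1
WorkingDirectory=$2
# stdout/stderr go to the journal by default, so no shell or logger pipe is needed
ExecStart=$2/bin/mattermost-push-proxy
Restart=on-failure
# Sandboxing: no setuid escalation, read-only /usr /boot /etc, no access to /home
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
EOF
}

install_service() {   # run as root
    id "$SVC_USER" >/dev/null 2>&1 ||
        useradd --system --user-group --no-create-home --shell /usr/sbin/nologin "$SVC_USER"
    # Binaries stay root-owned; the service account can only read them
    chown -R root:"$SVC_USER" "$INSTALL_DIR"
    # config/ holds the APNs private key and the Firebase service account file
    chmod 750 "$INSTALL_DIR/config"
    find "$INSTALL_DIR/config" -type f -exec chmod 640 {} +
    render_unit "$SVC_USER" "$INSTALL_DIR" > /etc/systemd/system/mattermost-push-proxy.service
    systemctl daemon-reload
}

if [ "${1:-}" = "install" ]; then install_service; fi
```

If your configuration makes the service write files, grant the account write access to that directory only.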

Set up Mattermost push notification service to send Android push notifications 

  • Go to the Firebase Console and select the project you’ve created. Once in the dashboard, go to the project settings and select Service Accounts.

  • Click on Generate new private key and store the downloaded file.

  • Open the mattermost-push-proxy.json file in the mattermost-push-proxy/config directory and look for the “ServiceFileLocation” entry under “AndroidPushSettings”. Paste the location of the file as its value.

    "ServiceFileLocation": "/path/to/downloaded_file"

Set up Mattermost push notification service to send iOS push notifications 

  • Double click the Push Notifications Certificate which is generated and downloaded while Setting up Push Notifications for iOS to add it to your Keychain Access. It downloads by default as aps.cer.

  • Open Keychain Access, select the login keychain and My Certificates from the side menu.

  • Find the certificate you imported and then right click to export it as a .p12 file.

  • Enter a name for the filename and click Save.

  • Leave the password blank and then click OK.

  • Convert the downloaded certificate to .pem:

    $ openssl x509 -in aps.cer -inform DER -out aps_production.pem

  • Extract the private key from the certificate you exported:

    $ openssl pkcs12 -in Certificates.p12 -out aps_production_priv.pem -nodes -clcerts -passin pass: -legacy -rc2

  • Verify the certificate works with Apple:

    $ openssl s_client -connect gateway.push.apple.com:2195 -cert aps_production.pem -key aps_production_priv.pem

  • Copy the private key file aps_production_priv.pem into your mattermost-push-proxy/config directory.

  • Open the mattermost-push-proxy.json file under the mattermost-push-proxy/config directory, add the path to the private key file as the value for “ApplePushCertPrivate”, and set the value for “ApplePushTopic” to your Bundle Identifier.


In the mattermost-push-proxy project there are some scripts to ease the process involved for updating the iOS notification certificates. Please check the README.md for further details.

Configure the Mattermost Server to use the Mattermost push notification service 

  • In your Mattermost instance, enable mobile push notifications.

    • Go to System Console > Notifications > Mobile Push.

    • Under Send Push Notifications, select Manually enter Push Notification Service location.

    • Enter the location of your Mattermost Push Notification Service in the Push Notification Server field.


  • (Optional) Customize mobile push notification contents.

    • Go to System Console > Notifications > Mobile Push.

    • Select an option for Push Notification Contents to specify what type of information to include in the push notifications.

    • Most deployments choose to include the full message snippet in push notifications unless they have policies against it to protect confidential information.


  • Finally, start your Mattermost Push Notification Service, and your app should start receiving push notifications.

Test the Mattermost push notification service 

  • Verify that the server is functioning normally and test the push notification using curl:

    curl PUSH_PROXY_URL -X POST -H "Content-Type: application/json" -d '{"type": "message", "message": "test", "badge": 1, "platform": "PLATFORM", "server_id": "MATTERMOST_DIAG_ID", "device_id": "DEVICE_ID", "channel_id": "CHANNEL_ID"}'

    • Replace PUSH_PROXY_URL with the URL at which your Mattermost Push Notification Service accepts push requests.
    • Replace MATTERMOST_DIAG_ID with the value found by running the SQL query:
      SELECT * FROM Systems WHERE Name = 'DiagnosticId';
    • Replace DEVICE_ID with your device ID, which can be found using (where your_email@example.com is the email address of the user you are logged in as):
      SELECT Email, DeviceId
      FROM Sessions, Users
      WHERE Sessions.UserId = Users.Id
         AND DeviceId != ''
         AND Email = 'your_email@example.com';
    • Replace CHANNEL_ID with the Town Square channel ID, which can be found using:
      SELECT Id FROM Channels WHERE DisplayName = 'Town Square';
  • You can also verify push notifications are working by opening your Mattermost site and mentioning a user who has push notifications enabled in Settings > Notifications > Mobile Push Notifications.

To view the log file, use:

$ sudo tail -n 1000 /var/log/upstart/mattermost-push-proxy.log


High Sierra Apple Developer keys 

Follow these instructions if you run into an error like below:

2018/04/13 12:39:24 CRIT Failed to load the apple pem cert err=failed to parse PKCS1 private key for type=apple_rn
panic: Failed to load the apple pem cert err=failed to parse PKCS1 private key for type=apple_rn

  1. Follow the directions at developer.apple.com to generate an Apple Push Notification service SSL Certificate. This should give you an aps_production.cer.
  2. Convert the certificate format to .pem:
    • openssl x509 -in aps.cer -inform DER -out aps_production.pem
  3. Double click aps_production.cer to install it into the keychain tool
  4. Right click the private cert in keychain access and export to .p12
  5. Extract the private key from the certificate into an intermediate state:
    • openssl pkcs12 -in Certificates.p12 -out intermediate.pem -nodes -clcerts
  6. Generate an intermediate RSA private key:
    • openssl rsa -in intermediate.pem -out intermediate_rsa_priv.pem
  7. Remove the private key information from intermediate.pem
    • sed -i '/^-----BEGIN PRIVATE KEY-----$/,$d' intermediate.pem
  8. Combine intermediate.pem and intermediate_rsa_priv.pem to create a valid bundle
    • cat intermediate.pem intermediate_rsa_priv.pem >> aps_production_priv.pem && rm intermediate.pem intermediate_rsa_priv.pem
  9. Verify that the certificate works with Apple:
    • openssl s_client -connect gateway.push.apple.com:2195 -cert aps_production.pem -key aps_production_priv.pem
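Both the iOS setup steps and the High Sierra procedure end with aps_production.pem and an unencrypted aps_production_priv.pem. The following added example (not part of the Mattermost documentation or project) checks that the key belongs to the certificate, that the certificate is not about to expire, and that the key file is readable only by its owner; the function names are hypothetical and make_constructed_pair only creates throwaway test material.

```shell
#!/bin/sh
# Added example (not Mattermost project code): check the APNs certificate/key pair.
# Usage: sh check_apns.sh aps_production.pem aps_production_priv.pem

pubkey_fp() {   # $1 = x509|pkey, $2 = PEM file; prints SHA-256 of the public key
    case "$1" in
        x509) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        pkey) pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

check_apns_pair() {   # $1 = certificate PEM, $2 = private key PEM; returns number of problems
    cert=$1; key=$2; problems=0
    c=$(pubkey_fp x509 "$cert") || { echo "FAIL cannot read certificate $cert"; return 1; }
    k=$(pubkey_fp pkey "$key")  || { echo "FAIL cannot read private key $key"; return 1; }
    [ "$c" = "$k" ] || { echo "FAIL key does not belong to this certificate"; problems=$((problems + 1)); }
    # -checkend N fails when the certificate expires within N seconds (30 days here)
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "WARN certificate expires within 30 days"; problems=$((problems + 1)); }
    # The key is stored unencrypted (-nodes), so the file mode is its only protection
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL $key has mode $mode, expected 600"; problems=$((problems + 1)) ;;
    esac
    # Shown for manual comparison with ApplePushTopic (the bundle identifier)
    echo "INFO $(openssl x509 -in "$cert" -noout -subject)"
    return "$problems"
}

make_constructed_pair() {   # $1 = directory; writes a throwaway self-signed pair for a dry run
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=constructed.example.app" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

if [ $# -eq 2 ]; then check_apns_pair "$1" "$2"; fi
```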

For iOS / Apple Push Notifications: If the logs are reflecting DeviceTokenNotForTopic (error 400) this may be because you’re using an older / previous Device ID. Re-run the queries you need to get device IDs and test.

This could also be because you generated a certificate for the wrong bundle ID. The bundle ID used in mattermost-push-proxy.json should be the same one as the app, and should be for the same app it was generated for.

TLS: Unknown Certificate Authority error 

For iOS / Apple Push Notifications: If you see a message in the push proxy log that includes tls: unknown certificate authority for iOS devices, it’s likely Apple has invalidated your client certificate, or you’re using a client certificate without the correct certificate authority. To resolve this, follow these instructions to generate a new certificate, and then upload it to your push proxy server.

Reporting issues 

For issues with repro steps, please report to https://github.com/mattermost/mattermost/issues
