Mattermost, Inc.

Mattermost can't read certificate file due to its default root-only permissions

Summary

Mattermost can’t read my (lets encrypt) certificate file due to its default root-only permissions.

Steps to reproduce

I’ve used certbot to create a certificate on my server. Its default file/folder permissions are root:root, which seems correct enough, especially for the private key. My mattermost log file shows:

[CRIT] Error starting server, err:open /etc/letsencrypt/live/example.com/cert.pem: permission denied

  • Is one expected to change the permissions of these files?
  • Is one expected to copy these files somewhere mattermost can read them?
  • Something else?

Thanks,

Sean

Hi @seanm,

Thanks for your questions!

I’m not sure whether this doc might help?

You can also take a look at this doc

Let us know if this helps…

Thanks for your response. I read those before posting here, I’m afraid they don’t help. I haven’t actually set UseLetsEncrypt to true mind you, because it’s not at all clear what it does or how it works. It purports to be magical it seems. :slight_smile: My server already had a LE cert setup, so I worry setting that will request a new one, or revoke my old one, or who knows; it seems not to be documented.

So instead I just point TLSCertFile and TLSKeyFile to the files in /etc/letsencrypt/live/example.com/, but those files are root:root so mattermost can’t read them. For the moment I’ve just copied the files elsewhere so mattermost can access them, but I’d still like to know the kosher way of doing it…

Thanks for the feedback @seanm,

I’ll ask one of our engineers to help troubleshoot :slight_smile:

Hi @seanm!

If you choose to use the UseLetsEncrypt configuration within Mattermost, it will automatically manage those certificate files on your behalf.

If you choose to have the certificates managed by another process, you’ll need to ensure they are readable by the user/group assigned to mattermost. If you followed our install guides, they recommend creating mattermost: mattermost, and thus definitely won’t have access to something only root can read.

I can’t speak to Certbot best practices, but I’d recommend simply chown’ing these files to be readable by mattermost:mattermost.