Problem
You’re setting up Mattermost using Docker in production and want to use a Let’s Encrypt certificate. When you attempt to configure this via the System Console you get the following error:
p_1 | {"level":"error","ts":1562088526.1421692,"caller":"commands/server.go:77","msg":"listen tcp :443: bind: permission denied"}
Solution
Note: This assumes you have a valid domain name for your Mattermost server. Replace mattermost.example.com with your domain name. This has also been tested on Ubuntu 18.04, but should work for any version of Linux that supports docker and certbot.
- Shut down Mattermost
cd ~/mattermost-docker
docker-compose stop
- Verify the following values in ~/mattermost-docker/volumes/config/config.json
"SiteURL": "https://mattermost.example.com",
"ListenAddress": ":8000",
"ConnectionSecurity": "",
"UseLetsEncrypt": false,
"Forward80To443": false,
- Install certbot from Let’s Encrypt
sudo apt-get install certbot
- Run certbot to generate the certificate and key
sudo certbot certonly --standalone -d mattermost.example.com
Then follow the onscreen prompts to generate your new certificate.
- Copy your certs to the correct path:
sudo cp /etc/letsencrypt/live/mattermost.example.com/fullchain.pem /home/ubuntu/mattermost-docker/volumes/web/cert/cert.pem
sudo cp /etc/letsencrypt/live/mattermost.example.com/privkey.pem /home/ubuntu/mattermost-docker/volumes/web/cert/key-no-password.pem
- Start up docker in daemon mode so it stays running after logout
cd ~/mattermost-docker
docker-compose up -d
Your site should now be available on https://mattermost.example.com/
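As an added example (not part of the original recipe), the script below checks a certificate and key pair such as the cert.pem and key-no-password.pem copied above: that the key belongs to the certificate, that the certificate is not about to expire, and that the key is not readable by group or others. The function names and the 30-day default are assumptions, and the demo runs on a constructed self-signed pair rather than a real Let’s Encrypt certificate.

```shell
#!/bin/sh
# Added example: pre-flight check for the cert/key pair copied in the recipe.

# check_pair CERT KEY [MIN_DAYS]: prints "ok" and returns 0 when the pair is safe to serve.
check_pair() {
    cert=$1; key=$2; min_days=${3:-30}   # 30 days is an assumed threshold
    # Both commands emit the public key as PEM; a valid pair yields identical text.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "unreadable private key"; return 2; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 3; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days"; return 4; }
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
        || { echo "private key is readable by group or others"; return 5; }
    echo "ok"
}

# make_sample_pair DIR NAME DAYS: constructed self-signed pair for the demo only.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=mattermost.example.com" \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
    chmod 600 "$1/$2-key.pem"
}

# Demo on constructed data. For the recipe, call check_pair on cert.pem and
# key-no-password.pem in the volumes/web/cert directory instead.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" a 90
make_sample_pair "$demo_dir" b 90
check_pair "$demo_dir/a-cert.pem" "$demo_dir/a-key.pem"          # matching pair
check_pair "$demo_dir/a-cert.pem" "$demo_dir/b-key.pem" || true  # mismatched key
rm -rf "$demo_dir"
```

The files under /etc/letsencrypt/live are replaced when certbot renews, while the copies in the web volume are not, so the expiry check is worth repeating after each renewal and re-copy.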
Discussion
The default mattermost-docker instructions include an Nginx reverse proxy server that runs on ports 80 and 443 and forwards requests to the Mattermost server that’s listening on port 8000. However, in order for Mattermost to handle the Let’s Encrypt negotiation itself, it needs to run on 80 and 443 so it can respond to the authentication challenge.
If you have any questions or improvements to this recipe please let me know!