Mattermost, Inc.

Mattermost Recipe: Using Let's Encrypt for TLS certificates with `mattermost-docker`

Problem

You’re setting up Mattermost using Docker in production and want to use a Let’s Encrypt certificate. When you attempt to configure this via the System Console you get the following error:

p_1  | {"level":"error","ts":1562088526.1421692,"caller":"commands/server.go:77","msg":"listen tcp :443: bind: permission denied"} 

Solution

Note: This assumes you have a valid domain name for your Mattermost server. Replace mattermost.example.com with your domain name. This has been tested on Ubuntu 18.04, but should work for any version of Linux that supports Docker and certbot.

  1. Shut down Mattermost:

         cd ~/mattermost-docker
         docker-compose stop

  2. Verify the following values in ~/mattermost-docker/volumes/config/config.json:

         "SiteURL": "https://mattermost.example.com",
         "ListenAddress": ":8000",
         "ConnectionSecurity": "",
         "UseLetsEncrypt": false,
         "Forward80To443": false,

  3. Install certbot from Let’s Encrypt:

         sudo apt-get install certbot

  4. Run certbot to generate the certificate and key:

         sudo certbot certonly --standalone -d mattermost.example.com

     Then follow the onscreen prompts to generate your new certificate.

  5. Copy your certs to the correct path:

         sudo cp /etc/letsencrypt/live/mattermost.example.com/fullchain.pem /home/ubuntu/mattermost-docker/volumes/web/cert/cert.pem
         sudo cp /etc/letsencrypt/live/mattermost.example.com/privkey.pem /home/ubuntu/mattermost-docker/volumes/web/cert/key-no-password.pem

  6. Start up Docker in daemon mode so it stays running after logout:

         cd ~/mattermost-docker
         docker-compose up -d

Your site should now be available on https://mattermost.example.com/
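The files copied into volumes/web/cert are static copies: when certbot renews the certificate it updates /etc/letsencrypt/live but not those copies, so the proxy keeps serving the old certificate until they are refreshed. The script below is an added example, not part of the original recipe or of mattermost-docker, of a certbot deploy hook that re-copies the files only when they changed and keeps the private key at mode 600. The Nginx service name `web`, the `CERT_DIR`/`COMPOSE_DIR` variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the recipe): certbot deploy hook for mattermost-docker.
# Assumptions: the paths below match the recipe; the Nginx service is named "web".
CERT_DIR="${CERT_DIR:-/home/ubuntu/mattermost-docker/volumes/web/cert}"
COMPOSE_DIR="${COMPOSE_DIR:-/home/ubuntu/mattermost-docker}"

# Copy $1 to $2 with mode $3, only when the content differs.
# Returns 0 if $2 was updated, 1 if it was already current, 2 on error.
sync_pem() {
    src=$1 dst=$2 mode=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then return 1; fi
    # Stage in a temp file that already has the final mode, then rename, so
    # the key is never world-readable and Nginx never sees a partial file.
    tmp=$(mktemp "$dst.XXXXXX") || return 2
    chmod "$mode" "$tmp" && cat "$src" > "$tmp" && mv -f "$tmp" "$dst" ||
        { rm -f "$tmp"; return 2; }
}

# Install a certbot lineage directory ($1) into the proxy cert directory ($2).
# Returns 0 if either file changed, 1 if both were current, 2 on error.
deploy_cert() {
    lineage=$1 dest=$2 changed=1
    sync_pem "$lineage/fullchain.pem" "$dest/cert.pem" 644 && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then return 2; fi
    if [ "$rc" -eq 0 ]; then changed=0; fi
    sync_pem "$lineage/privkey.pem" "$dest/key-no-password.pem" 600 && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then return 2; fi
    if [ "$rc" -eq 0 ]; then changed=0; fi
    return "$changed"
}

# certbot sets RENEWED_LINEAGE for deploy hooks; do nothing when run without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$CERT_DIR" && rc=0 || rc=$?
    case $rc in
        0) cd "$COMPOSE_DIR" && docker-compose restart web ;;  # load the new cert
        1) ;;                                                   # nothing changed
        *) exit 1 ;;
    esac
fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, the script runs after each successful `certbot renew`. Because `--standalone` needs port 80, which the Nginx container holds while the stack is running, the renewal itself needs the stack stopped, just as in the first step.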

Discussion

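The default mattermost-docker instructions include an Nginx reverse proxy server that runs on ports 80 and 443 and forwards requests to the Mattermost server that’s listening on port 8000. However, in order for Mattermost to handle the Let’s Encrypt negotiation itself, it needs to run on 80 and 443 so it can respond to the authentication challenge. That is why enabling Let’s Encrypt in the System Console fails with the bind error shown above, and why this recipe instead obtains the certificate with certbot on the host and places it where the Nginx proxy reads it.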

If you have any questions or improvements to this recipe please let me know!