Mattermost, Inc.

SSL certificate for dockerized Mattermost installation

Hi all - I was renewing the certificate from docker installation of Mattermost, following those instructions:

I renewed the certificate using certbot, then copied the cert.pem file to ./volumes/web/cert/cert.pem, and privkey.pem to ./volumes/web/cert/key-no-password.pem

but when I run docker-compose up, the app container fails. The error being:

Error: failed to load: invalid config: Config.IsValid: model.config.is_valid.tls_cert_file.app_error,

I think it’s because of the file permissions on the cert files, but I’m not sure.

$ sudo ls -al volumes/web/cert/
total 12
drwxrwxr-- 2 majdal docker   70 May  2 11:26 .
drwxr-xr-x 3 root   root     18 Sep 17  2018 ..
-rwxrwxr-- 1 majdal docker 1919 May  2 10:19 cert.pem
-rwxrwxr-- 1 majdal docker 3566 May  2 11:26 fullchain.pem
-rwxrwxr-- 1 majdal docker 1704 May  2 10:19 key-no-password.pem

Many thanks!

Hi @majdal,

Would you be open to creating an issue on the docker project and the project creators will be able to assist you:

Hey @amy.blais - I definitely can, but should we first make sure that it’s not an obvious problem that could be resolved here first?

@pichouk Can you help take a look at this one?

1 Like

In theory the certificate is only mounted on the web container so I don’t think that a permission issue will trigger an error message in Mattermost application.

This Mattermost application log message is on this part of the Mattermost code, but I don’t know what it means. If a Mattermost developper could help to explain what conditions triggers this message, maybe we would find the issue.

1 Like

Is there someone we could mention here to follow up?

Did you configured your Mattermost app to use TLS ? Because in your setup it’s the web container that terminate TLS so your Mattermost application should be configured to not using TLS. That’s maybe your trouble.

@pichouk I did no changes beyond the basic setup described in the docker tutorial

Do you mean changing those lines? I tried both commented and uncommented versions, neither resolve the issue.

Can you please provide the content of your config.json file please ?
Especially those keys :

  • ServiceSettings.ListenAddress
  • ServiceSettings.ConnectionSecurity
  • ServiceSettings.TLSCertFile
  • ServiceSettings.TLSKeyFile
  • ServiceSettings.UseLetsEncrypt
  • ServiceSettings.LetsEncryptCertificateCacheFile
  • ServiceSettings.Forward80To443

Hello - late reply, but the problem persists:

    "ListenAddress": ":8000",
    "ConnectionSecurity": "TLS",
    "TLSCertFile": "",
    "TLSKeyFile": "",
    "UseLetsEncrypt": false,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": false,

I didn’t now about the UseLetsEncrypt option. I changed it from false to true, changed Forward80To443 to true, and ListenAddress to :443, but now I get this error:

ERROR: relation "idx_teams_description" does not exist

I guess it has to do with migrating to a later version of mattermost?

Ah, actually, the error is the following:

Error: Unable to forward port 80 to port 443 while listening on port 8000: disable Forward80To443 if using a proxy server

You should not enable those settings, because it’s the web container that terminate TLS, not Mattermost.

Try to rollback to the configuration you paste, and change ConnectionSecurity to an empty string. I guess it should works.

1 Like

That solved it! I set

ConnectionSecurity: “”

Many thanks!