Error enabling TLS with LetsEncrypt

I’m following Install Mattermost on Ubuntu 20.04 LTS — Mattermost documentation to install Mattermost on an Ubuntu 20.04 LTS system with mysqld.

As per “Configure TLS on the Mattermost server” I set the Listen Address to :443, chose TLS, forwarded 80 to 443, and set “Use Let’s Encrypt” to true. Save config. At that point I get:

{"timestamp":"2022-11-08 17:14:40.970 Z","level":"warn","msg":"Unrecognized config permissions tag value.","caller":"api4/config.go:431","tag_value":"sysconsole_write_*_read"}

Stop and restart the server. Logs indicate it has started:

{"timestamp":"2022-11-08 17:15:35.169 Z","level":"info","msg":"Starting Server…","caller":"app/server.go:1151"}
{"timestamp":"2022-11-08 17:15:35.169 Z","level":"info","msg":"Server is listening on [::]:443","caller":"app/server.go:1224","address":"[::]:443"}

But when I try to access it:

{"timestamp":"2022-11-08 17:16:08.781 Z","level":"error","msg":"http: TLS handshake error from w.x.y.z:59094: acme/autocert: missing certificate","caller":"log/log.go:195","source":"httpserver"}

It looks like there is one or more missing steps to actually get a certificate issued.

Hi jnojr!

You can ignore this error, this is a known issue which is irrelevant and just confusing.
Most likely the error you’re seeing is caused by the certbot configuration not working properly as documented at Install Mattermost on Ubuntu 20.04 LTS — Mattermost documentation.

When you ran certbot for the first time as mentioned in step 11, did it ask you for the domain name and was it able to generate a certificate or have there been any error messages?

Aside from that you might want to look at an easier deployment method called Omnibus Deployment. It boils down to a single apt install mattermost-omnibus on a supported Ubuntu platform and the rest of the setup will happen almost automatically and you do not have to go through the hassle of manually configuring stuff.

OK, that helps… I see certbot mentioned much lower in the docs, under configuring nginx. I’ll play with it, see if I can get it working, and maybe I can suggest a change to the docs to make it obvious to someone like me who has never done this before!

As for the omnibus install… I had tried that before installing from the tarball. It bombed out with errors about not being able to reach a path on the web server. While troubleshooting that, I wound up with a message about having run it too many times. It was weird, because the path it complained about ( .well-known/acme-challenge/YRM6syUmJXGcbUWtDi1EPeqFjmYtZVBwNtgJ0QIw3ZU: ) I was able to create manually and access in the browser. I was just getting to the point of tailing the error_log to figure out what was going on when I got locked out.

How would you expect the documentation to be at this point? Setting up the reverse proxy and https is part of the documentation and comes at the end, because you can omit it if you do not want to use https for your deployment, but if you do, this is the way to go (including all the stuff around certbot).
I think the documentation might be a bit clearer on the steps required to achieve a specific goal here, but on the other hand it seems you just dropped off reading it after the application server was running :slight_smile:

This is not the Omnibus install. The Omnibus install only comes with a Debian package; if you use the tarball, then we’re talking about the binary installation, which is not what I meant.
Trust me, I think the Omnibus installation is exactly what you need - you will have to start over on a fresh Ubuntu system (or wipe what you have here so far) and it will set up everything for you (nginx with SSL, the database server including the user accounts, permissions, etc. and of course, Mattermost).
Also updating is as easy as apt update && apt upgrade later on. This is the most hassle free deployment you can get.

Update: Oh, wait - maybe I misunderstood you. You meant you tried the Omnibus installation BEFORE you actually tried the binary installation we’re talking about in here? If so, sorry, mixed your words up obviously.
The Mattermost Omnibus installation uses Let’s Encrypt to automatically generate an SSL certificate for your installation, so it is necessary that the domain you choose for the setup is publicly reachable so that the Let’s Encrypt verification servers can access it. If your Mattermost installation is internal only and if you do not want to use Let’s Encrypt, let me know, we’ll find a way around that then (if it’s not possible to temporarily open http/https public during the installation in order to generate the certificate).
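
A pre-flight check for the reachability requirement discussed in this thread, added here as an example (it is not part of any post and not Mattermost or certbot code). It reports whether the hostname resolves only to non-public addresses and whether a file placed under `.well-known/acme-challenge/` in the web root is served back unchanged over plain HTTP; the hostname `mattermost.example.com` and web root `/var/www/html` are placeholders, and a web-root-based HTTP-01 setup is an assumption.

```python
import http.client, ipaddress, pathlib, secrets, socket
from urllib.parse import urlsplit

CHALLENGE_DIR = ".well-known/acme-challenge"  # path prefix used by ACME HTTP-01

def non_public_addresses(host):
    """Return the addresses `host` resolves to that are not globally routable."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    addrs = {info[4][0] for info in infos}
    return sorted(a for a in addrs if not ipaddress.ip_address(a).is_global)

def probe_challenge_path(base_url, webroot):
    """Write a random probe file under webroot and fetch it back over HTTP.

    Returns (ok, detail). The probe file is always removed afterwards.
    """
    token = "probe-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    directory = pathlib.Path(webroot) / CHALLENGE_DIR
    directory.mkdir(parents=True, exist_ok=True)
    probe = directory / token
    probe.write_text(body)
    url = urlsplit(base_url)
    try:
        conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=10)
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}")
        resp = conn.getresponse()
        data = resp.read().decode(errors="replace").strip()
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return False, f"connection failed: {exc}"
    finally:
        probe.unlink(missing_ok=True)
    if resp.status != 200:
        # This probe does not follow redirects; anything but 200 is reported.
        return False, f"HTTP {resp.status} for /{CHALLENGE_DIR}/<probe>"
    if data != body:
        return False, "response body differs from probe file (wrong vhost or webroot?)"
    return True, "probe served correctly"

if __name__ == "__main__":
    host, webroot = "mattermost.example.com", "/var/www/html"  # placeholders
    print("non-public addresses:", non_public_addresses(host))
    print(probe_challenge_path(f"http://{host}", webroot))
```

A successful probe from the server itself only shows that the web server maps the challenge path to the expected directory; it does not show that port 80 is open to the internet, which is what the certificate authority's validation needs.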