Mattermost can’t read my (Let’s Encrypt) certificate file due to its default root-only permissions.
Steps to reproduce
I’ve used certbot to create a certificate on my server. Its default file/folder permissions are root:root, which seems correct enough, especially for the private key. My mattermost log file shows:
Thanks for your response. I read those before posting here, I’m afraid they don’t help. I haven’t actually set UseLetsEncrypt to true mind you, because it’s not at all clear what it does or how it works. It purports to be magical it seems. My server already had a LE cert set up, so I worry setting that will request a new one, or revoke my old one, or who knows; it seems not to be documented.
So instead I just point TLSCertFile and TLSKeyFile to the files in /etc/letsencrypt/live/example.com/, but those files are root:root so mattermost can’t read them. For the moment I’ve just copied the files elsewhere so mattermost can access them, but I’d still like to know the kosher way of doing it…
If you choose to use the UseLetsEncrypt configuration within Mattermost, it will automatically manage those certificate files on your behalf.
If you choose to have the certificates managed by another process, you’ll need to ensure they are readable by the user/group assigned to mattermost. If you followed our install guides, they recommend creating mattermost:mattermost, and thus definitely won’t have access to something only root can read.
I can’t speak to Certbot best practices, but I’d recommend simply chown’ing these files to be readable by mattermost:mattermost.
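An added example, not part of the thread or of Mattermost's or Certbot's own code: a certbot deploy hook that automates the copy the original poster did by hand, so the files under /etc/letsencrypt stay root-only and a separate copy is readable by the mattermost group. The hook file name, the target directory /opt/mattermost/certs, the root:mattermost ownership and the systemd unit name are assumptions.

```shell
#!/bin/sh
# Certbot deploy hook (added example). Assumed location:
#   /etc/letsencrypt/renewal-hooks/deploy/mattermost-certs.sh
# Certbot runs deploy hooks as root after a successful renewal and sets
# RENEWED_LINEAGE to the live directory, e.g. /etc/letsencrypt/live/example.com.

# copy_certs SRC_DIR DST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem from SRC_DIR into DST_DIR with
# restrictive modes. OWNER (user:group) is applied only when given.
copy_certs() {
    src=$1 dst=$2 owner=${3:-}

    # Refuse to create anything if the source pair is incomplete.
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "missing certificate files in $src" >&2
        return 1
    }

    umask 077
    mkdir -p "$dst" || return 1
    chmod 750 "$dst" || return 1

    # install(1) follows the symlinks in live/ and writes regular files.
    # The key is group-readable only, never world-readable.
    install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
    install -m 0640 "$src/privkey.pem" "$dst/privkey.pem" || return 1

    if [ -n "$owner" ]; then
        chown -R "$owner" "$dst" || return 1
    fi
}

# Only act when certbot invoked us.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Assumptions: target directory, root:mattermost ownership (the service
    # can read the key through its group but cannot rewrite it), and a
    # systemd unit named "mattermost".
    copy_certs "$RENEWED_LINEAGE" /opt/mattermost/certs root:mattermost &&
        systemctl restart mattermost
fi
```

TLSCertFile and TLSKeyFile would then point at the copies in the target directory rather than at /etc/letsencrypt/live/example.com/.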