Mattermost first setup with Nginx and Let's Encrypt

Hey!

I’m setting up a dockerized Mattermost according to the production install procedure.

The doc does not advise on how to make the best choice between with nginx and without nginx. Except for the obvious case where you already have a running nginx, in which situations would you select these two?

Let’s assume that I use docker-compose.nginx.yml in the next steps.

Let’s Encrypt topic: The doc redirects to that markdown file to get a LE cert. First, for the technical part:

If we reach the directory docker and run certbot, the cert is produced at docker/certs/etc/letsencrypt/live/mysite.org/fullchain.pem

However, this is out of the reach of the dockerized nginx, so even if we assign CERT_PATH and KEY_PATH to the above path in .env, nginx will eventually fail to load the cert.

Since the default path for these vars is ./volumes/web/cert/, I assume that it’s a good idea to move the cert and key there, but web does not exist in ./volumes (only app and db exist). Should we create the path web/cert ?

I did it and it works, Mattermost starts well on port 443. But in the admin UI the “Let’s encrypt” option is greyed and cannot be activated. I would like to activate auto renewals of the cert by Mattermost. I have the feeling that the LE UI options are somehow incompatible with the cert-related variables in the .env.

Second, I would like to improve the docs on that LE topic:

  • The markdown mentions mattermost-docker, which is obsolete; are the instructions the same for the docker repo?
  • Shouldn’t we include these instructions in the docs instead (for example [here](docs.mattermost. REMOVE THIS com/install/install-docker.html) or [here](docs.mattermost. REMOVE THIS com/install/config-tls-mattermost.html)) of a redirection to a markdown on GitHub?

PS: Sorry, I had to fake the URLs because Discourse does not trust me and limits the number of URLs.

Hi daddo and welcome to the Mattermost forums!

Thanks for your remarks with regards to the documentation.
The Let’s Encrypt option is greyed out because it’s only available as part of the paid subscriptions as you can see here:
https://docs.mattermost.com/configure/environment-configuration-settings.html#use-let-s-encrypt

If you’re using the free subscriptions, you need to take care of renewing the certificates on your own or outside Mattermost and that’s one of the things an nginx reverse proxy container could do for you, so you do not have to take care of fiddling around with the SSL settings inside Mattermost and restarting the application every time you renew your certificate, f.ex.
The documentation also explains what you need to do with the LE generated files and yes, you will need to copy them (see point 4 in this documentation).

Which instructions did you follow? I think you’re using some outdated documentation here, could you try to follow Deploy Your Self-Hosted Mattermost Server | Mattermost (the lower part talking about the production deployment)? This will set you up with a docker compose based setup consisting of two containers (mattermost + postgres). If you then need TLS or a proxy, follow the link at the bottom of the page.
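
The "renew outside Mattermost and copy the files" step from the reply above, as an added example that is not part of the thread or of the Mattermost repository. The function name `install_cert`, the destination file names `cert.pem` and `key-no-password.pem`, and the reload command in the trailing comment are assumptions; `fullchain.pem` and `privkey.pem` are certbot's standard output names.

```shell
#!/bin/sh
# Added example: publish a renewed Let's Encrypt cert into the nginx cert volume.
# Assumed names: install_cert, cert.pem, key-no-password.pem.

# install_cert LIVE_DIR DEST_DIR
# Returns 0 when new files were installed, 1 when nothing changed,
# 2 when the source files are missing/empty or the copy failed.
install_cert() {
    live=$1
    dest=$2
    [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ] || return 2

    # Skip the copy (and the nginx reload) if nginx already has these files.
    if cmp -s "$live/fullchain.pem" "$dest/cert.pem" 2>/dev/null &&
       cmp -s "$live/privkey.pem" "$dest/key-no-password.pem" 2>/dev/null; then
        return 1
    fi

    mkdir -p "$dest" || return 2
    old_umask=$(umask)
    umask 077    # temporary copies are never group/world readable
    # -L: certbot's live/ entries are symlinks into archive/.
    cp -L "$live/fullchain.pem" "$dest/.cert.pem.new" &&
    cp -L "$live/privkey.pem" "$dest/.key.pem.new"
    rc=$?
    umask "$old_umask"
    if [ "$rc" -ne 0 ]; then
        rm -f "$dest/.cert.pem.new" "$dest/.key.pem.new"
        return 2
    fi

    chmod 644 "$dest/.cert.pem.new"    # certificate chain is public
    chmod 600 "$dest/.key.pem.new"     # private key: owner only
    # A rename inside one directory is atomic: nginx never sees a partial file.
    mv -f "$dest/.key.pem.new" "$dest/key-no-password.pem" &&
    mv -f "$dest/.cert.pem.new" "$dest/cert.pem" || return 2
    return 0
}

# Usage, e.g. from a certbot --deploy-hook script (paths from the thread;
# the compose service name "nginx" is an assumption):
#   install_cert docker/certs/etc/letsencrypt/live/mysite.org ./volumes/web/cert \
#     && docker compose exec nginx nginx -s reload
```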

Hi, thank you for your reply.

I followed the documentation that you pointed, so it is not outdated, but I think I got confused by the section “TLS & Nginx” here: https://github.com/mattermost/docs/blob/master/source/install/install-docker.rst#tls--nginx that points to https://github.com/mattermost/docker/blob/main/docs/issuing-letsencrypt-certificate.md and the latter seems outdated, at least because of the “mattermost-docker” repo name.

Since it is not clear in my mind when Nginx must or must not be used, I only followed these instructions. Any advice about that topic, nginx vs no-nginx?

> The Let’s Encrypt option is greyed out because it’s only available as part of the paid subscriptions as you can see here:

Thanks, that’s clear now. Maybe display a bubble note instead of just greying the options not available in the free version?