Got it working. I think the key was that I had to generate the SSL key before changing the domain, and in order to do that, I had to add the following line:
mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"