I've put together a rough tutorial to help anyone else who's stuck:
Setting up GitLab Mattermost with Let's Encrypt
This guide assumes you've already installed GitLab along with GitLab Mattermost.
The first step is to switch to the root user as you need to run Let's Encrypt as root:
sudi -i
Clone Let's Encrypt
cd /root
git clone https://github.com/letsencrypt/letsencrypt
Create a mattermost.ini
Make sure you're still in /root
, and run the following:
mkdir letsencrypt-config
nano letsencrypt-config/mattermost.ini
Paste the following in to this configuration file:
# Let's Encrypt config for Mattermost
# Use the webroot authenticator
authenticator = webroot
webroot-path = /var/www/letsencrypt
# Use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Generate certificates for the specified domain
domains = chat.yourdomain.com
# Register with the specified email address
email = youremail@yourdomain.com
# use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
Create the folder where authentication files will reside
mkdir -p /var/www/letsencrypt
Update gitlab.rb
to alias chat.yourdomain.com/.well-known/
to /var/www/letsencrypt/
Edit your gitlab.rb
:
nano /etc/gitlab/gitlab.rb
And add the following line:
mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
Reconfigure GitLab to initialize the new setting:
gitlab-ctl reconfigure
Generate the Certificates
/root/letsencrypt/letsencrypt-auto certonly -c /root/letsencrypt-config/mattermost.ini
Update gitlab.rb
to reflect live HTTPS settings
nano /etc/gitlab/gitlab.rb
Make the following changes:
mattermost_external_url 'https://chat.yourdomain.com'
mattermost['service_use_ssl'] = true
mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/chat.yourdomain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/chat.yourdomain.com/privkey.pem"
Then run:
gitlab-ctl reconfigure
Set up a cron job to auto update the certificates
nano /etc/cron.monthly/renew-ssl-certificates
Add the following:
#!/bin/bash
/root/.local/share/letsencrypt/bin/letsencrypt certonly -c /root/letsencrypt-config/mattermost.ini --renew-by-default
gitlab-ctl restart
And you're done!