Configuring TLS on Mattermost Server

You have two options if you want users to connect with HTTPS:

  1. Set up TLS on Mattermost Server.
  2. Install a proxy such as NGINX and set up TLS on the proxy.

The easiest option is to set up TLS on the Mattermost Server, but if you expect to have more than 200 users, use a proxy for better performance. A proxy server also provides standard HTTP request logs.

Configure TLS on the Mattermost Server:

  1. Go to System Console > General > Configuration in prior versions, or System Console > Environment > Web Server in versions after 5.12, and make the following changes:
       1. Change the Listen Address setting to :443.
       2. Change the Connection Security setting to TLS.
       3. Change the Forward port 80 to 443 setting to true.
  2. Activate the CAP_NET_BIND_SERVICE capability to allow Mattermost to bind to low ports.

       sudo setcap cap_net_bind_service=+ep /opt/mattermost/bin/mattermost

  3. Install the security certificate. You can use Let’s Encrypt to automatically install and set up the certificate, or you can specify your own certificate.

To use a Let’s Encrypt certificate:

The certificate is retrieved the first time that a client tries to connect to the Mattermost server. Certificates are retrieved for any hostname a client tries to reach the server at.

  1. Change the Use Let’s Encrypt setting to true.
  2. Restart the Mattermost server for these changes to take effect.

Note

If Let’s Encrypt is enabled, forward port 80 through the firewall and set the Forward80To443 setting in config.json to true so that the Let’s Encrypt certification can complete.

To use your own certificate:

  1. Change the Use Let’s Encrypt setting to false.
  2. Change the TLS Certificate File setting to the location of the certificate file.
  3. Change the TLS Key File setting to the location of the private key file.
  4. Restart the Mattermost server for these changes to take effect.
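
The settings above end up in the ServiceSettings block of config.json, so they can be checked before a restart. The script below is an added example, not part of the Mattermost documentation or code: it audits a config.json for the combinations these steps require. Only Forward80To443 is named on this page; the other key names (ListenAddress, ConnectionSecurity, UseLetsEncrypt, TLSCertFile, TLSKeyFile) are assumed to match your server's config.json, and the sample configuration is constructed.

```python
import json

# Constructed sample of a ServiceSettings block (not from a real server).
SAMPLE_CONFIG = """
{
  "ServiceSettings": {
    "ListenAddress": ":8065",
    "ConnectionSecurity": "",
    "UseLetsEncrypt": false,
    "Forward80To443": true,
    "TLSCertFile": "",
    "TLSKeyFile": ""
  }
}
"""

def audit_tls_settings(config_text):
    """Return a list of findings; an empty list means the settings match the steps above."""
    svc = json.loads(config_text).get("ServiceSettings", {})
    findings = []
    if svc.get("ConnectionSecurity") != "TLS":
        findings.append("ConnectionSecurity is not TLS: clients connect over plain HTTP")
    # ListenAddress is "host:port" or ":port"; the port is the text after the last colon.
    port = str(svc.get("ListenAddress", "")).rpartition(":")[2]
    if port != "443":
        findings.append(f"ListenAddress port is {port or 'unset'}, expected 443")
    forward = svc.get("Forward80To443") is True
    if forward and port != "443":
        findings.append("Forward80To443 is true but the server does not listen on 443")
    if svc.get("UseLetsEncrypt") is True:
        # The note above: Let's Encrypt needs port 80 forwarded to complete.
        if not forward:
            findings.append("UseLetsEncrypt is true but Forward80To443 is false")
    else:
        # Own certificate: both file locations must be set.
        for key in ("TLSCertFile", "TLSKeyFile"):
            if not svc.get(key):
                findings.append(f"{key} is empty and Let's Encrypt is off")
    return findings

if __name__ == "__main__":
    for finding in audit_tls_settings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

To check a real server, pass the contents of its config.json to audit_tls_settings instead of SAMPLE_CONFIG.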