Mattermost is a flexible, open-source messaging platform that enables secure team collaboration. There is a FreeBSD port, www/mattermost-server, that allows you to host your own instance. Here is a guide on how to make the Mattermost server work inside a jail with HTTPS. It takes about 5 minutes to set up. I have not included parts such as how to update NS records or set up the database. Let's start!
Pre-steps and installation
First I pointed the domain mattermost.domain.com at a jail IP address and made sure the firewall was open on 443 and the database port.
You should already have a database (MySQL or PostgreSQL) installed somewhere, on which you need to create a database and a user (MySQL in my case), unless you want to install it in the same jail (yes, you can). The grant below lets mmuser connect from any host ('%'); on a host with several jails it is better to restrict it to the jail's own address, because anyone who learns the password can otherwise use it from any machine that can reach port 3306:
create user 'mmuser'@'%' identified by 'mmuser-password';
create database mattermost;
grant all privileges on mattermost.* to 'mmuser'@'%';
Now let's get into the jail and start installing software:
pkg ins mattermost-server mattermost-webapp i18ntools
Configuration
cp /usr/local/etc/mattermost/config.json.sample /usr/local/etc/mattermost/config.json
sysrc mattermostd_enable="YES"
chown -R mattermost:mattermost /usr/local/www/mattermost/client/
Open your favourite editor and edit /usr/local/etc/mattermost/config.json:
"DataSource": "mmuser:mmuser-password@tcp(10.1.1.36:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
"SiteURL": "https://mattermost.domain.com",
The database password sits in config.json in clear text, so keep the file owned by the mattermost user and readable by nobody else. Note also that the connection to 10.1.1.36 is plain TCP unless the database and the driver are configured for TLS; on a shared network, route it over a private interface or a jail-local network.
SSL/TLS Certificate
Most Unix systems do not allow an unprivileged user to bind ports below 1024 (1023 is the highest reserved port). We want the server to listen on port 443 from inside the jail while running as the mattermost user. The sysctl that controls this is kernel-wide and cannot be changed from inside a jail, so update it on the host if required. Be aware of what it does: lowering net.inet.ip.portrange.reservedhigh to 442 lets every unprivileged user on the host and in every jail bind any port from 443 up to 1023, not just Mattermost on 443, and the change is lost on reboot unless it is also added to /etc/sysctl.conf. If that is too broad for your host, FreeBSD's mac_portacl(4) can grant the right to bind 443 to a single uid instead, or a reverse proxy can own port 443 and forward to Mattermost on an unprivileged port.
# sysctl net.inet.ip.portrange.reservedhigh
net.inet.ip.portrange.reservedhigh: 1023
# sysctl net.inet.ip.portrange.reservedhigh=442
There are many ways of getting TLS working with Mattermost. I found that the Let's Encrypt option offered by Mattermost does not work well inside a jail, as it is not able to verify the IP. I used certbot with Cloudflare to generate a cert. The credentials file created below must be readable only by its owner (certbot warns when it is not), and the plugin also accepts a scoped Cloudflare API token (dns_cloudflare_api_token) in place of the global API key, which limits what an attacker can do with the file if the jail is compromised.
pkg install py37-certbot-dns-cloudflare-1.1.0
mkdir -p ~/.secrets/certbot/
vi ~/.secrets/certbot/cloudflare.ini
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = <your_email>
dns_cloudflare_api_key = <your_key>
:wq
certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--dns-cloudflare-propagation-seconds 10 \
-d mattermost.domain.com
cp /usr/local/etc/letsencrypt/archive/mattermost.domain.com/* /usr/local/etc/mattermost/
chown -R mattermost:mattermost /usr/local/etc/mattermost/
I found that the last step fixes a permissions problem with the SSL certificate. Unfortunately, Mattermost is not able to read the Let's Encrypt folders, as it is started by daemon as the mattermost user.
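The copy above works once, but certbot keeps a numbered history under archive/ (cert1.pem, cert2.pem, ...) while live/<domain>/ always points at the current files, so after the first renewal the copied cert1.pem silently goes stale and eventually expires. The script below is an added example, not part of the original post or of Mattermost: it is meant to run as a certbot deploy hook, copies the current fullchain.pem and privkey.pem from the lineage directory into the Mattermost config directory with the key readable only by its owner, and restarts the service when certbot invokes it. The file names mattermost.crt and mattermost.key, the destination directory, the service user and the mattermostd rc name are assumptions chosen to match this post.

```shell
#!/bin/sh
# Added example (not from the original post or the Mattermost project):
# certbot deploy hook that installs the current Let's Encrypt files for
# Mattermost. Assumptions: certbot's live/<domain>/ layout (fullchain.pem,
# privkey.pem), destination /usr/local/etc/mattermost, service user
# "mattermost" and rc script "mattermostd", all as used in this post.
set -eu

MM_USER=${MM_USER:-mattermost}
MM_DIR=${MM_DIR:-/usr/local/etc/mattermost}

# install_cert SRC_DIR DST_DIR OWNER
# Copies fullchain.pem (leaf + intermediate) and privkey.pem from SRC_DIR
# into DST_DIR as mattermost.crt / mattermost.key. The key is created under
# umask 077 so it is never world-readable, even for an instant, and the
# modes are then set explicitly in case the destination files already existed.
install_cert() {
    src=$1; dst=$2; owner=$3
    [ -f "$src/fullchain.pem" ] || { echo "missing $src/fullchain.pem" >&2; return 1; }
    [ -f "$src/privkey.pem" ]   || { echo "missing $src/privkey.pem" >&2; return 1; }
    mkdir -p "$dst"
    (umask 022; cp "$src/fullchain.pem" "$dst/mattermost.crt")
    (umask 077; cp "$src/privkey.pem"   "$dst/mattermost.key")
    chmod 0644 "$dst/mattermost.crt"
    chmod 0600 "$dst/mattermost.key"
    # chown only works as root (the case when certbot runs the hook)
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dst/mattermost.crt" "$dst/mattermost.key"
    fi
    return 0
}

# file_mode FILE -> symbolic permission string, e.g. -rw-------
# (ls -l is used instead of stat because stat's flags differ between
# FreeBSD and GNU coreutils)
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# certbot exports RENEWED_LINEAGE (/usr/local/etc/letsencrypt/live/<domain>)
# when it runs deploy hooks; outside that context the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "$MM_DIR" "$MM_USER:$MM_USER"
    service mattermostd restart
fi
```

Save it as an executable file under /usr/local/etc/letsencrypt/renewal-hooks/deploy/ (certbot runs every script there after a successful issuance or renewal) or pass it with --deploy-hook, then point TLSCertFile and TLSKeyFile in config.json at mattermost.crt and mattermost.key so renewals need no further copying.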
"ServiceSettings": {
"ListenAddress": ":443",
"ConnectionSecurity": "TLS",
"TLSCertFile": "/usr/local/etc/mattermost/fullchain1.pem",
"TLSKeyFile": "/usr/local/etc/mattermost/privkey1.pem",
"TLSMinVer": "1.2",
"TLSStrictTransport": false,
"UseLetsEncrypt": false,
"Forward80To443": true,
Only the settings needed to get TLS working were changed; see the official Mattermost TLS configuration documentation for the rest. A few points worth revisiting once it works: TLSCertFile should point at the full chain (fullchain1.pem) rather than the leaf cert1.pem alone, otherwise clients that do not fetch intermediates themselves will reject the certificate; TLSStrictTransport should be switched to true once you are sure HTTPS is stable, so that browsers which have seen the site refuse to fall back to plain HTTP; and Forward80To443 needs to bind port 80, which is still a reserved port after the sysctl change above, so check the log for a bind error on :80.
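As an added check (not code from the post or from the Mattermost project), the following POSIX sh script reads the ServiceSettings keys out of config.json and flags the TLS-related settings a practitioner would want to revisit before exposing the jail: ConnectionSecurity, TLSMinVer, TLSStrictTransport, UseLetsEncrypt, SiteURL, the mode of the private key and whether the certificate file is a full chain. It assumes the one-key-per-line layout of the port's config.json.sample and uses only sed and grep so it runs in a bare jail; the key names are Mattermost's own, while the function names and messages are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post or the Mattermost project):
# audit the TLS-relevant ServiceSettings in a Mattermost config.json.
# Assumes the flat "key": value one-per-line layout of config.json.sample;
# use jq instead if the file has been reformatted.

# json_val FILE KEY -> value of "KEY": "string" or "KEY": true/false/number
json_val() {
    v=$(sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1)
    if [ -z "$v" ]; then
        v=$(sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\([A-Za-z0-9.]*\).*/\1/p" "$1" | head -n 1)
    fi
    printf '%s\n' "$v"
}

# audit_tls FILE -> prints one finding per line; the return value is the
# number of findings (0 = clean), so it can gate a deployment script.
audit_tls() {
    cfg=$1; n=0
    if [ "$(json_val "$cfg" ConnectionSecurity)" != "TLS" ]; then
        echo "ConnectionSecurity is not TLS: the listener speaks plaintext HTTP"; n=$((n+1))
    fi
    case "$(json_val "$cfg" TLSMinVer)" in
        1.2|1.3) ;;
        *) echo "TLSMinVer is below 1.2: TLS 1.0/1.1 would be accepted"; n=$((n+1)) ;;
    esac
    if [ "$(json_val "$cfg" TLSStrictTransport)" != "true" ]; then
        echo "TLSStrictTransport is false: no HSTS header, browsers can be downgraded to http://"; n=$((n+1))
    fi
    if [ "$(json_val "$cfg" UseLetsEncrypt)" != "false" ]; then
        echo "UseLetsEncrypt is true: conflicts with the certificate files configured by hand"; n=$((n+1))
    fi
    case "$(json_val "$cfg" SiteURL)" in
        https://*) ;;
        *) echo "SiteURL is not https://: generated links and cookies will use plaintext"; n=$((n+1)) ;;
    esac
    # the private key must exist and be readable only by its owner
    key=$(json_val "$cfg" TLSKeyFile)
    if [ -n "$key" ] && [ -e "$key" ]; then
        case "$(ls -ld "$key" | cut -c1-10)" in
            -rw-------) ;;
            *) echo "$key is not mode 0600: private key readable by other users"; n=$((n+1)) ;;
        esac
    fi
    # the certificate file should carry the intermediate too (fullchain.pem)
    crt=$(json_val "$cfg" TLSCertFile)
    if [ -n "$crt" ] && [ -e "$crt" ] && [ "$(grep -c 'BEGIN CERTIFICATE' "$crt")" -lt 2 ]; then
        echo "$crt holds a single certificate: use fullchain.pem so clients receive the intermediate"; n=$((n+1))
    fi
    return $n
}

# Usage: sh audit_tls.sh /usr/local/etc/mattermost/config.json
if [ $# -eq 1 ]; then
    audit_tls "$1" && echo "no TLS findings in $1"
fi
```

Run it as the mattermost user inside the jail so the file-mode checks see the same permissions the daemon does; a non-zero exit with the listed findings is the expected result for the config shown in this post until TLSStrictTransport is set to true.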
Start Mattermost and debug
To start the service, just type:
service mattermostd start
To watch the default log, tail the log file. Once the service is up, confirm from a client outside the jail that port 443 answers over TLS with a certificate chain that validates, and check the log for a bind error on :80 if Forward80To443 is enabled:
tail -f /usr/local/www/mattermost/mattermost.log