Automate tls certificate renewal
The website certificate should be renewed automatically (e.g. by a Cron-job or the Let's Encrypt client) because it expired multiple times already
The LetsEncrypt client proves ownership of the domain by storing a token at a well-known path. The nginx config files for GitLab and Mattermost need to be modified to make the token retrievable via HTTP. However, the config files are auto-generated by GitLab each time it's upgraded/reconfigured, overwriting any manual modifications. The cron job will need to check whether the modifications have been overwritten, and if so, reapply them before running the LetsEncrypt client.
The cron job should also set the mode and ownership of the new private key after running the LetsEncrypt client, which for some reason leaves the key world-readable.