
I have successfully installed RocketChat on a private server, running Ubuntu 16.04, Apache 2.4, but I can't get SSL to work.

Background: example.com has existing LetsEncrypt certificates. example.com has a website running on it with SSL, and RocketChat needs to be at https://chat.example.com. There are two Apache VirtualHosts, for example.com and chat.example.com, both enabled.

Settings are as follows:

example.com.conf

<VirtualHost example.com:80>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/example

        Alias /examplestaging /var/www/html/examplestaging

        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/example-error.log
        CustomLog ${APACHE_LOG_DIR}/example-access.log combined

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =example.com [OR]
        RewriteCond %{SERVER_NAME} =www.example.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

example.com-le-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost example.com:443>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/example

        Alias /examplestaging /var/www/html/examplestaging

        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/example-error.log
        CustomLog ${APACHE_LOG_DIR}/example-access.log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
</IfModule>

chat.example.com.conf

<VirtualHost *:443>
    ServerName chat.example.com
    ServerAdmin webmaster@localhost

    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    ErrorLog /var/log/chat.example.com_error.log
    TransferLog /var/log/chat.example.com_access.log
    LogLevel info

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+$
    SSLHonorCipherOrder on
    SSLCompression off
    SSLOptions +StrictRequire

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://localhost:3000/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*) http://localhost:3000/$1 [P,L]

    ProxyPassReverse / http://localhost:3000/
</VirtualHost>

<VirtualHost *:80>
    ServerName chat.example.com
    ServerAdmin webmaster@localhost
    UseCanonicalName Off

    ErrorLog /var/log/chat.example.com_error.log
    TransferLog /var/log/chat.example.com_access.log
    LogLevel info

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://localhost:3000/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*) http://localhost:3000/$1 [P,L]

    ProxyPassReverse / http://localhost:3000/
</VirtualHost>

The instructions I went by are

https://rocket.chat/docs/installation/manual-installation/ubuntu/

https://rocket.chat/docs/installation/manual-installation/configuring-ssl-reverse-proxy/#running-behind-an-apache-ssl-reverse-proxy

https://asperti.com/en/bglug-slack-to-rocket-chat

All vhosts above are enabled. All apache proxy mods are enabled (according to instructions).

http://www.example.com:3000 works and I can log in. I have changed the URL in the settings to https://chat.example.com.

The service file /lib/systemd/system/rocketchat.service is

[Unit]
Description=The Rocket.Chat server
After=network.target remote-fs.target nss-lookup.target nginx.target mongod.target
[Service]
ExecStart=/usr/local/bin/node /opt/Rocket.Chat/main.js
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rocketchat
User=rocketchat
Environment=MONGO_URL=mongodb://localhost:27017/rocketchat?replicaSet=rs01 MONGO_OPLOG_URL=mongodb://localhost:27017/local?replicaSet=rs01 ROOT_URL=https://chat.example.com PORT=3000
[Install]
WantedBy=multi-user.target

Whenever I make any changes, I restart rocketchat and apache2 services.

When entering https://chat.example.com or http://chat.example.com, it instantly throws a server unavailable error, so it would seem that the reverse proxy isn't working (?). I do not have any errors in the log files for example.com-error.log, nor chat.example.com_error.log, nor error.log.

chat.example.com_error.log does include this info:

[Tue Aug 13 21:25:47.062881 2019] [ssl:info] [pid 22553] AH01914: Configuring server chat.example.com:443 for SSL protocol
[Tue Aug 13 21:25:47.063611 2019] [ssl:info] [pid 22553] AH02568: Certificate and private key chat.example.com:443:0 configured from /etc/letsencrypt/live/example.com/cert.pem and /etc/letsencrypt/live/example.com/privkey.pem

What could be wrong with this setup?

Fid
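A hardened vhost pair for chat.example.com, added here as an example; it is not the question's configuration, nor code from the Rocket.Chat docs or the answers. It assumes a certificate that actually lists chat.example.com (for instance one obtained with certbot, as the second answer suggests), stored under /etc/letsencrypt/live/chat.example.com/ (that path is an assumption), and Rocket.Chat listening on 127.0.0.1:3000 as in the question's unit file. Compared with the posted config: the port-80 vhost only redirects, instead of proxying logins and session cookies to Rocket.Chat in cleartext; the chain comes from fullchain.pem (Apache 2.4.8 and later read it from SSLCertificateFile, and Ubuntu 16.04 ships 2.4.18); access control uses 2.4 syntax; and ProxyPreserveHost plus X-Forwarded-Proto let the backend see the real host and scheme so ROOT_URL=https://chat.example.com holds.

```apache
# Added example: TLS-terminating reverse proxy for Rocket.Chat on Apache 2.4.
# Assumed: cert covering chat.example.com under /etc/letsencrypt/live/chat.example.com/
#          and Rocket.Chat bound to 127.0.0.1:3000.
# Modules: a2enmod ssl rewrite headers proxy proxy_http proxy_wstunnel

# Plain HTTP: redirect only. Proxying cleartext traffic to the chat backend
# (as the posted *:80 vhost does) exposes credentials and session cookies.
<VirtualHost *:80>
    ServerName chat.example.com
    ErrorLog ${APACHE_LOG_DIR}/chat.example.com_error.log
    CustomLog ${APACHE_LOG_DIR}/chat.example.com_access.log combined
    Redirect permanent / https://chat.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName chat.example.com
    ErrorLog ${APACHE_LOG_DIR}/chat.example.com_error.log
    CustomLog ${APACHE_LOG_DIR}/chat.example.com_access.log combined

    SSLEngine on
    # fullchain.pem carries leaf + intermediates; SSLCertificateChainFile is
    # deprecated since 2.4.8 and not needed here.
    SSLCertificateFile    /etc/letsencrypt/live/chat.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chat.example.com/privkey.pem
    # Protocol/cipher policy maintained by certbot (same file the
    # example.com vhost in the question includes).
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Pin browsers to HTTPS for this host once it works (mod_headers).
    Header always set Strict-Transport-Security "max-age=63072000"

    # Apache 2.4 access control; "Order allow,deny / Allow from all" is 2.2
    # syntax that only works through mod_access_compat.
    <Location />
        Require all granted
    </Location>

    # Never act as a forward proxy; pass the original Host and scheme through.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # WebSocket upgrades go through mod_proxy_wstunnel (ws://), the rest is
    # plain HTTP to the same backend. Same rewrite pattern as the posted config.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:3000/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:3000/$1 [P,L]
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

Checks before trusting it: `sudo apachectl configtest`, then `sudo apachectl -S` to see how Apache has grouped the vhosts. Apache picks a vhost by the most specific address match first and compares ServerName only among vhosts sharing that address, so a vhost declared as `example.com:443` (as in the posted example.com-le-ssl.conf) takes every connection to that IP on 443 and a `*:443` vhost for chat.example.com is never consulted; declare all vhosts with the same address form. `curl -sI http://127.0.0.1:3000/` confirms the backend is reachable from the proxy host (Apache answers 503 when it cannot connect), and `openssl x509 -in /etc/letsencrypt/live/chat.example.com/fullchain.pem -noout -text | grep -A1 'Subject Alternative Name'` confirms the served certificate covers chat.example.com; the posted log line shows the example.com certificate being loaded for the chat vhost, which browsers reject unless that SAN is present. Finally, since http://www.example.com:3000 answers from the public interface, the TLS front door can be bypassed: bind Rocket.Chat to loopback (its BIND_IP environment variable in the unit's Environment line) or firewall port 3000.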

2 Answers

  1. Install Caddy on the server

  2. Redirect the URLs to https://your RocketChat URL

  3. Everything will be fine.

4b0
Olga

Did you try to generate via certbot?

sudo certbot --apache -d example.com -d chat.example.com
Mihir Bhatt