Caddy fails when using SSL

Description

Server Setup Information

Version 2.4.11

  • Operating System: Ubuntu 18.04
  • Deployment Method:
  • Number of Running Instances: 1

RocketChat was installed using snap. It works without SSL without problems.

The problems occur when I attempt to enable SSL on it. I did so using the snap/caddy instructions provided at
https://rocket.chat/docs/installation/manual-installation/ubuntu/snaps/autossl/

I followed those instructions to the letter.
When attempting to access RocketChat using SSL, I get different failures on different browsers – all of which seem to point to some SSL configuration error on the RocketChat server…

In order to determine what was going on, I took a look at the Caddy logs. I am seeing a weird failure whenever I attempt to use a cert. The latest content of my logs is below:

Mar 23 13:08:35 FamilyBox rocketchat-server.rocketchat-caddy[15230]: 2020/03/23 13:08:35 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:34 FamilyBox rocketchat-server.rocketchat-caddy[15230]: 2020/03/23 13:08:34 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:33 FamilyBox rocketchat-server.rocketchat-caddy[15230]: 2020/03/23 13:08:33 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:31 FamilyBox rocketchat-server.rocketchat-caddy[15230]: 2020/03/23 13:08:31 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:30 FamilyBox rocketchat-server.rocketchat-caddy[15230]: 2020/03/23 13:08:30 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:29 FamilyBox rocketchat-server.rocketchat-caddy[15230]: Activating privacy features... 2020/03/23 13:08:29 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:28 FamilyBox systemd[1]: Started Service for snap application rocketchat-server.rocketchat-caddy.
Mar 23 13:08:28 FamilyBox systemd[1]: Stopped Service for snap application rocketchat-server.rocketchat-caddy.
Mar 23 13:08:28 FamilyBox systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Scheduled restart job, restart counter is at 46.
Mar 23 13:08:28 FamilyBox systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Service hold-off time over, scheduling restart.
Mar 23 13:08:28 FamilyBox systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Failed with result 'exit-code'.
Mar 23 13:08:28 FamilyBox systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Main process exited, code=exited, status=1/FAILURE
Mar 23 13:08:28 FamilyBox rocketchat-server.rocketchat-caddy[15201]: 2020/03/23 13:08:28 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:
Mar 23 13:08:27 FamilyBox rocketchat-server.rocketchat-caddy[15201]: 2020/03/23 13:08:27 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:26 FamilyBox rocketchat-server.rocketchat-caddy[15201]: 2020/03/23 13:08:26 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:24 FamilyBox rocketchat-server.rocketchat-caddy[15201]: 2020/03/23 13:08:24 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:23 FamilyBox rocketchat-server.rocketchat-caddy[15201]: 2020/03/23 13:08:23 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:22 FamilyBox rocketchat-server.rocketchat-caddy[15201]: 2020/03/23 13:08:22 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:21 FamilyBox rocketchat-server.rocketchat-caddy[15201]: Activating privacy features... 2020/03/23 13:08:21 [INFO] [web.soliannet.net] acme: Obtaining bundled SAN certificate
Mar 23 13:08:20 FamilyBox systemd[1]: Started Service for snap application rocketchat-server.rocketchat-caddy.

There appears to be an authentication problem with Let’s Encrypt (too many failed authentication attempts???), which is weird since I have not been making any attempts directly.

My Caddyfile is below:

https://web.soliannet.net:8304
proxy / localhost:3000 {
   websocket
   transparent
}

Note that the URL points to port 8304. This is necessary because, from the Internet, access to the URL must be through that port.

Does anyone have any information that will help me get SSL working properly on my RocketChat server? Someone please advise.

I believe I know what the problem is, though I still have no solution.

The machine I am using to run Rocket.Chat can only receive requests on port 8304 (for various reasons beyond my control). It appears that the procedure for setting up the SSL simply does not allow a user to specify a port for the domain when enabling SSL (in Snap or anywhere else). For this reason, Let's Encrypt's challenge system fails to work properly because it cannot actually reach the Rocket.Chat server.

I am looking at setting up a cert for an nginx reverse proxy. Unfortunately, I am having the same problem generating the .crt and .key files that nginx needs.

Does anyone have any insights on how I might get some certs generated for nginx under these circumstances?
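The two posts above describe one failure chain: the ACME client inside the snap's Caddy service cannot complete validation, it exits with status 1, systemd restarts it, each restart places a fresh order, and within minutes the CA answers 429 rateLimited. The triage helper below is an added example, not code from the post or from the Rocket.Chat or Caddy projects. It reads journalctl-style lines like those quoted in the first post, pulls out the structured ACME error (HTTP status, endpoint, error type, detail) and the systemd restart counter, and compares the site's listening port from the Caddyfile address with the ports an ACME CA actually connects to for the challenge types Caddy runs (HTTP-01 on 80, TLS-ALPN-01 on 443), which is the mismatch the second post identifies. The journal excerpt, hostname and domain in the block are constructed placeholders modelled on the quoted log; the failed-validation figure is taken from the Let's Encrypt rate-limits page the log links to, as documented at the time of the post.

```python
"""Triage a Caddy ACME restart loop from journalctl output (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Ports an ACME CA connects to for the challenge types Caddy runs by default.
# The site's own listening port never enters into validation: the CA does not see it.
CHALLENGE_PORTS = {"http-01": 80, "tls-alpn-01": 443}

# Failed-validation limit documented at https://letsencrypt.org/docs/rate-limits/
# when the post was written: 5 failures per account, per hostname, per hour.
FAILED_VALIDATIONS_PER_HOUR = 5

# Constructed journal excerpt (reverse-chronological, as journalctl -r prints it),
# modelled on the lines quoted in the post; host, pid and domain are placeholders.
SAMPLE_JOURNAL = """\
Mar 23 13:08:28 host systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Scheduled restart job, restart counter is at 46.
Mar 23 13:08:28 host systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Failed with result 'exit-code'.
Mar 23 13:08:28 host systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Main process exited, code=exited, status=1/FAILURE
Mar 23 13:08:28 host rocketchat-server.rocketchat-caddy[15201]: 2020/03/23 13:08:28 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:
Mar 23 13:08:21 host rocketchat-server.rocketchat-caddy[15201]: Activating privacy features... 2020/03/23 13:08:21 [INFO] [chat.example.test] acme: Obtaining bundled SAN certificate
Mar 23 13:08:20 host systemd[1]: Started Service for snap application rocketchat-server.rocketchat-caddy.
"""

# Caddy v1 error format: "acme: error: <status> :: <method> :: <url> :: <urn type> :: <detail>"
ACME_ERROR_RE = re.compile(
    r"acme: error: (?P<status>\d{3}) :: (?P<method>[A-Z]+) :: (?P<url>\S+) :: "
    r"(?P<type>urn:ietf:params:acme:error:\w+) :: (?P<detail>.*)$"
)
RESTART_RE = re.compile(r"restart counter is at (?P<count>\d+)\.")


@dataclass
class AcmeError:
    status: int
    method: str
    url: str
    error_type: str  # short name after the urn prefix, e.g. "rateLimited"
    detail: str


def parse_acme_errors(journal: str) -> List[AcmeError]:
    """Extract every structured ACME error line from the journal text."""
    errors = []
    for line in journal.splitlines():
        m = ACME_ERROR_RE.search(line)
        if m:
            errors.append(AcmeError(
                status=int(m["status"]), method=m["method"], url=m["url"],
                error_type=m["type"].rsplit(":", 1)[1], detail=m["detail"].strip()))
    return errors


def restart_counter(journal: str) -> int:
    """Highest systemd restart counter seen; 0 if the unit never restarted."""
    return max((int(m["count"]) for m in RESTART_RE.finditer(journal)), default=0)


def challenge_ports_for(site_address: str) -> Dict[str, object]:
    """Compare the Caddyfile site address with the ports the CA validates on."""
    parts = urlsplit(site_address)
    default_port = 443 if parts.scheme == "https" else 80
    return {"host": parts.hostname,
            "site_port": parts.port or default_port,
            "ca_validates_on": sorted(CHALLENGE_PORTS.values())}


def triage(journal: str, site_address: str) -> Dict[str, object]:
    """Combine log evidence and port layout into a list of concrete findings."""
    errors = parse_acme_errors(journal)
    rate_limited = any(e.error_type == "rateLimited" for e in errors)
    restarts = restart_counter(journal)
    ports = challenge_ports_for(site_address)
    findings = []
    if rate_limited:
        findings.append("CA answered rateLimited: stop the unit so the restart loop "
                        "stops consuming failed validations before retrying")
    if restarts >= FAILED_VALIDATIONS_PER_HOUR:
        findings.append(f"systemd restarted Caddy {restarts} times; every restart "
                        f"places a new order, exceeding {FAILED_VALIDATIONS_PER_HOUR}/hour")
    if ports["site_port"] not in CHALLENGE_PORTS.values():
        findings.append(f"site listens on {ports['site_port']} but HTTP-01/TLS-ALPN-01 "
                        f"validation arrives on {ports['ca_validates_on']}")
    return {"rate_limited": rate_limited, "restart_counter": restarts,
            **ports, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_JOURNAL, "https://chat.example.test:8304")["findings"]:
        print("-", finding)
```

Run as a script it prints the three findings for the constructed excerpt; on a live box, `journalctl -u snap.rocketchat-server.rocketchat-caddy.service --no-pager` piped into `triage()` with the first line of the Caddyfile gives the same report. The point of the restart-counter check is defensive: because systemd retries the unit automatically, a configuration that can never validate keeps burning the per-hostname failure budget until the CA locks the name out for the hour, so stopping the unit is the first move, and the port comparison then shows why validation could not succeed in the first place.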