Firewall ports for Let's Encrypt

New to RocketChat and I have RocketChat working using Docker on Debian.

I wish to enable LetsEncrypt and have followed this guide but it does not work.

I am wondering if the firewall is blocking Let's Encrypt, which needs ports 80 & 443.

Checking the firewall, I can only see port 22 as allowed, which raises the question of how RocketChat can be accessed on port 3000?

Is there anything special with Docker & ufw I need to do to enable Let's Encrypt?

When I update my ROOT_URL in the .env file, the logs still show my Site URL as http, not https:

rocketchat-1  | +--------------------------------------------------------------+
rocketchat-1  | |                        SERVER RUNNING                        |
rocketchat-1  | +--------------------------------------------------------------+
rocketchat-1  | |                                                              |
rocketchat-1  | |  Rocket.Chat Version: 6.7.0                                  |
rocketchat-1  | |       NodeJS Version: 14.21.3 - x64                          |
rocketchat-1  | |      MongoDB Version: 5.0.24                                 |
rocketchat-1  | |       MongoDB Engine: wiredTiger                             |
rocketchat-1  | |             Platform: linux                                  |
rocketchat-1  | |         Process Port: 3000                                   |
rocketchat-1  | |             Site URL: http://chat.mydomain.com.au:3000       |
rocketchat-1  | |     ReplicaSet OpLog: Enabled                                |
rocketchat-1  | |          Commit Hash: 5eb3cbb768                             |
rocketchat-1  | |        Commit Branch: HEAD                                   |
rocketchat-1  | |                                                              |
rocketchat-1  | +--------------------------------------------------------------+

p.s. I am using the community version, if that makes a difference. I have tried to upgrade to Starter but am not sure how and have sent a request to support.

wiped. started over. working.

Yes, you need 80 and 443 open for Let's Encrypt, but you should be running Rocket on localhost 3000 behind a reverse proxy (if using the docker compose from the docs then it would be traefik as your reverse proxy), so you access Rocket.Chat via 443 with the Let's Encrypt certificate.

Never expose port 3000 directly to the outside world.

It appears that RocketChat/Docker permits 80, 443 and 3000 by default:

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.19.0.4           tcp dpt:3000

I was using port 3000 before I configured LE, and now it works on 443; however, I suspect 80 and 3000 are still open, even if nothing is listening on 3000 other than on localhost:

root@SVR11245:~# sudo lsof -i -P -n | grep LISTEN
sshd       820   root    3u  IPv4  15777      0t0  TCP *:22 (LISTEN)
sshd       820   root    4u  IPv6  15795      0t0  TCP *:22 (LISTEN)
docker-pr 1026   root    4u  IPv4  16517      0t0  TCP *:443 (LISTEN)
docker-pr 1031   root    4u  IPv6  16523      0t0  TCP *:443 (LISTEN)
docker-pr 1045   root    4u  IPv4  16556      0t0  TCP *:80 (LISTEN)
docker-pr 1050   root    4u  IPv6  16561      0t0  TCP *:80 (LISTEN)
docker-pr 1350   root    4u  IPv4  17686      0t0  TCP 127.0.0.1:3000 (LISTEN)

It has opened 22, 443 and 80 remotely, and then 3000 to localhost only.

That is normal.

(Personally I disable docker from messing with firewalls so I know exactly what is going on!)

This is wrong though:

http://chat.mydomain.com.au:3000

It should JUST be:

https://chat.mydomain.com.au
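As an added check, not part of this thread or of Rocket.Chat itself, the following script encodes the rule from the reply above: only 22, 80 and 443 may be bound on a non-loopback address, and anything else (such as 3000) must be loopback-only. It parses lsof-style LISTEN lines like the ones posted; the embedded sample is constructed from that listing, and the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample, copied from the lsof listing in the thread
# (22/80/443 on all interfaces, 3000 on loopback only).
SAMPLE_LSOF='sshd       820   root    3u  IPv4  15777      0t0  TCP *:22 (LISTEN)
docker-pr 1026   root    4u  IPv4  16517      0t0  TCP *:443 (LISTEN)
docker-pr 1045   root    4u  IPv4  16556      0t0  TCP *:80 (LISTEN)
docker-pr 1350   root    4u  IPv4  17686      0t0  TCP 127.0.0.1:3000 (LISTEN)'

# Ports that are meant to be reachable from outside: ssh, plus the
# reverse proxy's HTTP (ACME challenge / redirect) and HTTPS ports.
ALLOWED_PUBLIC_PORTS="22 80 443"

# check_listeners: reads lsof-style lines on stdin, prints one line per
# listener bound to a non-loopback address on a port outside the allow
# list, and returns 0 when nothing was flagged, 1 otherwise.
check_listeners() {
    flagged=0
    while read -r line; do
        case "$line" in *'(LISTEN)'*) ;; *) continue ;; esac
        # "addr:port" is the field just before "(LISTEN)"; the process
        # name is the first field.
        addrport=$(printf '%s\n' "$line" | awk '{print $(NF-1)}')
        proc=$(printf '%s\n' "$line" | awk '{print $1}')
        port=${addrport##*:}
        addr=${addrport%:*}
        case "$addr" in
            127.*|'[::1]'|localhost) continue ;;   # loopback-only: fine
        esac
        for p in $ALLOWED_PUBLIC_PORTS; do
            [ "$p" = "$port" ] && continue 2        # expected public port
        done
        printf 'exposed: %s (%s)\n' "$addrport" "$proc"
        flagged=1
    done
    return $flagged
}

# On a live host replace the sample with: sudo lsof -i -P -n | grep LISTEN
printf '%s\n' "$SAMPLE_LSOF" | check_listeners \
    && echo "no unexpected public listeners"
```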