Rocket.Chat's Community Open Call 🎤 Jan 19th, 2022 Join us!

Issues with Snap AutoSSL

We have been running an on-prem instance of Rocket.Chat for a while now, but I have never been able to get AutoSSL up and running.  The server is behind a firewall with rules set to send/receive all traffic with a dedicated external IP.  Originally, I was getting an "Error: Your public IP doesn’t match the one resolved for caddy-url, disabling https" error when attempting to run "sudo snap set rocketchat-server https=enable".

I found a similar issue on the forum (https://forums.rocket.chat/t/error-your-public-ip-doesnt-match-the-one-resolved-for-caddy-url-disabling-https/7570) that someone was able to remedy by adding their external IP/hostname to the /etc/hosts file.

My original /etc/hosts file looked like this:
127.0.0.1       localhost
127.0.1.1       ROCKETCHAT.INTERNAL.DOMAIN.LOCAL     ROCKETCHAT

Which I changed to:
127.0.0.1       localhost
127.0.1.1       ROCKETCHAT.INTERNAL.DOMAIN.LOCAL    ROCKETCHAT
XX.XXX.XXX.XXX  chat.domain.com

Making this change allowed the "https=enable" command to successfully run, however I am still unable to obtain a Let's Encrypt cert.

This is the output of the "journalctl -r | grep caddy | less" command:

> Dec 08 10:26:36 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Main process exited, code=exited, status=1/FAILURE
> Dec 08 10:26:36 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:36 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:
> Dec 08 10:26:34 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:34 [INFO] [chat.domain.com] acme: Obtaining bundled SAN certificate
> Dec 08 10:26:33 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:33 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56650072330
> Dec 08 10:26:32 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:32 [INFO] [chat.domain.com] acme: Trying to solve TLS-ALPN-01
> Dec 08 10:26:32 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:32 [INFO] [chat.domain.com] acme: use tls-alpn-01 solver
> Dec 08 10:26:32 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:32 [INFO] [chat.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56650072330
> Dec 08 10:26:32 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:32 [INFO] [chat.domain.com] acme: Obtaining bundled SAN certificate
> Dec 08 10:26:30 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:30 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56650046520
> Dec 08 10:26:25 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:25 [INFO] [chat.domain.com] acme: Trying to solve TLS-ALPN-01
> Dec 08 10:26:25 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:25 [INFO] [chat.domain.com] acme: use tls-alpn-01 solver
> Dec 08 10:26:25 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:25 [INFO] [chat.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56650046520
> Dec 08 10:26:24 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:24 [INFO] [chat.domain.com] acme: Obtaining bundled SAN certificate
> Dec 08 10:26:23 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:23 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56650018030
> Dec 08 10:26:17 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:17 [INFO] [chat.domain.com] acme: Trying to solve HTTP-01
> Dec 08 10:26:17 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:17 [INFO] [chat.domain.com] acme: use http-01 solver
> Dec 08 10:26:17 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:17 [INFO] [chat.domain.com] acme: Could not find solver for: tls-alpn-01
> Dec 08 10:26:17 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:17 [INFO] [chat.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56650018030
> Dec 08 10:26:16 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:16 [INFO] [chat.domain.com] acme: Obtaining bundled SAN certificate
> Dec 08 10:26:15 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:15 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56649983790
> Dec 08 10:26:08 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:08 [INFO] [chat.domain.com] acme: Trying to solve HTTP-01
> Dec 08 10:26:08 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:08 [INFO] [chat.domain.com] acme: use http-01 solver
> Dec 08 10:26:08 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:08 [INFO] [chat.domain.com] acme: Could not find solver for: tls-alpn-01
> Dec 08 10:26:08 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:08 [INFO] [chat.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56649983790
> Dec 08 10:26:08 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:08 [INFO] [chat.domain.com] acme: Obtaining bundled SAN certificate
> Dec 08 10:26:06 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:06 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56649945950
> Dec 08 10:26:01 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:01 [INFO] [chat.domain.com] acme: Trying to solve HTTP-01
> Dec 08 10:26:01 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:01 [INFO] [chat.domain.com] acme: use http-01 solver
> Dec 08 10:26:01 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:01 [INFO] [chat.domain.com] acme: Could not find solver for: tls-alpn-01
> Dec 08 10:26:01 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: 2021/12/08 10:26:01 [INFO] [chat.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56649945950
> Dec 08 10:26:00 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL rocketchat-server.rocketchat-caddy[5175]: Activating privacy features... 2021/12/08 10:26:00 [INFO] [chat.domain.com] acme: Obtaining bundled SAN certificate
> Dec 08 10:26:00 ROCKETCHAT.INTERNAL.DOMAIN.LOCAL systemd[1]: Started Service for snap application rocketchat-server.rocketchat-caddy.




The authentication with Let's Encrypt fails and I am eventually locked out for an hour.

Server Information

- Version of Rocket.Chat Server:  3.18.3
- Operating System: Ubuntu 18.04.6 LTS
- Deployment Method: Snap
- Number of Running Instances: 1 
- NodeJS Version: 12.22.1 
- MongoDB Version: 3.6.14
- Proxy: Caddy
- Firewalls involved: Yes

I am hoping that someone can point me in the right direction.

Thanks!

My apologies for the format.

I had to post it as pre-formatted text because as a new user I am limited to posting 2 links.

Thanks

I figured out what my issue was.

When I initially set up Rocket.chat, I thought I needed to forward port 80 to 3000 within the firewall. This is obviously not the case as this is handled within Caddy. Removing the unnecessary firewall rule and adding the external IP and hostname to /etc/hosts allowed the SSL certificate to issue correctly.

Hopefully this helps someone down the road.

Thanks!

1 Like

Hi! Glad you were able to solve it.

I took a look yesterday, and was about to ask some more questions!

Thank you for also sharing the solution!!

1 Like