Rocket.Chat does not renew HTTPS after 3 months

Description

After 3 months RC doesn't renew the HTTPS certificate. How do I repair it? Help please!

Server Setup Information

  • Version of Rocket.Chat Server: 7.13.5
  • Operating System: ubuntu
  • Deployment Method: snap
  • Number of Running Instances:
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:
  • Proxy: apache
  • Firewalls involved:

Any additional Information

First I can’t see what is broken with renewal - you need more logs.

Your ulimit error:

You should migrate off snaps as soon as possible - they are not a supported install anymore. Docker/Podman should be used.

As per this:

Rocket.Chat provides no support for these additional deployment methods. Using them may lead to unexpected challenges or compatibility issues.

Hi reetp, I solved the ulimits but now I don't know how to generate the cert.

Here are the snap logs for caddy:

2026-05-11T15:38:00+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"info","ts":1778506680.2406948,"logger":"tls","msg":"served key authentication certificate","server_name":"rocket.myserver.it","challenge":"tls-alpn-01","remote":"13.50.14.197:58348","distributed":false}
2026-05-11T15:38:00+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"info","ts":1778506680.5527573,"logger":"tls","msg":"served key authentication certificate","server_name":"rocket.myserver.it","challenge":"tls-alpn-01","remote":"3.137.156.132:52668","distributed":false}
2026-05-11T15:38:00+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"info","ts":1778506680.6158233,"logger":"tls","msg":"served key authentication certificate","server_name":"rocket.myserver.it","challenge":"tls-alpn-01","remote":"54.179.213.147:62418","distributed":false}
2026-05-11T15:38:00+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"info","ts":1778506680.6475992,"logger":"tls","msg":"served key authentication certificate","server_name":"rocket.myserver.it","challenge":"tls-alpn-01","remote":"54.200.80.116:27528","distributed":false}
2026-05-11T15:38:01+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"error","ts":1778506681.4214776,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"rocket.myserver.it","challenge_type":"tls-alpn-01","status_code":403,"problem_type":"urn:ietf:params:acme:error:caa","error":"While processing CAA for rocket.myserver.it: CAA record for myserver.it prevents issuance"}
2026-05-11T15:38:01+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"error","ts":1778506681.4215336,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"rocket.myserver.it","error":"[rocket.myserver.it] authorization failed: HTTP 403 urn:ietf:params:acme:error:caa - While processing CAA for rocket.myserver.it: CAA record for myserver.it prevents issuance","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291274553/37715054123","attempt":1,"max_attempts":3}
2026-05-11T15:38:01+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"error","ts":1778506681.4215693,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"rocket.myserver.it","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:caa - While processing CAA for rocket.myserver.it: CAA record for myserver.it prevents issuance"}
2026-05-11T15:38:01+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"warn","ts":1778506681.4217012,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
2026-05-11T15:38:01+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"error","ts":1778506681.5729482,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"rocket.myserver.it","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
2026-05-11T15:38:01+02:00 rocketchat-server.rocketchat-caddy[1414]: {"level":"error","ts":1778506681.5730047,"logger":"tls.obtain","msg":"will retry","error":"[rocket.myserver.it] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":2,"retrying_in":120,"elapsed":68.679704411,"max_duration":2592000}
root@Linux127:/home/administrator#

Not sure on your whole setup.

However your issue starts here - you should check your DNS.

CAA record for myserver.it prevents issuance

You also should read here, and the caddy docs.
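
The CAA check behind the `urn:ietf:params:acme:error:caa` error in the log, as an added example that is not part of the thread: it follows the RFC 8659 rules (climb from the requested name to its parents, use the first CAA set found, compare the `issue` values with the CA's domain). The record sets are constructed, `other-ca.example` is a placeholder issuer, and no DNS is queried.

```python
"""RFC 8659 CAA evaluation over constructed record sets (no DNS queries, CNAMEs not followed)."""

# Constructed sample data: name -> list of (flags, tag, value). Not the poster's real zone.
ZONE_BEFORE = {"myserver.it": [(0, "issue", "other-ca.example")]}
ZONE_AFTER = {"myserver.it": [(0, "issue", "other-ca.example"),
                              (0, "issue", "letsencrypt.org")]}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return (owner, rrset) of the first CAA set found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def may_issue(fqdn, ca_domain, zone):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True, "no CAA record on the name or any parent"
    for flags, tag, _ in rrset:
        # Issuer-critical bit (128) on a property the CA does not understand blocks issuance.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{tag}' at {owner}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True, f"CAA set at {owner} has no issue property restricting this request"
    # Value is "<issuer-domain>[; params]"; a bare ";" authorises nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed at {owner}"
    return False, f"CAA record for {owner} prevents issuance"


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, may_issue("rocket.myserver.it", "letsencrypt.org", zone))
```

On a live system the same record set can be inspected with `dig CAA myserver.it` before retrying issuance.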

Hi reetp, we have used RC community edition since the Covid era, 2022. Caddy renewed the certificates every 90 days. This worked until last week, when Caddy had to renew the certs. About 2 months ago we upgraded (automatically) RC to 7.13.5. I think the problem is in this release because RC-Caddy seems to be behaving as Caddy V2. I’ve included my Caddyfile (the same since 2022). Thanks

It looks like they have prioritised v2 over v1 for some while.
You really need to keep up to date.

The Snap package includes both Caddy v2 (preferred) and Caddy v1 (end-of-life), with v2 prioritized.

I suspect you should be using this in your config file now:

reverse_proxy

Note I have never used it - just read the docs.

If your certs have expired I think you will need to go back to http, get a new cert and then back to https. See the Rocket docs.

Hi all, SOLVED. Just missing a CAA record in DNS. Added CAA with Letsencrypt.org au

Thanks all


Glad you got it fixed, but I would check your Caddy setup and get up to date.