Run HTTPS using certificates from local CA

Description

I am trying to run HTTPS using certificates from my local network CA so I can connect mobile devices to my chat server. As this is running on an internal network, I need everything to resolve properly on the local corporate network, even though the server can get to the open Internet. While I do own the domain I am using, it does not resolve to any address other than the domain naming host if RocketChat attempts to resolve the name externally, not using the local DNS.

I have followed the instructions for setting up HTTPS with local certificates, but have been unable to get this to properly function. So I have two basic questions:

  1. How does RocketChat/Caddy perform name resolution, so I can validate that it is pointing to the proper location?
  2. How should this be configured, if what I have done is incorrect, to enable use of a local certificate authority?

Below follows a summary of the installation.

Thanks,
CAS

I installed RocketChat on a new Ubuntu 18.04 LTS system using the snap:

```
sudo snap install rocketchat-server
```

Then I enabled Caddy as follows:

```
sudo snap set rocketchat-server caddy-url=https://cn-chat.mydomain.com
sudo snap set rocketchat-server caddy=enable
sudo snap run rocketchat-server.initcaddy
```

After this I edited the Caddyfile at /var/snap/rocketchat-server/current/Caddyfile to point to my certificates, so it now looks like the following:

```
https://cn-chat.corkynan.com
tls /etc/ssl/cn-chat.mydomain.com.chain.pem /etc/ssl/cn-chat.mydomain.com.key.pem
proxy / cn-chat.mydomain.com:3000 {
    websocket
    transparent
}
```

The root CA for these certificates is installed on all systems on my local network.

When I run the commands:

```
sudo snap set rocketchat-server caddy=enable
sudo snap set rocketchat-server https=enable
```

I get the following error message:

```
error: cannot perform the following tasks:
- Run configure hook of "rocketchat-server" snap (run hook "configure": Error: Your public IP doesn't match the one resolved for caddy-url, disabling https ...)
```

The IP address delivered by DNS on my local network is xxx.xxx.1.29. On the server I have updated the /etc/hosts file so that local name resolution returns the same address, with no change in results.

Server Setup Information

Rocket.Chat

Version: 2.4.11
Apps Engine Version: 1.11.2
Database Migration: 170
Database Migration Date: April 17, 2020 4:01 PM
Installed at: April 17, 2020 12:28 PM
Uptime: 3 hours, 52 minutes, 1 seconds
Deployment ID: NtEnC8JhCvmRxgSuA
PID: 19501
Running Instances: 1
OpLog: Enabled

Commit

Hash: 8bc295e01ef53075a625cb781e61946568fc7689
Date: Wed Feb 26 17:36:45 2020 -0300
Branch: HEAD
Tag: 2.4.11
Author: Diego Sampaio
Subject: Bump version to 2.4.11

Runtime Environment

OS Type: Linux
OS Platform: linux
OS Arch: x64
OS Release: 4.15.0-96-generic
Node Version: v8.17.0
Mongo Version: 3.6.14
Mongo Storage Engine: wiredTiger
OS Uptime: 7 hours, 49 minutes, 32 seconds
OS Load Average: 0.01, 0.04, 0.02
OS Total Memory: 7.79 GB
OS Free Memory: 5.28 GB
OS CPU Count: 1

Build Environment

OS Platform: linux
OS Arch: x64
OS Release: 4.19.76-linuxkit
Node Version: v8.17.0
Date: February 27, 2020 5:12 AM

Any additional Information

It would appear that perhaps this is not possible to do using Caddy. I found a post here, Snap caddy https, that seemed to imply that one way to make this work is to install and run nginx instead. I am not quite sure how to do that when RocketChat is installed using snaps. Perhaps someone can let me know if this is possible, and perhaps give a pointer as to what is managing the web site in the snap so I can redirect it to nginx.

So it appears that RocketChat or Caddy does an IP validation using ipinfo.io. This is a bad plan for intranets, as the only address it will find is the outward-facing IP of the corporate router or firewall, which is most certainly not the address associated with the corporate server. Hence the snap install of RocketChat/Caddy will never work on an isolated corporate network with HTTPS enabled. I do hope that at some point this will get fixed, but until that time the only option appears to be doing a manual install and using nginx (or something else) as an HTTPS proxy. Too bad there is not a switch to allow Caddy to use only the local DNS server for IP validation.
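To see for yourself which two addresses the configure hook is comparing, the following added diagnostic (not code from the rocketchat-server snap or from the poster) reproduces the check as the post describes it: resolve the caddy-url host through the system resolver (/etc/hosts, then the local DNS) and compare the result with the public IP reported by ipinfo.io. The assumption that the hook simply tests whether the public address equals the resolved address is taken from the error message above; the public IP can be passed in explicitly so the comparison runs without network access.

```shell
#!/bin/sh
# Added diagnostic, not part of the rocketchat-server snap.
# Reproduces the "public IP doesn't match the one resolved for caddy-url"
# comparison so each side of the check is visible.

# Resolve a hostname through the system resolver (/etc/hosts, then DNS)
# and print its IPv4 addresses, one per line.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Return 0 when the public address is one of the resolved addresses.
# Arguments: public_ip, then the resolved addresses.
addresses_match() {
    public="$1"; shift
    for addr in "$@"; do
        [ "$addr" = "$public" ] && return 0
    done
    return 1
}

# Full check. Arguments: caddy-url host, optional public IP. When the
# public IP is omitted it is fetched from ipinfo.io, the service the post
# says the snap uses (assumed; pass the value in to stay offline).
check_caddy_url() {
    host="$1"
    public="${2:-$(curl -s https://ipinfo.io/ip)}"
    resolved=$(resolve_ipv4 "$host")
    echo "caddy-url host : $host"
    echo "local resolver : $(printf '%s' "$resolved" | tr '\n' ' ')"
    echo "public IP      : $public"
    if addresses_match "$public" $resolved; then
        echo "match: the snap hook's check would pass"
        return 0
    fi
    echo "MISMATCH: the hook would disable https (expected behind NAT)"
    return 1
}

# Usage:
#   check_caddy_url cn-chat.mydomain.com               # asks ipinfo.io
#   check_caddy_url cn-chat.mydomain.com 203.0.113.5   # offline
```

Behind a NAT router the public IP is the router's address, so the mismatch is the expected outcome on an intranet regardless of how /etc/hosts or the local DNS is set up.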