Rocketchat works only in self_signed "mode"

Our Rocket.Chat has been working only in tls self_signed mode for a few days now.
When we try to start it without self_signed TLS, it doesn't start.

We are not sure whether it is a Caddy problem, but it seems like a problem between Caddy and Let's Encrypt.

Here is the relevant part of the log:
Mär 29 10:35:46 Rocket rocketchat-server.rocketchat-caddy[6680]: Activating privacy features… 2018/03/29 10:35:46 open /root/snap/rocketchat-server/1239/.caddy/acme/acme-v02.api.letsencrypt.org
Mär 29 10:35:46 Rocket systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Main process exited, code=exited, status=1/FAILURE
Mär 29 10:35:46 Rocket systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Unit entered failed state.
Mär 29 10:35:46 Rocket systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Failed with result ‘exit-code’.
Mär 29 10:35:46 Rocket systemd[1]: snap.rocketchat-server.rocketchat-caddy.service: Service hold-off time over, scheduling restart.
Mär 29 10:35:46 Rocket systemd[1]: Stopped Service for snap application rocketchat-server.rocketchat-caddy.

What’s your Caddyfile?

Caddy’s recent update necessitates a full refresh of certificates (since LetsEncrypt updated their ACME protocol to version 2, and we store TLS assets differently now).

I’d wager there’s some issue with the ACME challenge process, but the logs don’t seem to show it. Try altering the startup command to -log /path/to/caddy.log, reproduce the error again, and see if the log file has more information.

Caddyfile:

https://sub.domain.tld {
    tls self_signed
    proxy / 127.0.0.1:3000 {
        websocket
        transparent
    }
}
Sure, we replaced sub.domain.tld :wink:
When we start Rocket.Chat with this tls self_signed, it works…

When we start it without it, it tries to get a cert from Let's Encrypt ACME v2, but it fails.
There is no cert in the folder:
/root/snap/rocketchat-server/1238/.caddy/acme/acme-v02.api.letsencrypt.org/sites/…

We really need a process log from Caddy, which should report back exactly what error it’s running into during the cert requisitioning process. It doesn’t look like your current log is showing the full output.

Run Caddy manually from the command line, with the -log flag pointed to a new log file just for this issue, and let us know what you get.

@allnatura Aaron from the Rocket.Chat team here :slight_smile:

I’m working through this same thing with a few other people here:

Since you are using the snap, it's not as easy as caddy -log file. But… you can use this to do the same :slight_smile:

sudo HOME=/root/snap/rocketchat-server/current /snap/rocketchat-server/current/bin/caddy -conf=/var/snap/rocketchat-server/current/Caddyfile -log /tmp/caddy.log

Thankfully caddy is written in go so we don’t have to manually hook up dependencies :slight_smile:

Setting HOME sets the home directory to where snaps put it; that way, your .caddy folder containing your old certs will be used.

After you run this and it crashes… you can then grab the contents of /tmp/caddy.log to post here.

2018/03/30 18:29:00 [INFO][example.com] acme: Obtaining bundled SAN certificate 2018/03/30 18:29:01 [INFO][] Certificate written to disk: /root/snap/rocketchat-server/current/.caddy/acme/acme-v02.api.letsencrypt.org/sites/.crt

These are logs from one of the guys on the ticket on our side.

Confirmed it’s putting /.crt and not just removing it for privacy.
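The log lines above show the symptom: the certificate is written under an empty site name (.../sites/.crt), so it can never be matched to the real hostname. The following shell snippet is an added example, not code from the thread or from Caddy or Rocket.Chat; it scans a Caddy process log (such as the /tmp/caddy.log produced by the command above) for exactly that pattern. The sample log is constructed to mirror the posted lines.

```sh
#!/bin/sh
# Added example: detect certificates that Caddy wrote under an empty site
# name, i.e. a "Certificate written to disk" path ending in /sites/.crt.
# Such a cert is stored for hostname "" and is never served for the real
# domain, which matches the failure discussed in this thread.

# Constructed sample log, modelled on the lines posted above.
SAMPLE_LOG='2018/03/30 18:29:00 [INFO][example.com] acme: Obtaining bundled SAN certificate
2018/03/30 18:29:01 [INFO][] Certificate written to disk: /root/snap/rocketchat-server/current/.caddy/acme/acme-v02.api.letsencrypt.org/sites/.crt
2018/03/30 18:30:00 [INFO][good.example.com] Certificate written to disk: /root/.caddy/acme/acme-v02.api.letsencrypt.org/sites/good.example.com/good.example.com.crt'

# Print the on-disk path of every certificate written with an empty site
# name, one per line. Argument: the full log text.
empty_site_certs() {
    printf '%s\n' "$1" | awk '
        /Certificate written to disk: / {
            # Keep only the path after the fixed log prefix.
            sub(/.*Certificate written to disk: /, "")
            # An empty site name collapses the path to .../sites/.crt
            if ($0 ~ /\/sites\/\.crt$/) print
        }'
}

# Number of such certificates (0 when the log is healthy).
count_empty_site_certs() {
    empty_site_certs "$1" | awk 'END { print NR }'
}

# Stand-alone run: report against the constructed sample log.
# To check a real log instead: empty_site_certs "$(cat /tmp/caddy.log)"
if [ "$(count_empty_site_certs "$SAMPLE_LOG")" -gt 0 ]; then
    echo "certificates written under an empty site name:"
    empty_site_certs "$SAMPLE_LOG"
else
    echo "no empty-site certificates found"
fi
```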

Can you build from the latest master? Although I am mobile and haven’t looked into this in detail, I remember seeing a similar behavior in my testing and I believe I pushed a fix, but whether it is the same root cause is just speculation on my part right now. If you build and test from master, that will help confirm.

Have you found any resolution to this issue? I’m having the same problem. Thanks!

Make sure to use the latest version of Caddy 0.10.14 or newer. It resolves that issue.
