Rocket Chat SSL Configuration using Let's Encrypt on Google Cloud

If you have an instance of Rocket Chat on your Google Cloud virtual machine, this guide shows how to install and configure an SSL certificate generated with the Let's Encrypt service.
Requirements
- a domain name with editable DNS
- a Google Cloud VM with Rocket Chat
NOTE: this guide refers to Rocket Chat configured with Nginx
Step -1- Config DNS
In your DNS manager, point the domain to the VM's IP address, and check that Rocket Chat responds correctly.
Step -2- Connect through SSH
Open an SSH connection to your VM. The web client is reachable via Menu (1) → Compute Engine (2) → VM Instances (3); in the list on the left, click the SSH button (4).
Alternatively, if you have configured the VM, use PuTTY.

Step -3- Install Certbot
Install certbot on the VM by typing the following commands.
# sudo wget https://dl.eff.org/certbot-auto -P /usr/local/bin
# sudo chmod a+x /usr/local/bin/certbot-auto
Step -4- Generate certificate
Set the DOMAIN and EMAIL_ALERT variables and generate your SSL certificate
# export DOMAIN="yourdomain.com"
# export EMAIL_ALERT="admin@yourdomain.com"
# /usr/local/bin/certbot-auto certonly --standalone -d "$DOMAIN" --preferred-challenges http --agree-tos -n -m "$EMAIL_ALERT" --keep-until-expiring
Take note of where certbot saves your certificates
Step -5- Edit Nginx config
First of all, back up the Nginx configuration by typing
# sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.back
After that, you can edit the configuration file
# sudo nano /etc/nginx/sites-available/default
Append this configuration at the end of the file, remembering to replace yourdomain.com with your domain, then save and exit
# Upstream definition
upstream backend {
    server 127.0.0.1:3000;
}
# http to https redirection
server {
    listen 80;
    server_name yourdomain.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
# HTTPS Server
server {
    listen 443 ssl; # "ssl" on the listen line replaces the deprecated "ssl on;"
    server_name yourdomain.com;
    error_log /var/log/nginx/rocket-chat.access.log;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0 or later
    ssl_protocols TLSv1.2 TLSv1.3; # don't use SSLv3 ref: POODLE
    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # clients reach this block over HTTPS
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
Now stop Nginx, check the correctness of the configuration and restart the service
# sudo service nginx stop
# sudo nginx -t
# sudo service nginx restart
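`nginx -t` only validates syntax, not what the TLS directives mean. The shell function below is an added example, not part of the original guide: it flags protocol versions older than TLS 1.2, a missing or misspelled X-Forwarded-Proto header, and a certificate and key that do not come from the same Let's Encrypt directory. The config printed by weak_sample and the name chat.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit TLS-related directives in
# an nginx site file. Prints one finding per line; returns 1 if any, else 0.
check_tls_conf() {
    body=$(sed 's/#.*//' "$1")   # drop comments (assumes no '#' inside values)
    rc=0
    # Protocols older than TLS 1.2 are obsolete (SSLv3: POODLE).
    protos=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol enabled: $p"; rc=1 ;;
        esac
    done
    # The backend on 127.0.0.1:3000 only sees plain HTTP from nginx;
    # X-Forwarded-Proto is how it learns that the client used https.
    if ! printf '%s\n' "$body" | grep -Eq \
        'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+https[[:space:]]*;'
    then
        echo "X-Forwarded-Proto is missing, misspelled or not https"; rc=1
    fi
    # Certificate and key must come from the same live/<domain> directory.
    cert_dir=$(printf '%s\n' "$body" | sed -n \
        's|^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\(.*\)/fullchain\.pem;.*|\1|p')
    key_dir=$(printf '%s\n' "$body" | sed -n \
        's|^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\(.*\)/privkey\.pem;.*|\1|p')
    [ -n "$cert_dir" ] && [ "$cert_dir" = "$key_dir" ] ||
        { echo "certificate and key are not from the same live/ directory"; rc=1; }
    return $rc
}
# Constructed sample config (chat.example.com is a placeholder domain).
weak_sample() {
cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/chat.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # no SSLv3
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Forward-Proto http;
    }
}
EOF
}
conf=$(mktemp)
weak_sample > "$conf"
check_tls_conf "$conf" || echo "=> fix the findings above, then run: sudo nginx -t"
rm -f "$conf"
```

To audit the real file, call check_tls_conf /etc/nginx/sites-available/default.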
Step -6- Certbot auto-renew certificate
This last step is optional but recommended, so that you don't have to renew the certificate manually. Type:
# sudo certbot-auto renew
Move certbot-auto to /etc/letsencrypt/ and then edit the crontab so the job runs periodically
# sudo mv /usr/local/bin/certbot-auto /etc/letsencrypt/
# sudo crontab -e
Add the following line at the end of the file, then save and exit
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && /etc/init.d/nginx restart
That's it
If you want you can check your SSL certificate with the following tool
Tool
