Let’s encrypt SSL to install Rocket.Chat on Ubuntu 20.04 LTS

You can download this article in PDF format via the link below to support us.
Download the guide in PDF format turn off

Rocket.Chat is an open source self-hosted chat platform that can replace Slack. It has many features you would like to have in a self-hosted environment, such as video conferencing, group chat, and integration with other platforms.

In this guide, we will discuss how to install Rocket.Chat server on Ubuntu 20.04 LTS using Let’s Encrypt.

We will use the following for installation:

Ubuntu 20.04 LTS server
Node.js
MongoDB
Nginx web server
Let’s encrypt the SSL certificate
Domain name – In this example, we use chat.hirebestengineers.com

Step 1-Update the Ubuntu system

Update your Ubuntu 20.04 system

sudo apt-get -y update

Step 2-Install the required package dependencies

Add MongoDB GPG signing key:

wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -

Add MongoDB repository

echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list

Configure Node.js to be installed via the Ubuntu package manager:

sudo apt-get -y update && sudo apt-get install -y curl && curl -sL https://deb.nodesource.com/setup_12.x | sudo bash -

Install Node.js, MongoDB, build tools and graphicsmagick:

sudo apt-get install -y build-essential mongodb-org nodejs graphicsmagick

Installing a node version that is different from the installed base version will cause conflicts with Rocket.Chat in Ubuntu 20.04. You can only install the same version as the basic version, or create a symbolic link to the basic version. To check the installed version:

$ node --version

Install inheritance and n.

sudo npm install -g inherits n

Create a symbolic link for the node binary to

sudo ln -s /usr/bin/node /usr/local/bin/node

Step 3-Install Rocket.Chat on Ubuntu 20.04

Download the latest version of Rocket.Chat with the following content

curl -L https://releases.rocket.chat/latest/download -o /tmp/rocket.chat.tgz

Unzip the downloaded file to /tmp folder

tar -xzf /tmp/rocket.chat.tgz -C /tmp

Install Rocket.Chat into a directory of your choice.In this guide, we will install it on /opt table of Contents

cd /tmp/bundle/programs/server && npm install
sudo mv /tmp/bundle /opt/Rocket.Chat

Step 4-Create Rocketchat system user

Create a rocket chat user and assign ownership to the Rocket.Chat folder.

sudo useradd -M rocketchat && sudo usermod -L rocketchat
sudo chown -R rocketchat:rocketchat /opt/Rocket.Chat

After creating users, you can continue to create services.

Step 5-Create Rocket.Chat Service

Create Rocket.Chat service unit file.

cat << EOF |sudo tee /etc/systemd/system/rocketchat.service
[Unit]
Description=The Rocket.Chat server
After=network.target remote-fs.target nss-lookup.target nginx.target mongod.target
[Service]
ExecStart=/usr/local/bin/node /opt/Rocket.Chat/main.js
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rocketchat
User=rocketchat
Environment=MONGO_URL=mongodb://localhost:27017/rocketchat?replicaSet=rs01 MONGO_OPLOG_URL=mongodb://localhost:27017/local?replicaSet=rs01 ROOT_URL=http://localhost:3000/ PORT=3000
[Install]
WantedBy=multi-user.target
EOF

Configure the storage engine and replication for MongoDB, and then start the MongoDB service.

sudo sed -i "s/^#  engine:/  engine: mmapv1/"  /etc/mongod.conf
sudo sed -i "s/^#replication:/replication:n  replSetName: rs01/" /etc/mongod.conf

Start and enable MongoDB service

sudo systemctl enable mongod && sudo systemctl start mongod

test:

mongo --eval "printjson(rs.initiate())"

Start Rocket.Chat service:

sudo systemctl enable rocketchat && sudo systemctl start rocketchat

Check if the service is running:

$ systemctl status rocketchat
● rocketchat.service - The Rocket.Chat server
     Loaded: loaded (/lib/systemd/system/rocketchat.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-11-27 10:05:54 UTC; 31s ago
   Main PID: 28294 (node)
      Tasks: 11 (limit: 19076)
     Memory: 559.7M
     CGroup: /system.slice/rocketchat.service
             └─28294 /usr/local/bin/node /opt/Rocket.Chat/main.js

Nov 27 10:06:20 chat rocketchat[28294]: ➔ |      MongoDB Version: 4.0.21                      |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |       MongoDB Engine: mmapv1                      |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |             Platform: linux                       |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |         Process Port: 3000                        |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |             Site URL: http://0.0.0.0:3000/        |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |     ReplicaSet OpLog: Enabled                     |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |          Commit Hash: b471caf9c9                  |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |        Commit Branch: HEAD                        |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ |                                                   |
Nov 27 10:06:20 chat rocketchat[28294]: ➔ +---------------------------------------------------+

Step 6-Configure Nginx reverse proxy

Configure Nginx to act as a reverse proxy. We will also set “Let’s Encrypt” in the same configuration file

Install Nginx web server:

sudo apt install nginx

Before setting up SSL, please use the following configuration for reverse proxy settings.

sudo nano /etc/nginx/conf.d/rocketchat.conf

The file will have content similar to the following:

upstream rocket_backend {
  server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name chat.hirebestengineers.com;
    access_log /var/log/nginx/rocketchat-access.log;
    error_log /var/log/nginx/rocketchat-error.log;

    location / {
        proxy_pass http://rocket_backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

where:

rocket.example.com Will be replaced with domain name

Check whether the Nginx configuration is correct.

$ sudo nginx  -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart and enable Nginx service

sudo systemctl restart nginx
sudo systemctl enable nginx

Step 7-Set up Let’s Encrypt SSL

Download and set up “Encrypted SSL Certificate”

sudo apt install certbot python3-certbot-nginx

Then run certbot to get the SSL certificate

$ certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: chat.hirebestengineers.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for chat.hirebestengineers.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/chat.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/chat.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://chat.hirebestengineers.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=chat.hirebestengineers.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/chat.hirebestengineers.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/chat.hirebestengineers.com/privkey.pem
   Your cert will expire on 2021-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The final Nginx configuration after SSL should look like this:

upstream rocket_backend {
  server 127.0.0.1:3000;
}

server {
    server_name chat.hirebestengineers.com;
    access_log /var/log/nginx/rocketchat-access.log;
    error_log /var/log/nginx/rocketchat-error.log;

    location / {
        proxy_pass http://rocket_backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/chat.hirebestengineers.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chat.hirebestengineers.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = chat.hirebestengineers.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name chat.hirebestengineers.com;
    return 404; # managed by Certbot
}

Check whether the Nginx configuration is correct.

$ sudo nginx  -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart and enable the Nginx service:

sudo systemctl restart nginx

It should now be possible to access the chat server via FQDN and using https.

Configure the server using the installation wizard

After successfully configuring the server, you can now access the site using the administrator credentials you created in the previous step.

We have successfully installed Rocket.Chat on the Ubuntu 20.04 server and configured it.

You can now view other related articles below:

How to install Rocket.Chat server on Debian/Ubuntu

Install Chatwoot on Ubuntu using “Let’s Encrypt SSL”