- Print
- DarkLight
- PDF
Supporting SSL for development on Rocket.Chat
- Print
- DarkLight
- PDF
The server must support SSL when working with mobile apps. As a "middle-tier application server," Rocket.Chat does not handle SSL itself. However, it works well with several industrial-grade reverse proxy servers you can configure to handle SSL.
Your Rocket.Chat server may or may not be publicly accessible on the internet. Below are the instructions for configuring SSL for both scenarios.
Rocket.Chat server is publicly accessible on the internet
If your server is publicly accessible, it is recommended that you use a service like Let's Encrypt to obtain your SSL certificates.
For Ubuntu users, it can be configured automatically using Snaps.
Rocket.Chat server is not accessible on the internet
If your server is not accessible on the internet, you need to provide self-signed certificates to configure SSL on the server. The steps highlighted below are adapted from the resource "Self-Signed Certificate with Custom Root CA."
Create root CA
Create root key
The root key is crucial for signing certificate requests. Keep it secure, as it can sign certificates on your behalf.
openssl genrsa -des3 -out Rocket.Chat-root.key 4096
If you want a non-password-protected key, remove the
-des3
option.Create and self-sign the root certificate
Create the root certificate with the root key and distribute it to all computers that should trust you.
openssl req -x509 -new -nodes -key Rocket.Chat-root.key -sha256 -days 1024 -out Rocket.Chat-root.crt
Do not distribute this root certificate in production, as a breach could compromise all devices that trust it.
Create an SSL certificate
Create the certificate key
openssl genrsa -out mydomain.com.key 2048
Replace
mydomain.com
with your IP address. Bonjour local domains also work!Create the certificate signing request
While creating the certificate signing request, it is important to specify the
Common Name
providing the IP address or URL for the service; otherwise, the certificate cannot be verified.openssl req -new -key mydomain.com.key -out mydomain.com.csr
Generate the SSL certificate
Use the
mydomain.com
CSR, along with theRocket.Chat-root
CA.openssl x509 -req -in mydomain.com.csr -CA Rocket.Chat-root.crt -CAkey Rocket.Chat-root.key -CAcreateserial -out mydomain.com.crt -days 365 -sha256
Configuring SSL for Rocket.Chat
The mydomain.com.crt
and mydomain.com.key
files generated above are used as the certificate and the private key to configure SSL.
To learn more about configuring your choice of SSL Reverse proxy servers, see configuring SSL reverse proxy.
Trusting certificate authority
All the devices that need to communicate with the server during development must trust the root certificate generated earlier (Rocket.Chat-root.crt
).
For Apple devices, see installing a CA’s root certificate on your test device.
For Android devices, see add & remove certificates.
Once the root certificate has been installed successfully, the device can access Rocket.Chat over SSL.
If your device is not able to connect over SSL, ensure that the URL has
https://
explicitly typed out before it.