Supporting SSL for development on Rocket.Chat

    The server must support SSL when working with mobile apps. As a "middle-tier application server," Rocket.Chat does not handle SSL itself. However, it works well with several industrial-grade reverse proxy servers you can configure to handle SSL.

    Your Rocket.Chat server may or may not be publicly accessible on the internet. Below are the instructions for configuring SSL for both scenarios.

    Rocket.Chat server is publicly accessible on the internet

    If your server is publicly accessible, it is recommended that you use a service like Let's Encrypt to obtain your SSL certificates.

    For Ubuntu users, it can be configured automatically using Snaps.

    Rocket.Chat server is not accessible on the internet

    If your server is not accessible on the internet, you need to provide self-signed certificates to configure SSL on the server. The steps highlighted below are adapted from the resource "Self-Signed Certificate with Custom Root CA."

    1. Create root CA

      Create root key

      The root key is crucial for signing certificate requests. Keep it secure, as it can sign certificates on your behalf.

      openssl genrsa -des3 -out Rocket.Chat-root.key 4096

      If you want a non-password-protected key, remove the -des3 option.

      Create and self-sign the root certificate

      Create the root certificate with the root key and distribute it to all computers that should trust you.

      openssl req -x509 -new -nodes -key Rocket.Chat-root.key -sha256 -days 1024 -out Rocket.Chat-root.crt

      Do not distribute this root certificate in production, as a breach could compromise all devices that trust it.

    2. Create an SSL certificate

      Create the certificate key

      openssl genrsa -out mydomain.com.key 2048

      Replace mydomain.com with your IP address. Bonjour local domains also work!

      Create the certificate signing request

      When creating the certificate signing request, set the Common Name to the IP address or host name that clients use to reach the service; otherwise, the certificate cannot be verified.

      openssl req -new -key mydomain.com.key -out mydomain.com.csr

      Generate the SSL certificate

      Use the mydomain.com CSR, along with the Rocket.Chat-root CA.

      openssl x509 -req -in mydomain.com.csr -CA Rocket.Chat-root.crt -CAkey Rocket.Chat-root.key -CAcreateserial -out mydomain.com.crt -days 365 -sha256
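
    The two steps above as one non-interactive script, added here as an example and not part of the Rocket.Chat documentation. It additionally writes the address into a subjectAltName extension, because current browsers and mobile TLS stacks match the host against that field rather than the Common Name; the function name make_dev_cert, the CA subject and the unencrypted root key are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Rocket.Chat docs): development root CA plus a
# server certificate that carries a subjectAltName.
# Usage: make_dev_cert HOST OUTDIR   (HOST = IPv4 address or DNS/Bonjour name)
# Assumption: keys are left unencrypted so the script runs without prompts.
make_dev_cert() (
    host=$1 dir=$2
    [ -n "$host" ] && [ -n "$dir" ] || exit 2
    # Pick the SAN type: only digits and dots means an IPv4 literal.
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    umask 077                      # new files readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1

    # 1. Root CA: key, then self-signed root certificate.
    openssl genrsa -out Rocket.Chat-root.key 4096 2>/dev/null &&
    openssl req -x509 -new -nodes -key Rocket.Chat-root.key -sha256 \
        -days 1024 -subj "/CN=Rocket.Chat Dev Root CA" \
        -out Rocket.Chat-root.crt || exit 1

    # 2. Server key and CSR; Common Name is the address clients connect to.
    openssl genrsa -out "$host.key" 2048 2>/dev/null &&
    openssl req -new -key "$host.key" -subj "/CN=$host" \
        -out "$host.csr" || exit 1

    # 3. Sign the CSR with the root CA, adding the SAN via an extension file.
    printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$san" \
        > "$host.ext" &&
    openssl x509 -req -in "$host.csr" -CA Rocket.Chat-root.crt \
        -CAkey Rocket.Chat-root.key -CAcreateserial -out "$host.crt" \
        -days 365 -sha256 -extfile "$host.ext" || exit 1

    # 4. Check the chain and that the SAN really made it into the certificate.
    openssl verify -CAfile Rocket.Chat-root.crt "$host.crt" >/dev/null &&
    openssl x509 -in "$host.crt" -noout -text |
        grep -q 'Subject Alternative Name'
)
```

    Calling make_dev_cert 192.168.1.10 ./certs leaves 192.168.1.10.crt and 192.168.1.10.key for the reverse proxy and Rocket.Chat-root.crt for the devices that must trust it.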

    Configuring SSL for Rocket.Chat

    The mydomain.com.crt and mydomain.com.key files generated above are used as the certificate and the private key to configure SSL.

    To learn more about configuring your choice of SSL Reverse proxy servers, see configuring SSL reverse proxy.

    Trusting certificate authority

    All the devices that need to communicate with the server during development must trust the root certificate generated earlier (Rocket.Chat-root.crt).

    Once the root certificate has been installed successfully, the device can access Rocket.Chat over SSL.

    If your device is not able to connect over SSL, ensure that the URL has https:// explicitly typed out before it.

