RocketChat Docker with Traefik to enable https

KallerTobias · March 14, 2024, 7:50am

Hi,

i have problems getting a certificate from Let's Encrypt.

I have a server running only the Docker Containters for RocketChat, Database and Traefik.
This is are my config files:
config.yml

volumes:
  mongodb_data: { driver: local }

services:
  rocketchat:
    image: registry.rocket.chat/rocketchat/rocket.chat:${RELEASE:-latest}
    restart: always
    labels:
      traefik.enable: "true"
      traefik.http.routers.rocketchat.rule: Host(`${DOMAIN:-}`)
      traefik.http.routers.rocketchat.tls: "true"
      traefik.http.routers.rocketchat.entrypoints: https
      traefik.http.routers.rocketchat.tls.certresolver: le
    environment:
      MONGO_URL: "${MONGO_URL:-\
        mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}/\
        ${MONGODB_DATABASE:-rocketchat}?replicaSet=${MONGODB_REPLICA_SET_NAME:-rs0}}"
      MONGO_OPLOG_URL: "${MONGO_OPLOG_URL:\
        -mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}/\
        local?replicaSet=${MONGODB_REPLICA_SET_NAME:-rs0}}"
      ROOT_URL: ${ROOT_URL:-http://localhost:${HOST_PORT:-3000}}
      PORT: ${PORT:-3000}
      DEPLOY_METHOD: docker
      DEPLOY_PLATFORM: ${DEPLOY_PLATFORM:-}
      REG_TOKEN: ${REG_TOKEN:-}
    depends_on:
      - mongodb
    expose:
      - ${PORT:-3000}
    ports:
      - "${BIND_IP:-0.0.0.0}:${HOST_PORT:-3000}:${PORT:-3000}"

  mongodb:
    image: docker.io/bitnami/mongodb:${MONGODB_VERSION:-5.0}
    restart: always
    volumes:
      - mongodb_data:/bitnami/mongodb
    environment:
      MONGODB_REPLICA_SET_MODE: primary
      MONGODB_REPLICA_SET_NAME: ${MONGODB_REPLICA_SET_NAME:-rs0}
      MONGODB_PORT_NUMBER: ${MONGODB_PORT_NUMBER:-27017}
      MONGODB_INITIAL_PRIMARY_HOST: ${MONGODB_INITIAL_PRIMARY_HOST:-mongodb}
      MONGODB_INITIAL_PRIMARY_PORT_NUMBER: ${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}
      MONGODB_ADVERTISED_HOSTNAME: ${MONGODB_ADVERTISED_HOSTNAME:-mongodb}
      MONGODB_ENABLE_JOURNAL: ${MONGODB_ENABLE_JOURNAL:-true}
      ALLOW_EMPTY_PASSWORD: ${ALLOW_EMPTY_PASSWORD:-yes}

traefik.yml

version: '3.7'

volumes:
  traefik: { driver: local }

services:
  traefik:
    image: docker.io/traefik:${TRAEFIK_RELEASE:-v2.11.0}
    restart: always
    command:
     - --api.insecure=false
     - --providers.docker=true
     - --providers.docker.exposedbydefault=false
     - --entrypoints.web.address=:80
     - --entrypoints.web.http.redirections.entryPoint.to=https
     - --entrypoints.web.http.redirections.entryPoint.scheme=https
     - --entrypoints.https.address=:443
     - --certificatesresolvers.le.acme.tlschallenge=true
     - --certificatesresolvers.le.acme.email=kallertobias@gmail.com
     - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
     - --log.level=DEBUG
     - --log.filePath=/logs/traefik.log
    ports:
      - 80:80
      - 443:443
    volumes:
      - traefik:/letsencrypt:rw
      - /run/docker.sock:/var/run/docker.sock:ro
      - ./logs/:/logs/

.env:

### Rocket.Chat configuration

# Rocket.Chat version
# see:- https://github.com/RocketChat/Rocket.Chat/releases
#RELEASE=
# MongoDB endpoint (include ?replicaSet= parameter)
#MONGO_URL=
# MongoDB endpoint to the local database
#MONGO_OPLOG_URL=
# IP to bind the process to
#BIND_IP=127.0.0.1
# URL used to access your Rocket.Chat instance
#ROOT_URL=https://hive.buckfast-bayern.de
# Port Rocket.Chat runs on (in-container)
#PORT=
# Port on the host to bind to
#HOST_PORT=

### MongoDB configuration
# MongoDB version/image tag
#MONGODB_VERSION=
# See:- https://hub.docker.com/r/bitnami/mongodb

### Traefik config (if enabled)
# Traefik version/image tag
#TRAEFIK_RELEASE=
# Domain for https (change ROOT_URL & BIND_IP accordingly)
#DOMAIN=hive.buckfast-bayern.de
# Email for certificate notifications
#LETSENCRYPT_EMAIL=kallertobias@gmail.com

Log File:

time="2024-03-13T18:33:33Z" level=info msg="Traefik version 2.9.8 built on 2023-02-15T15:23:25Z"
time="2024-03-13T18:33:33Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"https\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/logs/traefik.log\",\"format\":\"common\"},\"certificatesResolvers\":{\"le\":{\"acme\":{\"email\":\"kallertobias@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"tlsChallenge\":{}}}}}"
time="2024-03-13T18:33:33Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *traefik.Provider"
time="2024-03-13T18:33:33Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2024-03-13T18:33:33Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"web-to-https\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-https\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"redirect-web-to-https\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2024-03-13T18:33:33Z" level=debug msg="Starting TCP Server" entryPointName=web
time="2024-03-13T18:33:33Z" level=debug msg="Starting TCP Server" entryPointName=https
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-03-13T18:33:33Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *docker.Provider"
time="2024-03-13T18:33:33Z" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *acme.Provider"
time="2024-03-13T18:33:33Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"kallertobias@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"tlsChallenge\":{},\"ResolverName\":\"le\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2024-03-13T18:33:33Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2024-03-13T18:33:33Z" level=info msg="Testing certificate renew..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2024-03-13T18:33:33Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=le.acme
time="2024-03-13T18:33:33Z" level=debug msg="Provider connection established with docker 25.0.4 (API 1.44)" providerName=docker
time="2024-03-13T18:33:33Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-rocketchat-6bc89243d5b30af2e124716ada81ab248bf0cbcfea17a6cf466149ab272694eb
time="2024-03-13T18:33:33Z" level=debug msg="Filtering disabled container" providerName=docker container=mongodb-rocketchat-e2b07d20f97d8428c073ed7d0d4cbd1354889d87808ecc34fb7d1a97e43eec23
time="2024-03-13T18:33:33Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"rocketchat\":{\"entryPoints\":[\"https\"],\"service\":\"rocketchat-rocketchat\",\"rule\":\"Host(``)\",\"tls\":{\"certResolver\":\"le\"}}},\"services\":{\"rocketchat-rocketchat\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.3:3000\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2024-03-13T18:33:33Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-03-13T18:33:33Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Setting up redirection to https 443" entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal middlewareType=RedirectScheme
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" entryPointName=web middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2024-03-13T18:33:33Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-03-13T18:33:33Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal middlewareType=RedirectScheme
time="2024-03-13T18:33:33Z" level=debug msg="Setting up redirection to https 443" middlewareType=RedirectScheme entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=rocketchat@docker serviceName=rocketchat-rocketchat
time="2024-03-13T18:33:33Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=rocketchat@docker serviceName=rocketchat-rocketchat
time="2024-03-13T18:33:33Z" level=debug msg="Creating server 0 http://172.18.0.3:3000" routerName=rocketchat@docker serviceName=rocketchat-rocketchat serverName=0 entryPointName=https
time="2024-03-13T18:33:33Z" level=debug msg="child http://172.18.0.3:3000 now UP"
time="2024-03-13T18:33:33Z" level=debug msg="Propagating new UP status"
time="2024-03-13T18:33:33Z" level=debug msg="Added outgoing tracing middleware rocketchat-rocketchat" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=rocketchat@docker
time="2024-03-13T18:33:33Z" level=error msg="empty args for matcher Host, []" entryPointName=https routerName=rocketchat@docker
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=https
time="2024-03-13T18:33:33Z" level=debug msg="Adding route for  with TLS options default" entryPointName=https
time="2024-03-13T18:33:33Z" level=error msg="Error while adding route for host: empty args for matcher HostSNI, []"
time="2024-03-13T18:33:33Z" level=debug msg="Trying to challenge certificate for domain [] found in HostSNI rule" rule="Host(``)" providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=rocketchat@docker
time="2024-03-13T18:33:33Z" level=error msg="Unable to obtain ACME certificate for domains \"\": no domain was given" rule="Host(``)" providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=rocketchat@docker
time="2024-03-13T18:35:36Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:35:37Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:36:31Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:36:32Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:37:23Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:21Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:22Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:24Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:24Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:40:36Z" level=debug msg="http: TLS handshake error from 198.235.24.57:53622: tls: client offered only unsupported versions: [302 301]"
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:51Z" level=debug msg="http: TLS handshake error from 165.154.36.91:45346: EOF"
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:51Z" level=debug msg="http: TLS handshake error from 165.154.36.91:45732: EOF"
time="2024-03-13T18:40:52Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:52Z" level=debug msg="http: TLS handshake error from 165.154.36.91:46408: tls: no cipher suite supported by both client and server"
time="2024-03-13T18:40:52Z" level=debug msg="http: TLS handshake error from 165.154.36.91:46922: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])"
time="2024-03-13T18:40:52Z" level=debug msg="http: TLS handshake error from 165.154.36.91:47432: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])"
time="2024-03-13T18:40:53Z" level=debug msg="http: TLS handshake error from 165.154.36.91:48246: tls: client offered only unsupported versions: [302 301]"
time="2024-03-13T18:40:53Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:53Z" level=debug msg="http: TLS handshake error from 165.154.36.91:48828: read tcp 172.18.0.4:443->165.154.36.91:48828: read: connection reset by peer"
time="2024-03-13T18:40:53Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:53Z" level=debug msg="http: TLS handshake error from 165.154.36.91:49414: EOF"
time="2024-03-13T18:40:54Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:54Z" level=debug msg="http: TLS handshake error from 165.154.36.91:49800: EOF"
time="2024-03-13T18:40:54Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:54Z" level=debug msg="http: TLS handshake error from 165.154.36.91:50172: read tcp 172.18.0.4:443->165.154.36.91:50172: read: connection reset by peer"
time="2024-03-13T18:40:54Z" level=debug msg="Serving default certificate for request: \"34.77.189.226\""
time="2024-03-13T18:40:54Z" level=debug msg="http: TLS handshake error from 165.154.36.91:50508: EOF"
time="2024-03-13T18:41:27Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:41:28Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:27Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:28Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:30Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:31Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:52Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:52Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:43:33Z" level=warning msg="A new release has been found: 2.11.0. Please consider updating."
time="2024-03-13T18:45:31Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-03-13T18:45:32Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-03-13T18:45:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:45:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:05Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:05Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:23Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:24Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:51Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:52Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:05Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:06Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:59Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:59Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""

bluepuma77 · March 15, 2024, 7:06am

I would start by cleaning the whole thing up: use a shared Docker network, don't expose any ports except for Traefik, enable http-to-https redirection on "web" entrypoint and TLS with LetsEncrypt on "websecure/https" entrypoint. See simple Traefik example.

The log states level=error msg="empty args for matcher Host, so I assume the DOMAIN env var is not set up correctly, which you use:

KallerTobias · March 15, 2024, 3:32pm

Hi thanks for the reply,

I was sticking to the rocket.chat documentation. I have now moved to set it up with nginx there I have some work done before. I got it running there.
So we can close it.

Kind Regards,

Tobias

Topic		Replies	Views
Traefik fails to generate valid Let's Encrypt certificate Traefik v2 docker , letsencrypt-acme	6	2290	February 13, 2024
HTTPS let's encrypt not working Traefik v2 docker , letsencrypt-acme	2	4386	November 15, 2019
Help with treafik 2.3 and letsencrypt. Unknown certificate Traefik v2 docker , letsencrypt-acme	0	590	January 13, 2021
Traefik + Docker + Let's Encrypt Traefik v2 docker , letsencrypt-acme	4	823	April 6, 2021
V2, TLS, Let's Encrypt and http --> https - SUCCESS! Traefik v2 docker	3	964	November 12, 2019

RocketChat Docker with Traefik to enable https

Related topics