@BackIsBachus
Last active December 15, 2016 15:07
A post about how I installed Rocket.Chat with Ansible and a trusted certificate from Let's Encrypt on Ubuntu 15.04

It's more of a reminder than an actual guide on installing Rocket.Chat behind an Nginx proxy with Ansible and a trusted certificate from Let's Encrypt on an Ubuntu 15.04 VM (or dedicated server).

I used Ubuntu 15.04 (and not the 14.04 LTS) because 14.04 only has Python 2.7.6 in the repository whereas 15.04 has Python 2.7.9, which is the minimum required for some of the libraries used for Let's Encrypt (and I preferred to use a more recent release of Ubuntu rather than doing some apt-pinning).

## Disclaimer

I am not at all an expert in any of the technologies and software used here, so this post may contain some instructions that are not considered best practices, or even mistakes. Don't take this post as a master guide; this is just the way I did it and it worked for me so ¯_(ツ)_/¯

## Prerequisite

It is preferable to have a fresh install of Ubuntu, however it is totally possible to do this on a rather clean install. I'm mostly gonna consider that the commands are run as root (I know it may not be recommended by some people but since it's mostly a big post-it for me and I'm only going to use this VM for this purpose I'll do it this way).

I'd recommend doing all this in a screen if it's done through SSH (in case the connection gets cut in the middle of a step). If it's not yet installed on the server:
```
apt-get install screen
```

And to start a screen:
```
screen -S myScreenName
```

To resume a detached screen:
```
screen -x myScreenName
```

For the rest, the man page should answer all the questions.

Before beginning it's best to be sure to be up-to-date by running:
```
apt-get update && apt-get upgrade
```

If they are not yet installed on the server it is necessary to install git, pip for Python and python2.7-dev (for some future libraries):
```
apt-get install git python-pip python2.7-dev
```

You will also need wget or curl to be installed (at least one of them is installed on most servers but just in case).

## Installing Ansible

This procedure is based on the Ansible documentation and I am going to install it from source (the repository only has the 1.7.2 release but 1.9.6 or any later release is required; if you want to be able to easily and/or automatically update Rocket.Chat go for any version higher than 2.0).

First let's install the few Python libraries for Ansible:
```
pip install paramiko PyYAML Jinja2 httplib2 six
```

Go wherever you want to install Ansible, for example /opt, and do:
```
# HTTPS instead of the unauthenticated git:// transport
git clone https://github.com/ansible/ansible.git --recursive
cd ./ansible
source ./hacking/env-setup
```

Since we are going to install Rocket.Chat on the same server as Ansible (a little overkill maybe, I know) we only need 1 host. In /opt/ansible let's create a file named hosts with your favourite text editor (I won't judge, I promise) with the following content:
```
[local]
localhost       ansible_connection=local
```

And then let's tell Ansible where its hosts file is:
```
export ANSIBLE_INVENTORY=/opt/ansible/hosts
```

Let's do a little check to see if everything went right and run:
```
ansible -m ping all
```
or
```
ansible -m ping local
```

And if everything went fine you should get the following output:
```
localhost | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
```

## Installing RocketChat with Ansible

### Importing the RocketChat.server role

Now we are going to import the role that we are going to use to install Rocket.Chat with Ansible from Ansible Galaxy.

Let's create a new directory /etc/ansible/roles/chat and inside it a file requirements.yml with:
```
- src: RocketChat.Server
  version: v2.0
  path: roles/external
```

Then run:
```
ansible-galaxy install -r roles/chat/requirements.yml
```

It should be located in the folder /etc/ansible/roles/RocketChat.server

### Creating our role

Let's create the role which is going to call the one we just downloaded. We are going to create a role named chat.yml inside /etc/ansible/roles/chat with the following content:
```
- hosts: local
  vars:
    rocket_chat_automatic_upgrades: True
    rocket_chat_application_path: /var/lib/rocketchat.backup
  roles:
    - RocketChat.server
```

Change True to False if you don't want the automatic updates. Don't forget to create the folder /var/lib/rocketchat.backup before proceeding to the next step. There are many other options available; feel free to change those you want in this role and not in RocketChat.server (for example, if you already have an internal or external MongoDB you may want to exclude it from the script, or you may want to install RocketChat on a specific alias of the server).

### Installing RocketChat.server

Now that we are all set we are going to run our role. It will do the following things:

* Install MongoDB
* Install RocketChat
* Install an Nginx proxy for RocketChat
* Generate a self-signed certificate

The command to run (which may take some time) is the following:
```
ansible-playbook /etc/ansible/roles/chat/chat.yml
```

If this step fails during the installation of RocketChat you may delete the content of the folder /var/lib/rocketchat, correct whatever the problem was and run the previous command again.

If the installation happens without any error (and you'll know if you have errors) you should see the following lines at the bottom of the console:
```
PLAY RECAP *********************************************************************
localhost                  : ok=32   changed=14   unreachable=0    failed=0
```

That's it Rocket.Chat is installed!

### Creating the 1st (admin) user
If you go to https://myserver.mydomain.tld you should get a security alert because the certificates used are self-signed; you may ignore this one.
Now create a new user and since it is the first user created it will also be the 1st admin of Rocket.Chat!

There are a few other things you may want to configure now (like the SMTP server to send the invitation email) but it may very well be done later.

NOTE: You may need to restart the Rocket.Chat server after you set the SMTP parameters to see the effects (Administration --> General --> Restart).

## Adding trusted certificate from Let's Encrypt to Rocket.Chat

### Installing Let's Encrypt

The following procedure is extracted from [Let's Encrypt documentation](https://letsencrypt.readthedocs.org/en/latest/using.html#installation).

Let's install it from the sources:
```
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
```

Then to run the client we are going to need to become root (like the true root user, not just being sudoed as yourself). It has to do with running pip as root and the fact that your home does not belong to root (there may be a better way to do it but I found this way that works):
```
sudo -sE -H
```
Then for the first run it's going to need to install some dependencies so let's just run:
```
./letsencrypt-auto
```
If all ends well (it may also be a long process, don't worry) you should have this "error" message telling you that you didn't tell it to do anything:
```
No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command
```

### Creating your certificate

And that's precisely what we are going to do next, but be sure to stop nginx (or anything running on port 80) for this step:
```
./letsencrypt-auto certonly
```
And let's follow the wizard that is going to ask us for an email address, to agree to the Terms of Service, and for the domain name(s) you want your certificate for.

### Using your trusted certificate with Rocket.Chat

Your newly generated certificates are now located in /etc/letsencrypt/live/myserver.mydomain.tld with 4 files:

* cert.pem
* chain.pem
* fullchain.pem
* privkey.pem

We are going to use the last 2 files for nginx.

NOTE: Since Let's Encrypt is in beta for now you only have certificates for 90 days (but the newest ones for your domain will always remain in this folder).

If you go to /etc/nginx you will see among the files and folders:

* rocket_chat.crt (--> fullchain.pem)
* rocket_chat.key (--> privkey.pem)

There are 2 methods that can be used from here:

* Change the path of the certificate in /etc/nginx/conf.d/rocket_chat.conf
* Create a symbolic link from the certificate to the /etc/nginx folder

I am going to use the 2nd one (it is a personal choice and I don't know what the best practice would be).

First I'd suggest backing up your self-signed certificates (just in case). Then delete rocket_chat.crt and rocket_chat.key and run:
```
ln -s /etc/letsencrypt/live/myserver.mydomain.tld/fullchain.pem /etc/nginx/rocket_chat.crt
ln -s /etc/letsencrypt/live/myserver.mydomain.tld/privkey.pem /etc/nginx/rocket_chat.key
```

Now restart both services (rocketchat and nginx) and you should be able to access Rocket.Chat via your browser just like before, but also through the desktop and mobile apps!
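The swap above as a repeatable script, added here as an example (it is not part of the original post): it checks that the key belongs to the certificate, moves the self-signed pair into a backup folder instead of deleting it, creates the two symlinks, and tests the nginx configuration. The function names `cert_matches_key` and `swap_certs` and the `selfsigned-backup` folder are assumptions; the paths and file names are the ones used in this post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names and the
# selfsigned-backup folder are assumptions; file names follow the post.

# Succeeds only if the leaf certificate and the private key share a public key.
cert_matches_key() {  # usage: cert_matches_key <fullchain.pem> <privkey.pem>
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Back up the self-signed pair, then point nginx's file names at the live files.
swap_certs() {  # usage: swap_certs <letsencrypt live dir> <nginx dir>
    local live nginx_dir backup f
    live=$1; nginx_dir=$2; backup="$nginx_dir/selfsigned-backup"
    # Check both inputs first so a failure leaves the nginx folder untouched.
    for f in fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
    done
    mkdir -p "$backup" && chmod 700 "$backup" || return 1
    for f in rocket_chat.crt rocket_chat.key; do
        # Move regular files only, so a second run keeps the original backup.
        if [ -f "$nginx_dir/$f" ] && [ ! -L "$nginx_dir/$f" ]; then
            mv "$nginx_dir/$f" "$backup/$f" || return 1
        fi
    done
    ln -sfn "$live/fullchain.pem" "$nginx_dir/rocket_chat.crt" || return 1
    ln -sfn "$live/privkey.pem" "$nginx_dir/rocket_chat.key" || return 1
}

# Real run: bash swap.sh /etc/letsencrypt/live/myserver.mydomain.tld /etc/nginx
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1/fullchain.pem" "$1/privkey.pem" ||
        { echo "certificate and key do not match" >&2; exit 1; }
    swap_certs "$1" "$2" && nginx -t  # restart the services only if this passes
fi
```

To go back to the self-signed pair, remove the two symlinks and move the files back out of `selfsigned-backup`.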

## Update Rocket.Chat server

To easily update the server when a new master release is out we are going back to /opt/ansible (or wherever ansible is installed) and run:
```
source ./hacking/env-setup
export ANSIBLE_INVENTORY=/opt/ansible/hosts
```

Now let's get the latest Ansible role to get the latest tarball hash (among other things).
```
ansible-galaxy remove RocketChat.Server
ansible-galaxy install -r roles/chat/requirements.yml
```

Finally, just as if you were installing the server for the 1st time, run the role:
```
ansible-playbook /etc/ansible/roles/chat/chat.yml
```

Wait for the role to finish the update and that's it you're all set!

## Conclusion

I hope this "guide" helped a few and if there are things I should have done differently or if you see a mistake feel free to contact me!
@xenithorb

Just so you're aware, `version: v2.0` refers to a specific git tag, since the original author hadn't yet merged the branch compatible with version 2.0 of ansible. It's fine to keep using that if you don't have any problems with it, but you can get the latest version of the playbook by using `ansible-galaxy install -f -r requirements.yml` to force-replace (upgrade) the role requirements. If you look on our ansible-galaxy page: https://galaxy.ansible.com/RocketChat/Server/ you can easily see the version progression.
