In this article, I show how to deploy a meteor app (Rocketchat) with tls/ssl encryption using self-signed certificates:
- https between client and the app server
- tls/ssl between the app server and mongodb
- the server running docker is a debian server
- the app server and mongodb can be running either on a single or different machines
- the containers are in a virtual network running on a single machine
- the certificates are self-signed
- stud is used for https; other solutions can be used.
The steps are applicable to any framework and app using mongodb as a database.
The commands below are available in the securingMeteorWithSSL git repository.
- Install docker
- Generate certificates
- Create the docker images
- Setup Mongodb
- Setup the app server (RocketChat)
My server runs Debian Jessie, so I install docker from the jessie repo:
The private virtual network is the docker network intranet, with the subnet 172.18.0.0/16.
Three certificates are needed for this setup:
- a Certificate Authority (CA) to sign the certificates
- a certificate for the app server (https)
- a certificate for mongodb
Creating a Certificate Authority (CA)
Creating a certificate for the app server (https)
The CN in the CSR can be any address in a private network.
Creating a certificate for mongodb
Same steps as before, with 127.0.0.1 as CN (in my setup mongodb doesn't accept the hostname I provide, neither through docker nor through my DNS server):
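The three certificates described above, generated with openssl, as an added example rather than the post's own script from the securingMeteorWithSSL repository. The file names, the output directory and the app-server CN are assumptions; the CA name exampleCA.crt follows the post, the mongodb CN is 127.0.0.1 as described, and each leaf key and certificate are also concatenated into one PEM file because both stud and mongod read key and certificate from a single file.

```shell
#!/bin/sh
# Added example (not the original post's script): create the CA, the app
# server (https) certificate and the mongodb certificate with openssl.
# Paths, file names and the app-server CN are assumptions.
set -e

# gen_certs OUTDIR APP_CN
#   OUTDIR: directory receiving the keys and certificates
#   APP_CN: CN of the app-server certificate (any private address, e.g. 172.18.0.3)
gen_certs() {
    out="$1"; app_cn="$2"
    mkdir -p "$out"

    # 1. Certificate Authority: self-signed root key and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$out/exampleCA.key" -out "$out/exampleCA.crt" \
        -subj "/CN=exampleCA" 2>/dev/null

    # 2./3. Leaf certificates for the app server and mongodb, signed by the CA.
    # The mongodb CN is 127.0.0.1, as in the post.
    for name_cn in "app:$app_cn" "mongo:127.0.0.1"; do
        name=${name_cn%%:*}; cn=${name_cn#*:}
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$out/$name.key" -out "$out/$name.csr" -subj "/CN=$cn" 2>/dev/null
        openssl x509 -req -in "$out/$name.csr" \
            -CA "$out/exampleCA.crt" -CAkey "$out/exampleCA.key" -CAcreateserial \
            -days 825 -out "$out/$name.crt" 2>/dev/null
        # stud and mongod both read the private key and certificate from one PEM
        cat "$out/$name.key" "$out/$name.crt" > "$out/$name.pem"
        chmod 600 "$out/$name.key" "$out/$name.pem"
    done
}

# verify_cert OUTDIR NAME CN
#   Succeeds only if NAME.crt chains to exampleCA.crt and carries the expected CN;
#   run this before copying the files into the images.
verify_cert() {
    out="$1"; name="$2"; cn="$3"
    openssl verify -CAfile "$out/exampleCA.crt" "$out/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/$name.crt" -noout -subject | grep -q "CN *= *$cn"
}
```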
Create the docker images
Copy the CA and the mongodb certificate into the new mongodb image; the CA is then added to the truststore:
Add stud and run it as root so that it can bind port 443:
Build the images with:
docker build -t example/mongo .
docker build -t example/rocketchat .
Create mongo admin and chatdb user with mongoCreateAdmin.js and mongoChatAccess.js (NOTE: change the passwords):
Add the users to mongodb:
Setup the app server (RocketChat)
By default, the chat container exposes port 443, but I already have a server running on this port, so I change the port to 3443.
The ROOT_URL is: https://127.0.0.1:3443
In the MONGO_URL, we need to give the mongodb user and password for the chatdb database, and ssl is enabled with
The rocketchat container runs in the same network as the mongodb container:
--net intranet --ip 172.18.0.3
- Add the exampleCA.crt CA to your browser truststore:
Rocketchat is available at: