Automatic renewal of certificates

kali · November 14, 2020, 7:31pm

Hi,
yesterday i posted jitsi server for conferences.
I have read this guide: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart

to install the certificates i ran this script: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

The server is a VM of my datacenter where i work.

How can i update the certificates automatically?

Ubuntu server 20.04.1 and nginx!

Help me please...

Thank you!

Osiris · November 14, 2020, 8:15pm

From the install script you're referring to yourself:

This script will:

(…)

Add command in weekly cron job to renew certificates regularly

schoen · November 14, 2020, 8:18pm

github.com

jitsi/jitsi-meet/blob/b814827df1da975ced7995b84c7ff125d8204d8a/resources/install-letsencrypt-cert.sh

#!/bin/bash

set -e

DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname`
DOMAIN="${DEB_CONF_RESULT##*:}"
# remove whitespace
DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"

echo "-------------------------------------------------------------------------"
echo "This script will:"
echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
echo "- Configure and reload nginx or apache2, whichever is used"
echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
echo "- Add command in weekly cron job to renew certificates regularly"
echo ""
echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "

This file has been truncated. show original

Check if it successfully created the file /etc/cron.weekly/letsencrypt-renew. (It doesn't look like this script has made any provision to restart the Jitsi server when the certificate renewal happens, so that might still have to be done manually, or we could try to modify the script to add a deploy-hook option?)

Osiris · November 14, 2020, 8:24pm

I do see a --deploy-hook being used at least once?

kali · November 14, 2020, 8:30pm

#!/bin/bash
/usr/bin/certbot renew >> /var/log/le-renew.log
service nginx reload

Only reload nginx.

I could with crontab set a script start date.

it's right?

kali · November 14, 2020, 8:33pm

I need to install certbot ....

kali · November 14, 2020, 8:37pm

the script i can edit and add:
service restart prosody
service restart jicofo
service restart jitsi-videobridge2

schoen · November 14, 2020, 9:57pm

Oh, I missed that! Yes, I think the script's use of --deploy-hook is appropriate.

@kali, the idea of the --deploy-hook is that usually certbot renew will not renew your certificate (because it will decide that your certificate has enough validity time left that it doesn't need to be renewed yet)—so --deploy-hook provides a script that Certbot runs only in the minority of cases where the certificate was, in fact, renewed. Whatever actions need to be taken in that case can be specified there.

If you put something like service nginx reload in the cron task, then nginx would be reloaded whenever the cron task runs, even if it was unnecessary because no certificate renewal took place.

The Certbot developers intended for certbot renew to be run very often (twice per day is suggested!), because it doesn't attempt renewals until it's "necessary". That way you don't have to choose a time to schedule your renewal for; the renewal schedule is based on the current certificates' expiration time rather than on a schedule manually chosen by the user.

kali · November 14, 2020, 10:13pm

So i could use this guide: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx

it's right?

Thank you!

schoen · November 14, 2020, 10:14pm

Yes, just consider that the command to restart your Jitsi server application (if it's necessary) is not mentioned in that guide because that guide doesn't talk about anything about Jitsi.

Osiris · November 14, 2020, 10:24pm

I thought the Jitsi script actually used certbot? So I'd think installing and using certbot manually isn't necessary...

As far as I can tell, you don't have to do anything after running the jitsi script..

kali · November 14, 2020, 10:27pm

I quickly read the guide.
The configuration is only for nginx as you told me.
Finally there is the command to execute to check the operation.

Once you have performed the steps from "snapd" to " 1. ln -s /snap/bin/certbot /usr/bin/certbot"

This command "certbot --nginx" i don't need it because it installs a certificate.

Ok, i think i understand!

Thank you!

kali · November 14, 2020, 10:30pm

I did not know this!

I immediately ask for info in the community!

thank you too...

kali · November 16, 2020, 12:13pm

You were right!

The jitsi script creates a weekly check for certificates!

Thank you all!

system · December 16, 2020, 12:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.