Automatic renewal of certificates

Hi,
Yesterday I posted a Jitsi server for conferences.
I have read this guide: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart

To install the certificates I ran this script: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

The server is a VM in the datacenter where I work.

How can I update the certificates automatically?

Ubuntu server 20.04.1 and nginx!

Help me please...

Thank you!

From the install script you're referring to yourself:

This script will:

  • (…)
  • Add command in weekly cron job to renew certificates regularly
2 Likes

Check if it successfully created the file /etc/cron.weekly/letsencrypt-renew. (It doesn't look like this script has made any provision to restart the Jitsi server when the certificate renewal happens, so that might still have to be done manually, or we could try to modify the script to add a deploy-hook option?)

2 Likes

I do see a --deploy-hook being used at least once?

1 Like
#!/bin/bash
/usr/bin/certbot renew >> /var/log/le-renew.log
service nginx reload

Only reload nginx.

With crontab I could set a start date for the script.

Is that right?

I need to install certbot ....

I can edit the script and add:
service prosody restart
service jicofo restart
service jitsi-videobridge2 restart

Oh, I missed that! Yes, I think the script's use of --deploy-hook is appropriate.

@kali, the idea of the --deploy-hook is that usually certbot renew will not renew your certificate (because it will decide that your certificate has enough validity time left that it doesn't need to be renewed yet)—so --deploy-hook provides a script that Certbot runs only in the minority of cases where the certificate was, in fact, renewed. Whatever actions need to be taken in that case can be specified there.

If you put something like service nginx reload in the cron task, then nginx would be reloaded whenever the cron task runs, even if it was unnecessary because no certificate renewal took place.

The Certbot developers intended for certbot renew to be run very often (twice per day is suggested!), because it doesn't attempt renewals until it's "necessary". That way you don't have to choose a time to schedule your renewal for; the renewal schedule is based on the current certificates' expiration time rather than on a schedule manually chosen by the user.
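The deploy-hook behaviour described in the post above, written out as an added example; it is not part of the thread or of the Jitsi install script. It could be installed as an executable in /etc/letsencrypt/renewal-hooks/deploy/. The hostname `meet.example.org` is a placeholder, and the service list is an assumption taken from the services named earlier in the thread.

```shell
#!/bin/sh
# Certbot deploy hook (added example). Certbot runs it only after a certificate
# was actually renewed and exports RENEWED_LINEAGE and RENEWED_DOMAINS to it.

JITSI_HOST="${JITSI_HOST:-meet.example.org}"               # placeholder hostname
SERVICES="${SERVICES:-prosody jicofo jitsi-videobridge2}"  # assumed from the thread
RUN="${RUN:-}"                                             # RUN=echo gives a dry run

# True if the space-separated domain list $1 contains host $2.
# A case match avoids glob expansion of wildcard names such as *.example.org.
covers_host() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# Print the commands to run, one per line; print nothing if the renewed
# certificate does not cover the Jitsi host.
plan_actions() {
  covers_host "$1" "$JITSI_HOST" || return 0
  echo "nginx -t"                 # refuse to reload a broken configuration
  echo "systemctl reload nginx"
  for svc in $SERVICES; do
    echo "systemctl restart $svc"
  done
}

# Run the planned commands in order and stop at the first failure.
run_hook() {
  plan_actions "${RENEWED_DOMAINS:-}" | while read -r cmd; do
    $RUN $cmd </dev/null || { echo "deploy hook failed: $cmd" >&2; exit 1; }
  done
}

# Certbot sets RENEWED_LINEAGE; without it (for example when sourced) do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  run_hook
fi
```

Because the cron task then only calls certbot renew, nothing is reloaded or restarted on the runs where no renewal took place.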

So I could use this guide: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx

Is that right?

Thank you!

Yes, just consider that the command to restart your Jitsi server application (if it's necessary) is not mentioned in that guide because that guide doesn't say anything about Jitsi.

I thought the Jitsi script actually used certbot? So I'd think installing and using certbot manually isn't necessary...

As far as I can tell, you don't have to do anything after running the Jitsi script.

I quickly read the guide.
The configuration is only for nginx as you told me.
Finally there is the command to execute to check the operation.

Once you have performed the steps from "snapd" to " 1. ln -s /snap/bin/certbot /usr/bin/certbot"

I don't need this command, "certbot --nginx", because it installs a certificate.

OK, I think I understand!

Thank you!

I did not know this!

I immediately ask for info in the community!

Thank you too...

You were right!

The Jitsi script creates a weekly check for certificates!

Thank you all!

1 Like