Yes, the unsecure notification disappeared
I have no clue. This is what the config file says. I don't see anything about restarting nginx? I could be wrong. Initially I used the certbot install package that is supposed to be a one-stop shop for renewal. But with all the misconfigs I'm not sure if it will work?
#!/bin/sh
set -e
COTURN_CERT_DIR="/etc/coturn/certs"
TURN_CONFIG="/etc/turnserver.conf"
# create a directory to store certs if it does not exist
if [ ! -d "$COTURN_CERT_DIR" ]; then
    mkdir -p "$COTURN_CERT_DIR"
    chown -R turnserver:turnserver /etc/coturn/
    chmod -R 700 /etc/coturn/
fi
# This is a template; when copied to /etc/letsencrypt/renewal-hooks/deploy/
# by the script that creates the Let's Encrypt certs,
# cv-meet.kozow.com is replaced with the real domain of the deployment.
# certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to deploy hooks.
for domain in $RENEWED_DOMAINS; do
    case $domain in
    cv-meet.kozow.com)
        # Make sure the certificate and private key files are
        # never world readable, even just for an instant while
        # we're copying them into daemon_cert_root.
        umask 077
        cp "$RENEWED_LINEAGE/fullchain.pem" "$COTURN_CERT_DIR/$domain.fullchain.pem"
        cp "$RENEWED_LINEAGE/privkey.pem" "$COTURN_CERT_DIR/$domain.privkey.pem"
        # Apply the proper file ownership and permissions for
        # the daemon to read its certificate and key.
        chown turnserver "$COTURN_CERT_DIR/$domain.fullchain.pem" \
            "$COTURN_CERT_DIR/$domain.privkey.pem"
        chmod 400 "$COTURN_CERT_DIR/$domain.fullchain.pem" \
            "$COTURN_CERT_DIR/$domain.privkey.pem"
        # Only rewrite a config that Jitsi generated (marker comment present).
        if [ -f "$TURN_CONFIG" ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
            echo "Configuring turnserver"
            sed -i "/^cert/c\cert=\/etc\/coturn\/certs\/${domain}.fullchain.pem" "$TURN_CONFIG"
            sed -i "/^pkey/c\pkey=\/etc\/coturn\/certs\/${domain}.privkey.pem" "$TURN_CONFIG"
        fi
        service coturn restart
        ;;
    esac
done
That translates to:
if/when domain "cv-meet.kozow.com" is renewed, then restart service "coturn"
Looks sane to me.
But does it also need to restart the web service?
[clearly, I don't know what a coturn is...]
Could add a service nginx reload in that script so nginx picks up fresh certs as soon as they are issued.
I need to be away maybe @rg305 can finish up?
I was just going to:
- Ensure renewal conf file is correct. Add a deploy-hook if you don't use the one described above
- Ensure email is on the account
- Ensure certbot renew setup in timer or cron
Of course, Rudy may well see something else too
Mike thank you again. I really appreciate it. Do you accept donations? I'm not rich but I could send you enough to probably buy a burger.
Note I just changed the nginx reload command (that was format for systemctl, not service)
I have found so many different commands that say they do the same thing for nginx.
I think reload is
systemctl reload nginx
or
/usr/sbin/nginx -s reload
So far Jitsi is working. I had to double check and make some config adjustments to Jitsi - tested outside my network (mobile). I need to test it further...
Excellent!
Yes, but I had service reload nginx in my original post and that was the wrong format. I edited it shortly after but wanted to warn you in case you saw my original.
Now, final Certbot / Let's Encrypt items:
For email, you can check if email set for your LE account with:
New with version 1.23 of certbot (which you have):
sudo certbot show_account
If no email or wrong one, use:
sudo certbot update_account
Check Certbot renew setup. Show results of:
sudo systemctl list-timers
sudo crontab -l
Deploy Hook update. Did you add one of the nginx reload commands to your deploy hook script? If not, you should, or we can re-run the certbot command to set up another hook in your renewal conf file. But, since you already have one, it might be best to have all commands in it.
This always works (if the executable is there).
The others, service nginx reload and systemctl reload nginx, depend on other software, like the OS, the init system and the like. (They also log what you do and stuff like that.)