Nginx issue with Ubuntu Jitsi chat server

Yes, the unsecure notification disappeared

1 Like

I have no clue. This is what the config file says. I don't see anything about restarting nginx? I could be wrong. Initially I used the certbot install package that's supposed to be a one-stop shop for renewal. But with all the misconfigs I'm not sure if it will work?

#!/bin/sh

set -e

COTURN_CERT_DIR="/etc/coturn/certs"
TURN_CONFIG="/etc/turnserver.conf"

# create a directory to store certs if it does not exist
if [ ! -d "$COTURN_CERT_DIR" ]; then
    mkdir -p "$COTURN_CERT_DIR"
    chown -R turnserver:turnserver /etc/coturn/
    chmod -R 700 /etc/coturn/
fi

# This is a template and when copied to /etc/letsencrypt/renewal-hooks/deploy/
# during creating the Let's encrypt certs script
# cv-meet.kozow.com will be replaced with the real domain of deployment
# RENEWED_DOMAINS and RENEWED_LINEAGE are exported by certbot when it runs a deploy hook
for domain in $RENEWED_DOMAINS; do
        case $domain in
        cv-meet.kozow.com)
                # Make sure the certificate and private key files are
                # never world readable, even just for an instant while
                # we're copying them into daemon_cert_root.
                umask 077

                cp "$RENEWED_LINEAGE/fullchain.pem" "$COTURN_CERT_DIR/$domain.fullchain.pem"
                cp "$RENEWED_LINEAGE/privkey.pem" "$COTURN_CERT_DIR/$domain.privkey.pem"

                # Apply the proper file ownership and permissions for
                # the daemon to read its certificate and key.
                chown turnserver "$COTURN_CERT_DIR/$domain.fullchain.pem" \
                        "$COTURN_CERT_DIR/$domain.privkey.pem"
                chmod 400 "$COTURN_CERT_DIR/$domain.fullchain.pem" \
                        "$COTURN_CERT_DIR/$domain.privkey.pem"

                # Point coturn at the new files only if this is the jitsi-meet managed config
                if [ -f "$TURN_CONFIG" ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
                    echo "Configuring turnserver"
                    sed -i "/^cert/c\cert=\/etc\/coturn\/certs\/${domain}.fullchain.pem" "$TURN_CONFIG"
                    sed -i "/^pkey/c\pkey=\/etc\/coturn\/certs\/${domain}.privkey.pem" "$TURN_CONFIG"
                fi
                service coturn restart
                ;;
        esac
done

That translates to:
if/when domain "cv-meet.kozow.com" is renewed, then restart service "coturn"
Looks sane to me.
But does it also need to restart the web service?
[clearly, I don't know what a coturn is...]

2 Likes

Could add a service nginx reload in that script so nginx picks up fresh certs as soon as they are issued.

I need to be away; maybe @rg305 can finish up?

I was just going to:

  1. Ensure renewal conf file is correct. Add a deploy-hook if you don't use the one described above
  2. Ensure email is on the account
  3. Ensure certbot renew setup in timer or cron

Of course, Rudy may well see something else too 🙂

4 Likes
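Putting the two points above together (what the deploy hook does for coturn, and that nginx also needs a reload so it serves the new certificate), here is an added example of such a hook. It is not the script from the thread or Jitsi's own template; the paths, the turnserver user and cv-meet.kozow.com come from the thread, while the PEM sanity check and the "test the config before reloading" step are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the thread's script): install the renewed cert for coturn,
# then reload nginx, but only after its config test passes.
set -eu

COTURN_CERT_DIR="${COTURN_CERT_DIR:-/etc/coturn/certs}"
JITSI_DOMAIN="${JITSI_DOMAIN:-cv-meet.kozow.com}"

# Copy fullchain/privkey from a certbot lineage dir ($1) into $2 for domain $3,
# owned by $4 and never world readable. Refuses files that do not look like
# PEM, so a half-written lineage cannot replace a good cert.
install_cert() {
    lineage="$1"; dest="$2"; domain="$3"; owner="$4"
    for f in fullchain.pem privkey.pem; do
        grep -q -- "-----BEGIN" "$lineage/$f" || { echo "$lineage/$f: not PEM" >&2; return 1; }
    done
    umask 077                      # new files are 0600 from the first instant
    mkdir -p "$dest"
    cp "$lineage/fullchain.pem" "$dest/$domain.fullchain.pem"
    cp "$lineage/privkey.pem"   "$dest/$domain.privkey.pem"
    chown "$owner" "$dest/$domain.fullchain.pem" "$dest/$domain.privkey.pem"
    chmod 400 "$dest/$domain.fullchain.pem" "$dest/$domain.privkey.pem"
}

# Reload nginx only if the config test ($1, default "nginx -t") passes; a
# reload on a broken config would leave the old cert (or nothing) in service.
# $2 is the reload command, the part that differs between hosts
# (systemctl reload nginx / service nginx reload / nginx -s reload).
reload_nginx() {
    test_cmd="${1:-nginx -t}"; reload_cmd="${2:-systemctl reload nginx}"
    if $test_cmd >/dev/null 2>&1; then
        $reload_cmd
    else
        echo "nginx config test failed, not reloading" >&2
        return 1
    fi
}

# certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to deploy hooks; when the
# file is sourced for testing neither is set and nothing below runs.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    for domain in $RENEWED_DOMAINS; do
        [ "$domain" = "$JITSI_DOMAIN" ] || continue
        install_cert "$RENEWED_LINEAGE" "$COTURN_CERT_DIR" "$domain" turnserver
        service coturn restart
        reload_nginx
    done
fi
```

Drop it into /etc/letsencrypt/renewal-hooks/deploy/ (or reference it with --deploy-hook) and certbot runs it once per successful renewal; a failing config test makes the hook exit non-zero so the problem shows up in certbot's output instead of silently leaving the old cert in place.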

Mike, thank you again. I really appreciate it. Do you accept donations? I'm not rich but I could send you enough to probably buy a burger. 😂

2 Likes

Note I just changed the nginx reload command (that was format for systemctl, not service)

3 Likes

I have found so many different commands that say they do the same thing for nginx.

I think reload is
systemctl reload nginx

or

/usr/sbin/nginx -s reload

So far Jitsi is working. I had to double check and make some config adjustments to Jitsi - tested outside my network (mobile). I need to test it further...

1 Like

Excellent!

Yes, but I had service reload nginx in my original post and that was the wrong format. I edited it shortly after but wanted to warn you in case you saw my original.


Now, final Certbot / Let's Encrypt items:

For email, you can check if an email is set for your LE account with (new in version 1.23 of certbot, which you have):

sudo certbot show_account

If no email or wrong one, use:
sudo certbot update_account

Check Certbot renew setup. Show results of:

sudo systemctl list-timers
sudo crontab -l

Deploy Hook update. Did you add one of the nginx reload commands to your deploy hook script? If not, you should, or we can re-run the certbot command to set up another hook in your renewal conf file. But since you already have one, it might be best to have all commands in it.

2 Likes

This always works (if the executable is there).

The others, service nginx reload and systemctl reload nginx, depend on other software, like the OS, the init system and the like. (They also log what you do and stuff like that.)

1 Like
