
Adds a script which install certificates from let's encrypt.

The script looks for nginx, apache2 or jetty configuration and edits the first one found. Nginx and apache2 will be reloaded, while jvb will be stopped, configured and started again.
master
damencho 8 years ago
parent
commit
8591fe00b6

+ 8
- 1
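--- a/debian/jitsi-meet-web-config.postinst
+++ b/debian/jitsi-meet-web-config.postinst
@@ -65,7 +65,7 @@ case "$1" in
             # SSL for nginx
             db_get jitsi-meet/cert-choice
             CERT_CHOICE="$RET"
-            UPLOADED_CERT_CHOICE="A certificate is available and the files are uploaded on the server"
+            UPLOADED_CERT_CHOICE="I want to use my own certificate"
 
             if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] ; then
                 db_set jitsi-meet/cert-path-key "/etc/ssl/$JVB_HOSTNAME.key"
@@ -223,6 +223,13 @@ case "$1" in
             invoke-rc.d apache2 reload
         fi
 
+        echo "----------------"
+        echo ""
+        echo "You can now switch to a Let’s Encrypt certificate. To do so, execute:"
+        echo "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh"
+        echo ""
+        echo "----------------"
+
         # and we're done with debconf
         db_stop
     ;;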
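Review bot: The comparison `[ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ]` in the first hunk now matches only the new wording, so a host whose stored debconf answer is still the old text ("A certificate is available and the files are uploaded on the server") would stop taking the own-certificate branch when this postinst runs again on upgrade or reconfigure. The else path lies outside the hunk, but if it is the self-signed one, an upgrade could quietly swap a CA-signed certificate configuration for a self-signed one. Accepting both values avoids that: keep the old text in a second variable and test `[ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] || [ "$CERT_CHOICE" = "$OLD_UPLOADED_CERT_CHOICE" ]`. The surrounding `case` block starts and ends outside both hunks, so whether the branch is reached on upgrade should be confirmed there.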

+ 2
- 1
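--- a/debian/jitsi-meet-web-config.templates
+++ b/debian/jitsi-meet-web-config.templates
@@ -1,9 +1,10 @@
 Template: jitsi-meet/cert-choice
 Type: select
-__Choices: Self-signed certificate will be generated, A certificate is available and the files are uploaded on the server
+__Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
 _Description: SSL certificate for the Jitsi Meet instance
  Jitsi Meet is best to be set up with an SSL certificate.
  Having no certificate, a self-signed one will be generated.
+ By choosing self-signed you will later have a chance to install Let’s Encrypt certificates.
  Having a certificate signed by a recognised CA, it can be uploaded on the server
  and point its location. The default filenames will be /etc/ssl/--domain.name--.key
  for the key and /etc/ssl/--domain.name--.crt for the certificate.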

+ 1
- 0
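--- a/debian/jitsi-meet-web.install
+++ b/debian/jitsi-meet-web.install
@@ -9,3 +9,4 @@ fonts					/usr/share/jitsi-meet/
 images					/usr/share/jitsi-meet/
 lang					/usr/share/jitsi-meet/
 connection_optimization	/usr/share/jitsi-meet/
+resources/*.sh			/usr/share/jitsi-meet/scripts/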
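Review bot: The added line installs root-run maintenance scripts under `/usr/share/jitsi-meet/scripts/`, and install-letsencrypt-cert.sh in this same commit hands `/usr/share/jitsi-meet` to certbot as `--webroot-path`, so the directory appears to sit inside the tree that nginx/apache serve. Administrative scripts are better installed outside the document root, so that the served tree holds only web content and the scripts cannot be fetched as static files; if the path has to stay, the site configuration should deny requests under `/scripts/`. The `resources/*.sh` glob also packages any shell file later added to `resources/`; naming the file explicitly (`resources/install-letsencrypt-cert.sh`) keeps the package contents deliberate.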

+ 2
- 2
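--- a/debian/po/templates.pot
+++ b/debian/po/templates.pot
@@ -20,13 +20,13 @@ msgstr ""
 #. Type: select
 #. Choices
 #: ../jitsi-meet-web-config.templates:1001
-msgid "Self-signed certificate will be generated"
+msgid "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
 msgstr ""
 
 #. Type: select
 #. Choices
 #: ../jitsi-meet-web-config.templates:1001
-msgid "A certificate is available and the files are uploaded on the server"
+msgid "I want to use my own certificate"
 msgstr ""
 
 #. Type: select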

+ 105
- 0
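--- a/resources/install-letsencrypt-cert.sh
+++ b/resources/install-letsencrypt-cert.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+set -e
+
+DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname`
+DOMAIN="${DEB_CONF_RESULT##*:}"
+# remove whitespace
+DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"
+
+echo "-------------------------------------------------------------------------"
+echo "This script will:"
+echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
+echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
+echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
+echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
+echo "- Configure and reload nginx or apache2, whichever is used"
+echo ""
+echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
+echo "by providing an email address for important account notifications"
+
+echo -n "Enter your email and press [ENTER]: "
+read EMAIL
+
+cd /usr/local/sbin
+
+if [ ! -f certbot-auto ] ; then
+  wget https://dl.eff.org/certbot-auto
+  chmod a+x ./certbot-auto
+fi
+
+CRON_FILE="/etc/cron.weekly/letsencrypt-renew"
+echo "#!/bin/bash" > $CRON_FILE
+echo "/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log" >> $CRON_FILE
+
+CERT_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
+CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
+
+if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
+
+    ./certbot-auto certonly --noninteractive \
+    --webroot --webroot-path /usr/share/jitsi-meet \
+    -d $DOMAIN \
+    --agree-tos --email $EMAIL
+
+    echo "Configuring nginx"
+
+    CONF_FILE="/etc/nginx/sites-available/$DOMAIN.conf"
+    CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
+    CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
+    sed -i "s/ssl_certificate_key\ \/etc\/jitsi\/meet\/.*key/ssl_certificate_key\ $CERT_KEY_ESC/g" \
+        $CONF_FILE
+    CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
+    CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
+    sed -i "s/ssl_certificate\ \/etc\/jitsi\/meet\/.*crt/ssl_certificate\ $CERT_CRT_ESC/g" \
+        $CONF_FILE
+
+    echo "service nginx reload" >> $CRON_FILE
+    service nginx reload
+
+elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
+
+    ./certbot-auto certonly --noninteractive \
+    --webroot --webroot-path /usr/share/jitsi-meet \
+    -d $DOMAIN \
+    --agree-tos --email $EMAIL
+
+    echo "Configuring apache2"
+
+    CONF_FILE="/etc/apache2/sites-available/$DOMAIN.conf"
+    CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
+    CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
+    sed -i "s/SSLCertificateKeyFile\ \/etc\/jitsi\/meet\/.*key/SSLCertificateKeyFile\ $CERT_KEY_ESC/g" \
+        $CONF_FILE
+    CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
+    CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
+    sed -i "s/SSLCertificateFile\ \/etc\/jitsi\/meet\/.*crt/SSLCertificateFile\ $CERT_CRT_ESC/g" \
+        $CONF_FILE
+
+    echo "service apache2 reload" >> $CRON_FILE
+    service apache2 reload
+else
+    service jitsi-videobridge stop
+
+    ./certbot-auto certonly --noninteractive \
+    --standalone \
+    -d $DOMAIN \
+    --agree-tos --email $EMAIL
+
+    echo "Configuring jetty"
+
+    CERT_P12="/etc/jitsi/videobridge/$DOMAIN.p12"
+    CERT_JKS="/etc/jitsi/videobridge/$DOMAIN.jks"
+    # create jks from  certs
+    openssl pkcs12 -export \
+        -in $CERT_CRT -inkey $CERT_KEY -passout pass:changeit > $CERT_P12
+    keytool -importkeystore -destkeystore $CERT_JKS \
+        -srckeystore $CERT_P12 -srcstoretype pkcs12 \
+        -noprompt -storepass changeit -srcstorepass changeit
+
+    service jitsi-videobridge start
+
+fi
+
+# the cron file that will renew certificates
+chmod a+x $CRON_FILE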
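Review bot: In the jetty branch the PKCS#12 file is written by shell redirection (`> $CERT_P12`) and the JKS by `keytool`, both under the caller's default umask and both protected only by the fixed password `changeit`. Unless `/etc/jitsi/videobridge` is itself restricted, with a typical root umask of 022 the Let's Encrypt private key becomes readable by every local account behind a publicly known passphrase. Put `umask 077` ahead of the `openssl pkcs12` call and then grant the videobridge service account read access explicitly; which account that is cannot be seen from this file. The same branch leaves renewal incomplete: the weekly job only runs `certbot-auto renew`, and nothing stops the bridge for `--standalone` or re-exports the renewed certificate into the keystore, so jetty would likely keep serving the old certificate until it expires. `$DOMAIN` and `$EMAIL` are also expanded unquoted (`-d $DOMAIN`, `--email $EMAIL`), so whitespace in either value turns into extra certbot arguments; quote them and read the address with `read -r EMAIL`.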
