
Adds a script which install certificates from let's encrypt.

The script looks for nginx, apache2 or jetty configuration and edits the first one found. Nginx and apache2 will be reloaded, while jvb will be stopped, configured and started again.
efficient_tiling
damencho 8 years ago
parent
commit
8591fe00b6

+ 8
- 1
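--- a/debian/jitsi-meet-web-config.postinst
+++ b/debian/jitsi-meet-web-config.postinst
@@ -65,7 +65,7 @@
             # SSL for nginx
             db_get jitsi-meet/cert-choice
             CERT_CHOICE="$RET"
-            UPLOADED_CERT_CHOICE="A certificate is available and the files are uploaded on the server"
+            UPLOADED_CERT_CHOICE="I want to use my own certificate"
 
             if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] ; then
                 db_set jitsi-meet/cert-path-key "/etc/ssl/$JVB_HOSTNAME.key"
@@ -223,6 +223,13 @@
             invoke-rc.d apache2 reload
         fi
 
+        echo "----------------"
+        echo ""
+        echo "You can now switch to a Let’s Encrypt certificate. To do so, execute:"
+        echo "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh"
+        echo ""
+        echo "----------------"
+
         # and we're done with debconf
         db_stop
     ;;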
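Review bot: Changing the literal in `UPLOADED_CERT_CHOICE` breaks the comparison on any host whose debconf database still holds the old answer "A certificate is available and the files are uploaded on the server". On upgrade `$CERT_CHOICE` will no longer equal the new string, so the `if` takes the non-matching path, which is presumably the self-signed one (that branch lies outside the visible hunk, so please confirm). That could silently replace an operator's CA-signed certificate setup with a self-signed one. Accepting both spellings keeps upgrades safe: add `LEGACY_UPLOADED_CERT_CHOICE="A certificate is available and the files are uploaded on the server"` and test `if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] || [ "$CERT_CHOICE" = "$LEGACY_UPLOADED_CERT_CHOICE" ] ; then`. The enclosing case arm starts and ends outside the hunks shown here.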

+ 2
- 1
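--- a/debian/jitsi-meet-web-config.templates
+++ b/debian/jitsi-meet-web-config.templates
@@ -1,9 +1,10 @@
 Template: jitsi-meet/cert-choice
 Type: select
-__Choices: Self-signed certificate will be generated, A certificate is available and the files are uploaded on the server
+__Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
 _Description: SSL certificate for the Jitsi Meet instance
  Jitsi Meet is best to be set up with an SSL certificate.
  Having no certificate, a self-signed one will be generated.
+ By choosing self-signed you will later have a chance to install Let’s Encrypt certificates.
  Having a certificate signed by a recognised CA, it can be uploaded on the server
  and point its location. The default filenames will be /etc/ssl/--domain.name--.key
  for the key and /etc/ssl/--domain.name--.crt for the certificate.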

+ 1
- 0
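--- a/debian/jitsi-meet-web.install
+++ b/debian/jitsi-meet-web.install
@@ -9,3 +9,4 @@
 images					/usr/share/jitsi-meet/
 lang					/usr/share/jitsi-meet/
 connection_optimization	/usr/share/jitsi-meet/
+resources/*.sh			/usr/share/jitsi-meet/scripts/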
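Review bot: `/usr/share/jitsi-meet/scripts/` is very likely inside the directory the web server publishes, because the installer script added in this same commit passes `/usr/share/jitsi-meet` to certbot as `--webroot-path`. Root-run maintenance scripts would then be retrievable by any client of the site, and anything later dropped into that directory inherits the same exposure. Install them outside the served tree, for example `resources/*.sh <directory outside the web root>/` (placeholder path), and update the path echoed by the postinst to match. Alternatively, deny that location in the nginx and apache site templates.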

+ 2
- 2
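--- a/debian/po/templates.pot
+++ b/debian/po/templates.pot
@@ -20,13 +20,13 @@
 #. Type: select
 #. Choices
 #: ../jitsi-meet-web-config.templates:1001
-msgid "Self-signed certificate will be generated"
+msgid "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
 msgstr ""
 
 #. Type: select
 #. Choices
 #: ../jitsi-meet-web-config.templates:1001
-msgid "A certificate is available and the files are uploaded on the server"
+msgid "I want to use my own certificate"
 msgstr ""
 
 #. Type: select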

+ 105
- 0
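--- a/resources/install-letsencrypt-cert.sh
+++ b/resources/install-letsencrypt-cert.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+set -e
+
+DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname`
+DOMAIN="${DEB_CONF_RESULT##*:}"
+# remove whitespace
+DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"
+
+echo "-------------------------------------------------------------------------"
+echo "This script will:"
+echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
+echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
+echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
+echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
+echo "- Configure and reload nginx or apache2, whichever is used"
+echo ""
+echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
+echo "by providing an email address for important account notifications"
+
+echo -n "Enter your email and press [ENTER]: "
+read EMAIL
+
+cd /usr/local/sbin
+
+if [ ! -f certbot-auto ] ; then
+  wget https://dl.eff.org/certbot-auto
+  chmod a+x ./certbot-auto
+fi
+
+CRON_FILE="/etc/cron.weekly/letsencrypt-renew"
+echo "#!/bin/bash" > $CRON_FILE
+echo "/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log" >> $CRON_FILE
+
+CERT_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
+CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
+
+if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
+
+    ./certbot-auto certonly --noninteractive \
+    --webroot --webroot-path /usr/share/jitsi-meet \
+    -d $DOMAIN \
+    --agree-tos --email $EMAIL
+
+    echo "Configuring nginx"
+
+    CONF_FILE="/etc/nginx/sites-available/$DOMAIN.conf"
+    CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
+    CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
+    sed -i "s/ssl_certificate_key\ \/etc\/jitsi\/meet\/.*key/ssl_certificate_key\ $CERT_KEY_ESC/g" \
+        $CONF_FILE
+    CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
+    CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
+    sed -i "s/ssl_certificate\ \/etc\/jitsi\/meet\/.*crt/ssl_certificate\ $CERT_CRT_ESC/g" \
+        $CONF_FILE
+
+    echo "service nginx reload" >> $CRON_FILE
+    service nginx reload
+
+elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
+
+    ./certbot-auto certonly --noninteractive \
+    --webroot --webroot-path /usr/share/jitsi-meet \
+    -d $DOMAIN \
+    --agree-tos --email $EMAIL
+
+    echo "Configuring apache2"
+
+    CONF_FILE="/etc/apache2/sites-available/$DOMAIN.conf"
+    CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
+    CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
+    sed -i "s/SSLCertificateKeyFile\ \/etc\/jitsi\/meet\/.*key/SSLCertificateKeyFile\ $CERT_KEY_ESC/g" \
+        $CONF_FILE
+    CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
+    CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
+    sed -i "s/SSLCertificateFile\ \/etc\/jitsi\/meet\/.*crt/SSLCertificateFile\ $CERT_CRT_ESC/g" \
+        $CONF_FILE
+
+    echo "service apache2 reload" >> $CRON_FILE
+    service apache2 reload
+else
+    service jitsi-videobridge stop
+
+    ./certbot-auto certonly --noninteractive \
+    --standalone \
+    -d $DOMAIN \
+    --agree-tos --email $EMAIL
+
+    echo "Configuring jetty"
+
+    CERT_P12="/etc/jitsi/videobridge/$DOMAIN.p12"
+    CERT_JKS="/etc/jitsi/videobridge/$DOMAIN.jks"
+    # create jks from  certs
+    openssl pkcs12 -export \
+        -in $CERT_CRT -inkey $CERT_KEY -passout pass:changeit > $CERT_P12
+    keytool -importkeystore -destkeystore $CERT_JKS \
+        -srckeystore $CERT_P12 -srcstoretype pkcs12 \
+        -noprompt -storepass changeit -srcstorepass changeit
+
+    service jitsi-videobridge start
+
+fi
+
+# the cron file that will renew certificates
+chmod a+x $CRON_FILE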
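Review bot: The jetty branch writes the private key into `$CERT_P12` through a shell redirect and then into `$CERT_JKS`, both created under the caller's umask (commonly world-readable for root) and protected only by the fixed password `changeit`, so any local account could recover the Let's Encrypt private key. Create both files under a restrictive umask and quote the paths: `( umask 077; openssl pkcs12 -export -in "$CERT_CRT" -inkey "$CERT_KEY" -passout pass:changeit -out "$CERT_P12" )`, then `chmod 600 "$CERT_P12" "$CERT_JKS"` plus a chown to whichever account the videobridge runs as (not visible here). Two further gaps in the same file: `certbot-auto` is fetched with `wget` and executed as root without any signature or checksum verification, and `DOMAIN` is never checked for being empty before it is used to build config and certificate paths. The weekly cron job also does nothing for the jetty case beyond `certbot-auto renew`: it neither frees the port that `--standalone` needs nor rebuilds the keystore, so renewals there would likely not take effect and the certificate would expire in service.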
