Fixes renewing let's encrypt certificates when using jetty.

Uses webroot for obtaining certificate, avoids stopping jitsi-videobridge before obtaining certificate.
Adds a renew hook, where we reload apache or nginx and try to graceful shutdown jvb and restart it.
Before merging this we need to make sure graceful shutdown is enabled by default and also pubsub is enabled by default so after restarting jvb, jicofo will discover it.
This commit is contained in:
damencho 2017-03-30 13:57:47 -05:00
parent 2301732e2d
commit 029ca1753f
2 changed files with 39 additions and 6 deletions

View File

@ -30,7 +30,7 @@ fi
CRON_FILE="/etc/cron.weekly/letsencrypt-renew"
echo "#!/bin/bash" > $CRON_FILE
echo "/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log" >> $CRON_FILE
echo "/usr/local/sbin/certbot-auto --renew-hook '/usr/share/jitsi-meet/scripts/renew-letsencrypt-cert.sh' renew >> /var/log/le-renew.log" >> $CRON_FILE
CERT_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
@ -54,7 +54,6 @@ if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
sed -i "s/ssl_certificate\ \/etc\/jitsi\/meet\/.*crt/ssl_certificate\ $CERT_CRT_ESC/g" \
$CONF_FILE
echo "service nginx reload" >> $CRON_FILE
service nginx reload
elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
@ -76,13 +75,11 @@ elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
sed -i "s/SSLCertificateFile\ \/etc\/jitsi\/meet\/.*crt/SSLCertificateFile\ $CERT_CRT_ESC/g" \
$CONF_FILE
echo "service apache2 reload" >> $CRON_FILE
service apache2 reload
else
service jitsi-videobridge stop
./certbot-auto certonly --noninteractive \
--standalone \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL
@ -97,7 +94,14 @@ else
-srckeystore $CERT_P12 -srcstoretype pkcs12 \
-noprompt -storepass changeit -srcstorepass changeit
service jitsi-videobridge start
PIDFILE=/var/run/jitsi-videobridge.pid
if [ -f $PIDFILE ]; then
PID=$(cat $PIDFILE)
/usr/share/jitsi-videobridge/graceful_shutdown.sh $PID || true
fi
service jitsi-videobridge restart
fi

View File

@ -0,0 +1,29 @@
#!/bin/bash
set -e
#
# This script is executed once a Lets Encrypt certificate had been renewed
# we reload web servers or in case of jetty we restart jvb
# In future we need to implement reloading jvb, which will reload the jetty
#
DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname`
DOMAIN="${DEB_CONF_RESULT##*:}"
# remove whitespace
DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"
if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
service nginx reload
elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
service apache2 reload
else
PIDFILE=/var/run/jitsi-videobridge.pid
if [ -f $PIDFILE ]; then
PID=$(cat $PIDFILE)
/usr/share/jitsi-videobridge/graceful_shutdown.sh $PID || true
fi
service jitsi-videobridge restart
fi