feat: Adds LE choice when installing debian package. (#12154)

* feat: Adds LE choice when installing debian package.

* Update debian/jitsi-meet-web-config.templates

Co-authored-by: raluca8x8 <raluca.tocmag@8x8.com>

* squash: Print the JaaS link in the console every time.

* squash: Note that JaaS does not support self-signed certs.

* squash: Fix message.

* squash: Moves acme.sh stuff into a script, so it is easy to re-run.

Co-authored-by: raluca8x8 <raluca.tocmag@8x8.com>
Дамян Минков 2022-09-13 07:55:00 -05:00 committed by GitHub
parent 139884fbe7
commit 079a2a505d
13 changed files with 167 additions and 215 deletions

debian/control vendored

@ -20,7 +20,7 @@ Description: WebRTC JavaScript video conferences
Package: jitsi-meet-web-config Package: jitsi-meet-web-config
Architecture: all Architecture: all
Depends: openssl, nginx | nginx-full | nginx-extras | apache2 Depends: openssl, nginx | nginx-full | nginx-extras | apache2, curl
Description: Configuration for web serving of Jitsi Meet Description: Configuration for web serving of Jitsi Meet
Jitsi Meet is a WebRTC JavaScript application that uses Jitsi Jitsi Meet is a WebRTC JavaScript application that uses Jitsi
Videobridge to provide high quality, scalable video conferences. Videobridge to provide high quality, scalable video conferences.


@ -1,3 +1,2 @@
doc/debian/jitsi-meet-turn/turnserver.conf /usr/share/jitsi-meet-turnserver/ doc/debian/jitsi-meet-turn/turnserver.conf /usr/share/jitsi-meet-turnserver/
doc/debian/jitsi-meet/jitsi-meet.conf /usr/share/jitsi-meet-turnserver/ doc/debian/jitsi-meet/jitsi-meet.conf /usr/share/jitsi-meet-turnserver/
doc/debian/jitsi-meet-turn/coturn-certbot-deploy.sh /usr/share/jitsi-meet-turnserver/


@ -107,7 +107,9 @@ denied-peer-ip=240.0.0.0-255.255.255.255" >> $TURN_CONFIG
db_get jitsi-meet/cert-choice db_get jitsi-meet/cert-choice
CERT_CHOICE="$RET" CERT_CHOICE="$RET"
if [ "$CERT_CHOICE" = "I want to use my own certificate" ] ; then UPLOADED_CERT_CHOICE="I want to use my own certificate"
LE_CERT_CHOICE="Let's Encrypt certificates"
if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ]; then
db_get jitsi-meet/cert-path-key db_get jitsi-meet/cert-path-key
CERT_KEY="$RET" CERT_KEY="$RET"
db_get jitsi-meet/cert-path-crt db_get jitsi-meet/cert-path-crt
@ -120,22 +122,13 @@ denied-peer-ip=240.0.0.0-255.255.255.255" >> $TURN_CONFIG
CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g') CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g') CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
sed -i "s/cert=\/etc\/jitsi\/meet\/.*crt/cert=$CERT_CRT_ESC/g" $TURN_CONFIG sed -i "s/cert=\/etc\/jitsi\/meet\/.*crt/cert=$CERT_CRT_ESC/g" $TURN_CONFIG
elif [ "$CERT_CHOICE" = "$LE_CERT_CHOICE" ]; then
/usr/share/jitsi-meet/scripts/coturn-le-update.sh ${JVB_HOSTNAME}
fi fi
sed -i "s/#TURNSERVER_ENABLED/TURNSERVER_ENABLED/g" /etc/default/coturn sed -i "s/#TURNSERVER_ENABLED/TURNSERVER_ENABLED/g" /etc/default/coturn
invoke-rc.d coturn restart || true invoke-rc.d coturn restart || true
NGINX_STREAM_CONFIG="/etc/nginx/modules-enabled/60-jitsi-meet.conf"
if [ -f $NGINX_STREAM_CONFIG ] ; then
echo "------------------------------------------------"
echo ""
echo "You have multiplexing enabled, it is recommended to disable it and migrate to using websockets for the bridge channel."
echo "The support for sctp data channels is deprecated and will be dropped at some point."
echo "How to do it at: https://jitsi.org/multiplexing-to-bridge-ws-howto"
echo ""
echo "------------------------------------------------"
fi
# and we're done with debconf # and we're done with debconf
db_stop db_stop
;; ;;
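Review bot: The new `/usr/share/jitsi-meet/scripts/coturn-le-update.sh ${JVB_HOSTNAME}` call in the `elif` branch is unguarded, while the existing coturn restart two lines below is `|| true`; that script ends with `service coturn restart` and runs before the `sed` that uncomments `TURNSERVER_ENABLED` in `/etc/default/coturn`, and under `set -e` it also aborts if `/etc/jitsi/meet/${JVB_HOSTNAME}.crt` does not exist yet (whether the web-config postinst has created it at this point I cannot tell from here). If this maintainer script runs with `set -e`, as Debian postinsts usually do, any of those failures aborts package configuration. I would move the call after the `sed`/`invoke-rc.d` lines, or at least write it `/usr/share/jitsi-meet/scripts/coturn-le-update.sh "${JVB_HOSTNAME}" || true`, quoting the hostname like the surrounding variables. The enclosing case branch starts outside the hunk.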


@ -75,6 +75,7 @@ case "$1" in
JAAS_INPUT="$RET" JAAS_INPUT="$RET"
UPLOADED_CERT_CHOICE="I want to use my own certificate" UPLOADED_CERT_CHOICE="I want to use my own certificate"
LE_CERT_CHOICE="Let's Encrypt certificates"
# if first time config ask for certs, or if we are reconfiguring # if first time config ask for certs, or if we are reconfiguring
if [ -z "$JVB_HOSTNAME_OLD" ] || [ "$RECONFIGURING" = "true" ] ; then if [ -z "$JVB_HOSTNAME_OLD" ] || [ "$RECONFIGURING" = "true" ] ; then
RET="" RET=""
@ -83,7 +84,7 @@ case "$1" in
db_get jitsi-meet/cert-choice db_get jitsi-meet/cert-choice
CERT_CHOICE="$RET" CERT_CHOICE="$RET"
if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] ; then if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ]; then
RET="" RET=""
db_get jitsi-meet/cert-path-key db_get jitsi-meet/cert-path-key
if [ -z "$RET" ] ; then if [ -z "$RET" ] ; then
@ -103,7 +104,7 @@ case "$1" in
fi fi
CERT_CRT="$RET" CERT_CRT="$RET"
else else
# create self-signed certs # create self-signed certs (we also need them for the case of LE so we can start nginx)
CERT_KEY="/etc/jitsi/meet/$JVB_HOSTNAME.key" CERT_KEY="/etc/jitsi/meet/$JVB_HOSTNAME.key"
CERT_CRT="/etc/jitsi/meet/$JVB_HOSTNAME.crt" CERT_CRT="/etc/jitsi/meet/$JVB_HOSTNAME.crt"
HOST="$( (hostname -s; echo localhost) | head -n 1)" HOST="$( (hostname -s; echo localhost) | head -n 1)"
@ -116,6 +117,17 @@ case "$1" in
-extensions SAN \ -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf \ -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:localhost,DNS:$JVB_HOSTNAME")) <(printf "[SAN]\nsubjectAltName=DNS:localhost,DNS:$JVB_HOSTNAME"))
if [ "$CERT_CHOICE" = "$LE_CERT_CHOICE" ]; then
db_subst jitsi-meet/email domain "${JVB_HOSTNAME}"
db_input critical jitsi-meet/email || true
db_go
db_get jitsi-meet/email
EMAIL="$RET"
if [ ! -z "$EMAIL" ] ; then
ISSUE_LE_CERT="true"
fi
fi
fi fi
fi fi
@ -208,36 +220,38 @@ case "$1" in
invoke-rc.d apache2 reload || true invoke-rc.d apache2 reload || true
fi fi
echo "----------------" if [ "$ISSUE_LE_CERT" = "true" ] ; then
echo "" /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh $EMAIL $JVB_HOSTNAME
echo "You can now switch to a Lets Encrypt certificate. To do so, execute:" fi
echo "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh"
echo ""
echo "----------------"
echo ""
echo ""
echo " ;dOocd;"
echo " .dNMM0dKO."
echo " lNMMMKd0K,"
echo " .xMMMMNxkNc"
echo " dMMMMMkxXc"
echo " cNMMMNl.."
if [ "${JAAS_INPUT}" != "true" ]; then if [ "${JAAS_INPUT}" != "true" ]; then
echo ""
echo ""
echo " ;dOocd;"
echo " .dNMM0dKO."
echo " lNMMMKd0K,"
echo " .xMMMMNxkNc"
echo " dMMMMMkxXc"
echo " cNMMMNl.."
echo " .kMMMX; Interested in adding telephony to your Jitsi meetings?" echo " .kMMMX; Interested in adding telephony to your Jitsi meetings?"
echo " ;XMMMO'" echo " ;XMMMO'"
echo " lNMMWO' Sign up on https://jaas.8x8.vc/components?host=${JVB_HOSTNAME}" echo " lNMMWO' Sign up on https://jaas.8x8.vc/components?host=${JVB_HOSTNAME}"
echo " lNMMM0, and follow the guide in the dev console." echo " lNMMM0, and follow the guide in the dev console."
echo " lXMMMK:." else
echo " ;KMMMNKd. 'oo," echo " .kMMMX;"
echo " 'xNMMMMXkkkkOKOl'" echo " ;XMMMO' Don't forget to sign up on"
echo " :0WMMMMMMNOkk0Kk," echo " lNMMWO' https://jaas.8x8.vc/components?host=${JVB_HOSTNAME}"
echo " .cdOWMMMMMWXOkOl" echo " lNMMM0, in order to add telephony to your Jitsi meetings!"
echo " .;dKWMMMMMXc."
echo " .,:cll:'"
echo ""
echo ""
fi fi
echo " lXMMMK:."
echo " ;KMMMNKd. 'oo,"
echo " 'xNMMMMXkkkkOKOl'"
echo " :0WMMMMMMNOkk0Kk,"
echo " .cdOWMMMMMWXOkOl"
echo " .;dKWMMMMMXc."
echo " .,:cll:'"
echo ""
echo ""
# and we're done with debconf # and we're done with debconf
db_stop db_stop
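Review bot: The new `install-letsencrypt-cert.sh $EMAIL $JVB_HOSTNAME` call passes the debconf-supplied email unquoted and is not guarded with `|| true`, unlike the neighbouring `invoke-rc.d ... || true`; that script runs under `set -e` and its own `ISSUE_FAILED` handling only covers the `--issue` step, so any other failure in it (for example the `RELOAD_CMD+=` line on a non-bash `/bin/sh`) propagates and leaves this package unconfigured instead of falling back to the self-signed certificate generated just above. I would write `/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh "$EMAIL" "$JVB_HOSTNAME" || true`. `ISSUE_LE_CERT` is also never given a default before the `if [ "$ISSUE_LE_CERT" = "true" ]` check; an explicit `ISSUE_LE_CERT="false"` next to `LE_CERT_CHOICE=` would make the flow readable at a glance. The enclosing case branch starts and ends outside the hunk.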


@ -1,14 +1,16 @@
Template: jitsi-meet/cert-choice Template: jitsi-meet/cert-choice
Type: select Type: select
__Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate __Choices: Generate a new self-signed certificate, Let's Encrypt certificates, I want to use my own certificate
_Description: SSL certificate for the Jitsi Meet instance _Description: SSL certificate for the Jitsi Meet instance
.
Jitsi Meet is best to be set up with an SSL certificate. Jitsi Meet is best to be set up with an SSL certificate.
.
Having no certificate, a self-signed one will be generated. Having no certificate, a self-signed one will be generated.
By choosing self-signed you will later have a chance to install Lets Encrypt certificates.
In the case of using a self-signed certificate, only the web app will be available with some warnings, the mobile app will not connect. In the case of using a self-signed certificate, only the web app will be available with some warnings, the mobile app will not connect.
Having a certificate signed by a recognised CA, it can be uploaded on the server Self-signed certificates are not supported by JaaS (Jitsi as a Service).
and point its location. The default filenames will be /etc/ssl/--domain.name--.key .
for the key and /etc/ssl/--domain.name--.crt for the certificate. Having a certificate signed by a recognised CA, it can be uploaded on the server and point its location.
The default filenames will be /etc/ssl/--domain.name--.key for the key and /etc/ssl/--domain.name--.crt for the certificate.
Template: jitsi-meet/cert-path-key Template: jitsi-meet/cert-path-key
Type: string Type: string
@ -39,3 +41,13 @@ _Description: Interested in adding telephony to your Jitsi meetings?
You need to: You need to:
- have a certificate signed by a recognised CA or Lets Encrypt on your deployment - have a certificate signed by a recognised CA or Lets Encrypt on your deployment
- sign in for JaaS at https://jaas.8x8.vc/components?host=${domain} - sign in for JaaS at https://jaas.8x8.vc/components?host=${domain}
Template: jitsi-meet/email
Type: string
_Description: Enter your email:
To successfully issue Let's Encrypt certificates:
.
You need a working DNS record pointing to this machine(for hostname ${domain})"
.
You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
by providing an email address for important account notifications
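Review bot: The new `jitsi-meet/email` template carries a stray closing double quote at the end of `You need a working DNS record pointing to this machine(for hostname ${domain})"`, which debconf will display verbatim in the prompt; drop the quote and add the missing space before the parenthesis, i.e. `You need a working DNS record pointing to this machine (for hostname ${domain})`. The install script prints the same sentence in its banner, so keeping the two texts identical avoids the user seeing two variants.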


@ -20,7 +20,7 @@ msgstr ""
#. Type: select #. Type: select
#. Choices #. Choices
#: ../jitsi-meet-web-config.templates:1001 #: ../jitsi-meet-web-config.templates:1001
msgid "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)" msgid "Generate a new self-signed certificate"
msgstr "" msgstr ""
#. Type: select #. Type: select


@ -1,45 +0,0 @@
#!/bin/sh
set -e
COTURN_CERT_DIR="/etc/coturn/certs"
TURN_CONFIG="/etc/turnserver.conf"
# create a directory to store certs if it does not exists
if [ ! -d "$COTURN_CERT_DIR" ]; then
mkdir -p $COTURN_CERT_DIR
chown -R turnserver:turnserver /etc/coturn/
chmod -R 700 /etc/coturn/
fi
# This is a template and when copied to /etc/letsencrypt/renewal-hooks/deploy/
# during creating the Let's encrypt certs script
# jitsi-meet.example.com will be replaced with the real domain of deployment
for domain in $RENEWED_DOMAINS; do
case $domain in
jitsi-meet.example.com)
# Make sure the certificate and private key files are
# never world readable, even just for an instant while
# we're copying them into daemon_cert_root.
umask 077
cp "$RENEWED_LINEAGE/fullchain.pem" "$COTURN_CERT_DIR/$domain.fullchain.pem"
cp "$RENEWED_LINEAGE/privkey.pem" "$COTURN_CERT_DIR/$domain.privkey.pem"
# Apply the proper file ownership and permissions for
# the daemon to read its certificate and key.
chown turnserver "$COTURN_CERT_DIR/$domain.fullchain.pem" \
"$COTURN_CERT_DIR/$domain.privkey.pem"
chmod 400 "$COTURN_CERT_DIR/$domain.fullchain.pem" \
"$COTURN_CERT_DIR/$domain.privkey.pem"
if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
echo "Configuring turnserver"
sed -i "/^cert/c\cert=\/etc\/coturn\/certs\/${domain}.fullchain.pem" $TURN_CONFIG
sed -i "/^pkey/c\pkey=\/etc\/coturn\/certs\/${domain}.privkey.pem" $TURN_CONFIG
fi
service coturn restart
;;
esac
done


@ -16,6 +16,8 @@ no-tlsv1
no-tlsv1_1 no-tlsv1_1
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4 # https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# without it there are errors when running on Ubuntu 20.04
dh2066
# jitsi-meet coturn relay disable config. Do not modify this line # jitsi-meet coturn relay disable config. Do not modify this line
denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255
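Review bot: The comment above the new `dh2066` line says only that `there are errors when running on Ubuntu 20.04`, so a maintainer deciding whether the option is still needed on a later release has nothing to go on. I would state the actual symptom and the fix in the comment, along the lines of `# Ubuntu 20.04: <error seen without this option>; dh2066 selects 2066-bit DH parameters`, or reference the issue where it was diagnosed.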

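--- a/resources/coturn-le-update.sh
+++ b/resources/coturn-le-update.sh
+#!/bin/sh
+set -e
+# This script is updating the Let's Encrypt certificates on renew or when installing
+# The only param it gets is the domain and expects the certificates to use are updated
+# in /etc/jitsi/meet folder.
+DOMAIN=$1
+if [ -z "$DOMAIN" ] ; then
+echo "You need to pass the domain as parameter."
+exit 10;
+fi
+COTURN_CERT_DIR="/etc/coturn/certs"
+TURN_CONFIG="/etc/turnserver.conf"
+# Execute only if turnconfig exist and is one managed by jitsi-meet
+if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
+# create a directory to store certs if it does not exists
+if [ ! -d "$COTURN_CERT_DIR" ]; then
+mkdir -p $COTURN_CERT_DIR
+chown -R turnserver:turnserver /etc/coturn/
+chmod -R 700 /etc/coturn/
+fi
+# Make sure the certificate and private key files are
+# never world readable, even just for an instant while
+# we're copying them into daemon_cert_root.
+umask 077
+cp "/etc/jitsi/meet/${DOMAIN}.crt" "$COTURN_CERT_DIR/${DOMAIN}.fullchain.pem"
+cp "/etc/jitsi/meet/${DOMAIN}.key" "$COTURN_CERT_DIR/${DOMAIN}.privkey.pem"
+# Apply the proper file ownership and permissions for
+# the daemon to read its certificate and key.
+chown turnserver "$COTURN_CERT_DIR/${DOMAIN}.fullchain.pem" \
+"$COTURN_CERT_DIR/${DOMAIN}.privkey.pem"
+chmod 400 "$COTURN_CERT_DIR/${DOMAIN}.fullchain.pem" \
+"$COTURN_CERT_DIR/${DOMAIN}.privkey.pem"
+echo "Configuring turnserver"
+sed -i "/^cert/c\cert=\/etc\/coturn\/certs\/${DOMAIN}.fullchain.pem" $TURN_CONFIG
+sed -i "/^pkey/c\pkey=\/etc\/coturn\/certs\/${DOMAIN}.privkey.pem" $TURN_CONFIG
+service coturn restart
+fi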
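Review bot: The comment `we're copying them into daemon_cert_root` names something that exists nowhere in this script (it is carried over from the deleted certbot deploy hook) and should say `$COTURN_CERT_DIR`. The header comment should also say when the script runs — from the turnserver postinst and as the acme.sh `--reloadcmd` — and that it copies whatever currently sits in `/etc/jitsi/meet/<domain>.crt` and `.key`, self-signed or Let's Encrypt, since the name `le-update` suggests it only handles the latter. Under `set -e` a missing source certificate makes `cp` abort the script with only cp's own message; a check such as `[ -f "/etc/jitsi/meet/${DOMAIN}.crt" ] || { echo "No certificate found for ${DOMAIN} in /etc/jitsi/meet"; exit 11; }` before the copies would make that case explicit to whoever reads the postinst or acme.sh log.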


@ -2,134 +2,64 @@
set -e set -e
DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname` echo "-------------------------------------------------------------------------"
DOMAIN="${DEB_CONF_RESULT##*:}" echo "This script will:"
echo "- Need a working DNS record pointing to this machine(for hostname ${DOMAIN})"
echo "- Install additional dependencies in order to request Lets Encrypt certificate (acme.sh)"
echo "- Configure and reload nginx or apache2, whichever is used"
echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
echo "- Configure renew of certificate"
echo ""
EMAIL=$1
if [ -z "$EMAIL" ]; then
echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
echo "by providing an email address for important account notifications"
echo -n "Enter your email and press [ENTER]: "
read EMAIL
fi
DOMAIN=$2
if [ -z "$DOMAIN" ]; then
DEB_CONF_RESULT=$(debconf-show jitsi-meet-web-config | grep jitsi-meet/jvb-hostname)
DOMAIN="${DEB_CONF_RESULT##*:}"
fi
# remove whitespace # remove whitespace
DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')" DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"
echo "-------------------------------------------------------------------------"
echo "This script will:"
echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
echo "- Install additional dependencies in order to request Lets Encrypt certificate"
echo "- Configure and reload nginx or apache2, whichever is used"
echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
echo "- Add command in weekly cron job to renew certificates regularly"
echo ""
echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
echo "by providing an email address for important account notifications"
echo -n "Enter your email and press [ENTER]: " export HOME=/opt/acmesh
read EMAIL curl https://get.acme.sh | sh -s email=$EMAIL
CERTBOT="$(command -v certbot || true)" # Checks whether nginx or apache is installed
if [ ! -x "$CERTBOT" ] ; then NGINX_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'nginx' 2>/dev/null | awk '{print $3}' || true)"
DISTRO=$(lsb_release -is) NGINX_FULL_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'nginx-full' 2>/dev/null | awk '{print $3}' || true)"
DISTRO_VERSION=$(lsb_release -rs) NGINX_EXTRAS_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'nginx-extras' 2>/dev/null | awk '{print $3}' || true)"
APACHE_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'apache2' 2>/dev/null | awk '{print $3}' || true)"
if [ "$DISTRO" != "Debian" ] && [ "$DISTRO" != "Ubuntu" ]; then RELOAD_CMD=""
echo "$DISTRO $DISTRO_VERSION is not supported" if [ "$NGINX_INSTALL_CHECK" = "installed" ] || [ "$NGINX_INSTALL_CHECK" = "unpacked" ] \
echo "Only Debian and Ubuntu 18.04+ are supported" || [ "$NGINX_FULL_INSTALL_CHECK" = "installed" ] || [ "$NGINX_FULL_INSTALL_CHECK" = "unpacked" ] \
exit 1 || [ "$NGINX_EXTRAS_INSTALL_CHECK" = "installed" ] || [ "$NGINX_EXTRAS_INSTALL_CHECK" = "unpacked" ]; then
fi RELOAD_CMD="systemctl force-reload nginx.service"
elif [ "$APACHE_INSTALL_CHECK" = "installed" ] || [ "$APACHE_INSTALL_CHECK" = "unpacked" ] ; then
if [ "$DISTRO" = "Ubuntu" ]; then RELOAD_CMD="systemctl force-reload apache2.service"
apt-get update else
apt-get -y install software-properties-common RELOAD_CMD="echo 'No webserver found'"
add-apt-repository -y universe
if [ "$DISTRO_VERSION" = "18.04" ]; then
add-apt-repository -y ppa:certbot/certbot
fi
fi
apt-get update
apt-get -y install certbot
CERTBOT="$(command -v certbot)"
fi fi
CRON_FILE="/etc/cron.weekly/letsencrypt-renew" RELOAD_CMD+=" && /usr/share/jitsi-meet/scripts/coturn-le-update.sh ${DOMAIN}"
if [ ! -d "/etc/cron.weekly" ] ; then
mkdir "/etc/cron.weekly" ISSUE_CERT_CMD="/opt/acmesh/.acme.sh/acme.sh --issue -d ${DOMAIN} -w /usr/share/jitsi-meet --server letsencrypt"
eval "${ISSUE_CERT_CMD}" || ISSUE_FAILED="true"
INSTALL_CERT_CMD="/opt/acmesh/.acme.sh/acme.sh --install-cert -d ${DOMAIN} --key-file /etc/jitsi/meet/${DOMAIN}.key --fullchain-file /etc/jitsi/meet/${DOMAIN}.crt --reloadcmd \"${RELOAD_CMD}\""
if [ "$ISSUE_FAILED" = "true" ] ; then
echo "Issuing the certificate from Let's Encrypt failed, continuing ..."
echo "You can retry later by executing:"
echo "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh $EMAIL"
else
eval "$INSTALL_CERT_CMD"
fi fi
echo "#!/bin/bash" > $CRON_FILE
echo "$CERTBOT renew >> /var/log/le-renew.log" >> $CRON_FILE
CERT_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
TURN_CONFIG="/etc/turnserver.conf"
TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
mkdir -p $(dirname $TURN_HOOK)
cp /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh $TURN_HOOK
chmod u+x $TURN_HOOK
sed -i "s/jitsi-meet.example.com/$DOMAIN/g" $TURN_HOOK
$CERTBOT certonly --noninteractive \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL \
--deploy-hook $TURN_HOOK
else
$CERTBOT certonly --noninteractive \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL
fi
echo "Configuring nginx"
CONF_FILE="/etc/nginx/sites-available/$DOMAIN.conf"
CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
sed -i "s/ssl_certificate_key\ \/etc\/jitsi\/meet\/.*key/ssl_certificate_key\ $CERT_KEY_ESC/g" \
$CONF_FILE
CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
sed -i "s/ssl_certificate\ \/etc\/jitsi\/meet\/.*crt/ssl_certificate\ $CERT_CRT_ESC/g" \
$CONF_FILE
if type service >/dev/null 2>&1
then
service nginx reload
echo "service nginx reload" >> $CRON_FILE
else
systemctl reload nginx.service
echo "systemctl reload nginx.service" >> $CRON_FILE
fi
elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
$CERTBOT certonly --noninteractive \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL
echo "Configuring apache2"
CONF_FILE="/etc/apache2/sites-available/$DOMAIN.conf"
CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
sed -i "s/SSLCertificateKeyFile\ \/etc\/jitsi\/meet\/.*key/SSLCertificateKeyFile\ $CERT_KEY_ESC/g" \
$CONF_FILE
CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
sed -i "s/SSLCertificateFile\ \/etc\/jitsi\/meet\/.*crt/SSLCertificateFile\ $CERT_CRT_ESC/g" \
$CONF_FILE
if type service >/dev/null 2>&1
then
service apache2 reload
echo "service apache2 reload" >> $CRON_FILE
else
systemctl reload apache2.service
echo "systemctl reload apache2.service" >> $CRON_FILE
fi
fi
# the cron file that will renew certificates
chmod a+x $CRON_FILE


@ -1,5 +1,5 @@
-- Prosody IM -- Prosody IM
-- Copyright (C) 2017 Atlassian -- Copyright (C) 2021-present 8x8, Inc.
-- --
local jid = require "util.jid"; local jid = require "util.jid";


@ -1,5 +1,5 @@
-- Token authentication -- Token authentication
-- Copyright (C) 2015 Atlassian -- Copyright (C) 2021-present 8x8, Inc.
local log = module._log; local log = module._log;
local host = module.host; local host = module.host;


@ -1,5 +1,5 @@
-- Token authentication -- Token authentication
-- Copyright (C) 2015 Atlassian -- Copyright (C) 2021-present 8x8, Inc.
local basexx = require "basexx"; local basexx = require "basexx";
local have_async, async = pcall(require, "util.async"); local have_async, async = pcall(require, "util.async");