haskal
/
jiti-meet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1410 from jitsi/letsencrypt-script 

Adds a script which install certificates from let's encrypt.
This commit is contained in:
Aaron van Meerten 2017-03-17 15:53:52 -05:00 committed by GitHub
parent 92f58cb3c1 8591fe00b6
commit ae41782cd4
5 changed files with 118 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
debian/jitsi-meet-web-config.postinst vendored
View File

@ -65,7 +65,7 @@ case "$1" in
# SSL for nginx # SSL for nginx
db_get jitsi-meet/cert-choice db_get jitsi-meet/cert-choice
CERT_CHOICE="$RET" CERT_CHOICE="$RET"
UPLOADED_CERT_CHOICE="A certificate is available and the files are uploaded on the server" UPLOADED_CERT_CHOICE="I want to use my own certificate"
if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] ; then if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] ; then
db_set jitsi-meet/cert-path-key "/etc/ssl/$JVB_HOSTNAME.key" db_set jitsi-meet/cert-path-key "/etc/ssl/$JVB_HOSTNAME.key"
@ -223,6 +223,13 @@ case "$1" in
invoke-rc.d apache2 reload invoke-rc.d apache2 reload
fi fi
echo "----------------"
echo ""
echo "You can now switch to a Lets Encrypt certificate. To do so, execute:"
echo "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh"
echo ""
echo "----------------"
# and we're done with debconf # and we're done with debconf
db_stop db_stop
;; ;;

3
debian/jitsi-meet-web-config.templates vendored
View File

@ -1,9 +1,10 @@
Template: jitsi-meet/cert-choice Template: jitsi-meet/cert-choice
Type: select Type: select
__Choices: Self-signed certificate will be generated, A certificate is available and the files are uploaded on the server __Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
_Description: SSL certificate for the Jitsi Meet instance _Description: SSL certificate for the Jitsi Meet instance
Jitsi Meet is best to be set up with an SSL certificate. Jitsi Meet is best to be set up with an SSL certificate.
Having no certificate, a self-signed one will be generated. Having no certificate, a self-signed one will be generated.
By choosing self-signed you will later have a chance to install Lets Encrypt certificates.
Having a certificate signed by a recognised CA, it can be uploaded on the server Having a certificate signed by a recognised CA, it can be uploaded on the server
and point its location. The default filenames will be /etc/ssl/--domain.name--.key and point its location. The default filenames will be /etc/ssl/--domain.name--.key
for the key and /etc/ssl/--domain.name--.crt for the certificate. for the key and /etc/ssl/--domain.name--.crt for the certificate.

1
debian/jitsi-meet-web.install vendored
View File

@ -9,3 +9,4 @@ fonts /usr/share/jitsi-meet/
images /usr/share/jitsi-meet/ images /usr/share/jitsi-meet/
lang /usr/share/jitsi-meet/ lang /usr/share/jitsi-meet/
connection_optimization /usr/share/jitsi-meet/ connection_optimization /usr/share/jitsi-meet/
resources/*.sh /usr/share/jitsi-meet/scripts/

4
debian/po/templates.pot vendored
View File

@ -20,13 +20,13 @@ msgstr ""
#. Type: select #. Type: select
#. Choices #. Choices
#: ../jitsi-meet-web-config.templates:1001 #: ../jitsi-meet-web-config.templates:1001
msgid "Self-signed certificate will be generated" msgid "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
msgstr "" msgstr ""
#. Type: select #. Type: select
#. Choices #. Choices
#: ../jitsi-meet-web-config.templates:1001 #: ../jitsi-meet-web-config.templates:1001
msgid "A certificate is available and the files are uploaded on the server" msgid "I want to use my own certificate"
msgstr "" msgstr ""
#. Type: select #. Type: select

105
resources/install-letsencrypt-cert.sh Executable file
View File

@ -0,0 +1,105 @@
#!/bin/bash
set -e
DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname`
DOMAIN="${DEB_CONF_RESULT##*:}"
# remove whitespace
DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"
echo "-------------------------------------------------------------------------"
echo "This script will:"
echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
echo "- Install additional dependencies in order to request Lets Encrypt certificate"
echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
echo "- Configure and reload nginx or apache2, whichever is used"
echo ""
echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
echo "by providing an email address for important account notifications"
echo -n "Enter your email and press [ENTER]: "
read EMAIL
cd /usr/local/sbin
if [ ! -f certbot-auto ] ; then
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
fi
CRON_FILE="/etc/cron.weekly/letsencrypt-renew"
echo "#!/bin/bash" > $CRON_FILE
echo "/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log" >> $CRON_FILE
CERT_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
./certbot-auto certonly --noninteractive \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL
echo "Configuring nginx"
CONF_FILE="/etc/nginx/sites-available/$DOMAIN.conf"
CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
sed -i "s/ssl_certificate_key\ \/etc\/jitsi\/meet\/.*key/ssl_certificate_key\ $CERT_KEY_ESC/g" \
$CONF_FILE
CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
sed -i "s/ssl_certificate\ \/etc\/jitsi\/meet\/.*crt/ssl_certificate\ $CERT_CRT_ESC/g" \
$CONF_FILE
echo "service nginx reload" >> $CRON_FILE
service nginx reload
elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
./certbot-auto certonly --noninteractive \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL
echo "Configuring apache2"
CONF_FILE="/etc/apache2/sites-available/$DOMAIN.conf"
CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
sed -i "s/SSLCertificateKeyFile\ \/etc\/jitsi\/meet\/.*key/SSLCertificateKeyFile\ $CERT_KEY_ESC/g" \
$CONF_FILE
CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
sed -i "s/SSLCertificateFile\ \/etc\/jitsi\/meet\/.*crt/SSLCertificateFile\ $CERT_CRT_ESC/g" \
$CONF_FILE
echo "service apache2 reload" >> $CRON_FILE
service apache2 reload
else
service jitsi-videobridge stop
./certbot-auto certonly --noninteractive \
--standalone \
-d $DOMAIN \
--agree-tos --email $EMAIL
echo "Configuring jetty"
CERT_P12="/etc/jitsi/videobridge/$DOMAIN.p12"
CERT_JKS="/etc/jitsi/videobridge/$DOMAIN.jks"
# create jks from certs
openssl pkcs12 -export \
-in $CERT_CRT -inkey $CERT_KEY -passout pass:changeit > $CERT_P12
keytool -importkeystore -destkeystore $CERT_JKS \
-srckeystore $CERT_P12 -srcstoretype pkcs12 \
-noprompt -storepass changeit -srcstorepass changeit
service jitsi-videobridge start
fi
# the cron file that will renew certificates
chmod a+x $CRON_FILE