Error occurred while installing Let's Encrypt on ubuntu 20

I installed jitsi meet server on ubuntu version 20 and tried to install let’s encrypt by running the following command.

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

the following error occurs:


This script will:

  • Need a working DNS record pointing to this machine(for hostname )

  • Install additional dependencies in order to request Let’s Encrypt certificate (acme.sh)

  • Configure and reload nginx or apache2, whichever is used

  • Configure the coturn server to use Let’s Encrypt certificate and add required deploy hooks

  • Configure renew of certificate

    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 1032 0 1032 0 0 226 0 --:–:-- 0:00:04 --:–:-- 226
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 214k 100 214k 0 0 31676 0 0:00:06 0:00:06 --:–:-- 29897
    [Sat 19 Nov 2022 11:36:27 PM EST] Installing from online archive.
    [Sat 19 Nov 2022 11:36:27 PM EST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
    [Sat 19 Nov 2022 11:36:44 PM EST] Extracting master.tar.gz
    [Sat 19 Nov 2022 11:36:44 PM EST] It is recommended to install socat first.
    [Sat 19 Nov 2022 11:36:44 PM EST] We use socat for standalone server if you use standalone mode.
    [Sat 19 Nov 2022 11:36:44 PM EST] If you don’t use standalone mode, just ignore this warning.
    [Sat 19 Nov 2022 11:36:44 PM EST] Installing to /opt/acmesh/.acme.sh
    [Sat 19 Nov 2022 11:36:44 PM EST] Installed to /opt/acmesh/.acme.sh/acme.sh
    [Sat 19 Nov 2022 11:36:44 PM EST] No profile is found, you will need to go into /opt/acmesh/.acme.sh to use acme.sh
    [Sat 19 Nov 2022 11:36:44 PM EST] Installing cron job
    17 0 * * * “/opt/acmesh/.acme.sh”/acme.sh --cron --home “/opt/acmesh/.acme.sh” > /dev/null
    [Sat 19 Nov 2022 11:36:44 PM EST] Good, bash is found, so change the shebang to use bash as preferred.
    [Sat 19 Nov 2022 11:36:51 PM EST] OK
    [Sat 19 Nov 2022 11:36:51 PM EST] Install success!
    [Sat 19 Nov 2022 11:36:52 PM EST] Single domain=‘mydomain’
    [Sat 19 Nov 2022 11:36:52 PM EST] Getting domain auth token for each domain
    [Sat 19 Nov 2022 11:36:57 PM EST] Getting webroot for domain=‘mydomain’
    [Sat 19 Nov 2022 11:36:57 PM EST] Verifying: mydomain
    [Sat 19 Nov 2022 11:36:59 PM EST] Pending, The CA is processing your order, please just wait. (1/30)
    [Sat 19 Nov 2022 11:37:03 PM EST] mydomain:Verify error:mypublicip: Invalid response from http://mydomain.com/.well-known/acme-challenge/pHZXil1RIZBde7GRPaEaQk-rcwkkr1hFqCMvtzrkwhM: 403
    Issuing the certificate from Let’s Encrypt failed, continuing …

What could be the issue?

Can you share your Nginx site config?

file: /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 768;
  # multi_accept on;
}

http {

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  # server_tokens off;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ##
  # SSL Settings
  ##

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;

  ##
  # Logging Settings
  ##

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  gzip on;

  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  ##
  # Virtual Host Configs
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}


#mail {
#  # See sample authentication script at:
#  # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#  # auth_http localhost/auth.php;
#  # pop3_capabilities "TOP" "USER";
#  # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#  server {
#    listen     localhost:110;
#    protocol   pop3;
#    proxy      on;
#  }
# 
#  server {
#    listen     localhost:143;
#    protocol   imap;
#    proxy      on;
#  }
#}

file: /etc/nginx/sites-available/meet.ghalibqjournal.com.conf

#server_names_hash_bucket_size 64;

types {
# nginx's default mime.types doesn't include a mapping for wasm or wav.
    application/wasm     wasm;
    audio/wav            wav;
}
upstream prosody {
    zone upstreams 64K;
    server 127.0.0.1:5280;
    keepalive 2;
}
upstream jvb1 {
    zone upstreams 64K;
    server 127.0.0.1:9090;
    keepalive 2;
}
server {
    listen 80;
    listen [::]:80;
    server_name meet.ghalibqjournal.com;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name meet.ghalibqjournal.com;

    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    set $prefix "";

    ssl_certificate /etc/jitsi/meet/meet.ghalibqjournal.com.crt;
    ssl_certificate_key /etc/jitsi/meet/meet.ghalibqjournal.com.key;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /config.js {
        alias /etc/jitsi/meet/meet.ghalibqjournal.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    location = /_api/room-info {
        proxy_pass http://prosody/room-info?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;

        # cache all versioned files
        if ($arg_v) {
            expires 1y;
        }
    }

    # BOSH
    location = /http-bind {
        proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header Connection "";
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
        proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }
# load test minimal client, uncomment when used
    #location ~ ^/_load-test/([^/?&:'"]+)$ {
    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
    #}
    #location ~ ^/_load-test/libs/(.*)$ {
    #    add_header 'Access-Control-Allow-Origin' '*';
    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
    #}

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
        set $subdomain "$1.";
        set $subdir "$1/";

        alias /etc/jitsi/meet/meet.ghalibqjournal.com-config.js;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }

    location ~ ^/([^/?&:'"]+)/_api/room-info {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /_api/room-info;
    }

    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
}

Many parts are missing in this config (meet.ghalibqjournal.com.conf).

sorry, the file hasn’t been copied completely. I just edit my reply and pasted the complete meet.ghalibqjournal.com.conf file