[jitsi-dev] Certificates for jitsi meet doesn't work after success "acmetool quickstart"


#1

Hi,

I am using Ubuntu 16.04 with Apache2.

I installed the acme certificate on my "subdomain.example.com" domain and
it was successfully completed. I am able to see the certificates under:

  /var/lib/acme/live/subdomain.example.com --> ../certs/...

But when I try again to open jitsi-meet with Https://subdomain.example.com ,
I still receive "Your connection is not private"

My ports.conf file is:

# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

I defined in my DNS a new record for subdomain.example.com.

Should I also define a DNS record for example.com? I don't want to damage
my website that runs with HTTP and not HTTPS. I just want to be able to use
https for jitsi-meet with my sub domain.

Please help!

Thanks,
David


#2

Hi,

Do you use the correct certificates in the apache config?
The certificates used for jitsi meet are only managed by the web
server and there are no other configurations needed.

Regards
damencho

···

On Mon, Nov 21, 2016 at 5:05 PM, David King <davidbking086@gmail.com> wrote:

Hi,

I am using Ubuntu 16.04 with Apache2.

I installed the acme certificate on my "subdomain.example.com" domain and it
was successfully completed. I am able to see the certificates under:

  /var/lib/acme/live/subdomain.example.com --> ../certs/...

But when I try again to open jitsi-meet with Https://subdomain.example.com ,
I still receive "Your connection is not private"

My ports.conf file is:

# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

I defined in my DNS a new record for subdomain.example.com.

Should I also define a DNS record for example.com? I don't want to damage my
website that runs with HTTP and not HTTPS. I just want to be able to use
https for jitsi-meet with my sub domain.

Please help!

Thanks,
David

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#3

Hi Damencho,

I followed this tutorial:

https://medium.com/@griggheo/protect-your-site-for-free-with-let-s-encrypt-ssl-certificates-and-acmetool-3139dd5af5d0#.p89m8ykyy

How should I put the correct certificates in the apache config? I just set
the ports there. Which file? and which certificates?

Thanks,
David

···

On Tue, Nov 22, 2016 at 2:37 AM, Damian Minkov <damencho@jitsi.org> wrote:

Hi,

Do you use the correct certificates in the apache config?
The certificates used for jitsi meet are only managed by the web
server and there are no other configurations needed.

Regards
damencho



#4

Hi,

I'm not familiar with acme certificates and the current mailing list is
not the correct place to ask about it, sorry.
Not sure how you configured jitsi-meet with apache, but I suppose you
should put the certificates in your virtualhost. Take a look at the
default nginx config that comes with jitsi-meet:
https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example#L18
Mind that those lines are just an example, and the post install script in
the package modifies them, based on the user input in the dialog
asking for path to the cert and the key file.
Hope this helps.

Regards
damencho

···

On Tue, Nov 22, 2016 at 9:03 AM, David King <davidbking086@gmail.com> wrote:

Hi Damencho,

I followed this tutorial:

https://medium.com/@griggheo/protect-your-site-for-free-with-let-s-encrypt-ssl-certificates-and-acmetool-3139dd5af5d0#.p89m8ykyy

How should I put the correct certificates in the apache config? I just set
the ports there. Which file? and which certificates?

Thanks,
David



#5

Hi Damencho,

I used the jitsi-meet quick install. It doesn't require installing nginx.

https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md

I installed apache desperately for the acme certificates.

Do I need to install nginx?

Thanks,
David

···

On Tue, Nov 22, 2016 at 5:15 PM, Damian Minkov <damencho@jitsi.org> wrote:

Hi,

I'm not familiar with acme certificates and the current mailing list is
not the correct place to ask about it, sorry.
Not sure how you configured jitsi-meet with apache, but I suppose you
should put the certificates in your virtualhost. Take a look at the
default nginx config that comes with jitsi-meet:
https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example#L18
Mind that those lines are just an example, and the post install script in
the package modifies them, based on the user input in the dialog
asking for path to the cert and the key file.
Hope this helps.

Regards
damencho



#6

Hi,

When jitsi-meet is installed on ubuntu where java8 is available it
configures jvb to serve jitsi-meet using its embedded jetty server.
I'm currently working on updating the debian packages and found a bug
in the postinstall scripts where in such situation it is not asking
for certificate location but just uses the default paths which are:
/etc/ssl/$JVB_HOSTNAME.crt
/etc/ssl/$JVB_HOSTNAME.key
Where $JVB_HOSTNAME is the service name entered when installing.

If you want to install with nginx configured, you need to install nginx
before installing jitsi-meet (on clean install or after purging what
is currently installed).
Our debian packages do not currently configure apache, and if you want
to install with apache there are several manual steps to configure
apache and jvb correctly (steps are removing configuration for jetty
serving meet from jvb config file and then configure apache).
If you are currently experimenting with a deployment and want to install
certs correctly I would say you have two options:
- purge everything, put your certs in the correct path with correct
name (/etc/ssl/subdomain.example.com.crt and
/etc/ssl/subdomain.example.com.key), install jvb and it should be
configured to use those certs. And this in case if java8 is available.
- purge everything, install nginx, then install jitsi-meet; it will
configure nginx and will ask you for the cert files paths.
Hope this helps.

We are currently working on updating the debian packages, the bug I
mentioned with configuring jvb's jetty and not asking for cert files
will be fixed. New packages will be decoupled and can be installed on
different machines without requiring each other, and will also detect
whether apache is installed on machine where you install jitsi-meet
and will skip some steps so it will minimize the steps for correctly
configuring apache to serve meet and later we can add configuring
apache to the packages. But the last with apache will come later as a
second step of those updates.

Regards
damencho

···

On Tue, Nov 22, 2016 at 10:06 AM, David King <davidbking086@gmail.com> wrote:

Hi Damencho,

I used the jitsi-meet quick install. It doesn't require installing nginx.

https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md

I installed apache desperately for the acme certificates.

Do I need to install nginx?

Thanks,
David


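The first option in message #6 (certificate and key at the default jetty paths /etc/ssl/$JVB_HOSTNAME.crt and /etc/ssl/$JVB_HOSTNAME.key), as an added example that is not part of the original thread or of the jitsi packages. It assumes that acmetool's live directory contains "fullchain" and "privkey" files and that openssl is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not jitsi's packaging code). Assumes acmetool's live
# directory holds "fullchain" and "privkey"; function names are hypothetical.

# 0 if the leaf certificate in $1 is valid for hostname $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# 0 if the leaf certificate in $1 has not expired yet.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if private key $2 belongs to the leaf certificate in $1
# (compares the public key derived from each file).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# stage_jvb_cert HOST [LIVE_DIR] [DEST_DIR]
# Copies the certificate and key to DEST_DIR/HOST.crt and DEST_DIR/HOST.key
# after checking that they are usable for HOST.
# Returns: 0 ok, 2 files missing, 3 hostname not covered,
#          4 expired, 5 key/cert mismatch, 6 copy failed.
stage_jvb_cert() {
    host=$1
    live=${2:-/var/lib/acme/live/$host}
    dest=${3:-/etc/ssl}
    [ -r "$live/fullchain" ] && [ -r "$live/privkey" ] || return 2
    cert_covers_host "$live/fullchain" "$host" || return 3
    cert_not_expired "$live/fullchain" || return 4
    key_matches_cert "$live/fullchain" "$live/privkey" || return 5
    install -m 0644 "$live/fullchain" "$dest/$host.crt" || return 6
    install -m 0600 "$live/privkey" "$dest/$host.key" || return 6
}

# Run only when a hostname is given on the command line, e.g.
#   sh stage-jvb-cert.sh subdomain.example.com
if [ "$#" -ge 1 ]; then
    stage_jvb_cert "$@"
fi
```

The staged files are copies, so they do not follow acmetool's renewals.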

#7

Thanks Damian.

Can you please send me the right installation guide, so I will have it for
once and for all (including nginx and certificates)?

nginx was not part of the quick install.

In addition, are you saying that the jitsi-meet certificates should be good
enough? So no reason to use acme or any other certificates? Are those
certificates renewed automatically?

Thanks,
David

···

On Tue, Nov 22, 2016 at 6:34 PM, Damian Minkov <damencho@jitsi.org> wrote:

Hi,

When jitsi-meet is installed on ubuntu where java8 is available it
configures jvb to serve jitsi-meet using its embedded jetty server.
I'm currently working on updating the debian packages and found a bug
in the postinstall scripts where in such situation it is not asking
for certificate location but just uses the default paths which are:
/etc/ssl/$JVB_HOSTNAME.crt
/etc/ssl/$JVB_HOSTNAME.key
Where $JVB_HOSTNAME is the service name entered when installing.

If you want to install with nginx configured, you need to install nginx
before installing jitsi-meet (on clean install or after purging what
is currently installed).
Our debian packages do not currently configure apache, and if you want
to install with apache there are several manual steps to configure
apache and jvb correctly (steps are removing configuration for jetty
serving meet from jvb config file and then configure apache).
If you are currently experimenting with a deployment and want to install
certs correctly I would say you have two options:
- purge everything, put your certs in the correct path with correct
name (/etc/ssl/subdomain.example.com.crt and
/etc/ssl/subdomain.example.com.key), install jvb and it should be
configured to use those certs. And this in case if java8 is available.
- purge everything, install nginx, then install jitsi-meet; it will
configure nginx and will ask you for the cert files paths.
Hope this helps.

We are currently working on updating the debian packages, the bug I
mentioned with configuring jvb's jetty and not asking for cert files
will be fixed. New packages will be decoupled and can be installed on
different machines without requiring each other, and will also detect
whether apache is installed on machine where you install jitsi-meet
and will skip some steps so it will minimize the steps for correctly
configuring apache to serve meet and later we can add configuring
apache to the packages. But the last with apache will come later as a
second step of those updates.

Regards
damencho



#8

Hi,

> In addition, are you saying that the jitsi-meet certificates should be good
> enough? So no reason to use acme or any other certificates? Are those
> certificates renewed automatically?

I don't get this. If you install jitsi-meet it will ask for
certificates, that you need to provide (buy certificates from cert
authority). If you do not have those, you can always use self-signed
certs, which is the other option.

Nginx is not the default method of installation for reasons. If you
install everything on one machine jetty is the preferred way, cause
jvb will use port 443 for serving meet and also for tcp fallback,
which in some corporate networks where there is no udp and only ports
443 and 80 are allowed. If you install nginx, nginx will use port 443
and jvb will use by default port 4443 for tcp fallback and there can
be networks where this port will not be allowed.
If you want to install jitsi-meet with nginx on clean you just need to:
  apt-get install nginx
  apt-get install jitsi-meet

Regards
damencho

···

On Tue, Nov 22, 2016 at 12:06 PM, David King <davidbking086@gmail.com> wrote: