Jitsi docker - let's encrypt

Hello, I am trying to run Jitsi for the first time. I am running dockerized Jitsi on macOS via Docker Desktop. (I know Jitsi does not support Mac.)
I am using the guide - Self-Hosting Guide - Docker | Jitsi Meet

Services started successfully.


In the browser I get “Your connection is not private”. I gathered from other Jitsi posts that I need to use real Let’s Encrypt certificates.

Question:
Can you guys point me to how to create and configure the certificates? (It is my first attempt with Jitsi :slight_smile:)

  • You need an FQDN for your Jitsi server, e.g. jitsi.mydomain.com

  • A DNS “A record” for this FQDN which points to your server IP address.

OK, thanks Emrah, but what about generating Let’s Encrypt certificates? Or do you assume the problem is the FQDN and DNS?
Is there a Jitsi manual on how to configure it?

Not familiar with Docker setup but according to the guide, it is handled automatically.

Nice, thanks Emrah. Is there a place I can check that the certificates are generated?

And for the DNS and FQDN, what are the steps?

Enabling Let’s Encrypt is documented in the handbook: Self-Hosting Guide - Docker | Jitsi Meet

For testing purposes you can just use the self-signed certificates; the way to bypass that screen in Chrome is to type “thisisunsafe” without quotes.

Yeah, thanks saghul. I made these changes:

# Directory where all configuration will be stored
CONFIG=~/.jitsi-meet-cfg

# Exposed HTTP port
HTTP_PORT=80

# Exposed HTTPS port
HTTPS_PORT=443

# System time zone
TZ=UTC

# Public URL for the web service (required)
PUBLIC_URL=https://domain.domain.com

ENABLE_HTTP_REDIRECT=1

# Enable Let’s Encrypt certificate generation
ENABLE_LETSENCRYPT=1

# Domain for which to generate the certificate
LETSENCRYPT_DOMAIN=domain.domain.com

# E-Mail for receiving important account notifications (mandatory)
LETSENCRYPT_EMAIL=alice@domain.com

After restarting the containers I can’t reach the URL. How do I troubleshoot?

Docker container logs:

"status": 429
}
[Fri Sep 9 09:44:06 UTC 2022] Please add '--debug' or '--log' to check more details.
[Fri Sep 9 09:44:06 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
./acme.sh: 7288: shift: can't shift that many
[Fri Sep 9 09:44:28 UTC 2022] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
"status": 429
}
[Fri Sep 9 09:44:28 UTC 2022] Please add '--debug' or '--log' to check more details.
[Fri Sep 9 09:44:28 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
./acme.sh: 7288: shift: can't shift that many
[Fri Sep 9 09:44:50 UTC 2022] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
"status": 429
}
[Fri Sep 9 09:44:50 UTC 2022] Please add '--debug' or '--log' to check more details.
[Fri Sep 9 09:44:50 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
./acme.sh: 7288: shift: can't shift that many
[Fri Sep 9 09:45:12 UTC 2022] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
"status": 429
}
[Fri Se

I think you might need to disable this for LE to work.

You’re going to have to wait, since you failed too many times.

Oh, ok.
But how do I fix the problem? After waiting I will hit the same issue again, right? :slight_smile:

And apart from disabling the property ENABLE_HTTP_REDIRECT=1, should I pay attention to something else? Is it valid to use domain.domain.com for the domain and public URL?

The problem is you failed too many times. You need to wait now. You can test on the staging LE platform, there is an env var for that. It’s not a valid cert, but it will allow you to know if things are working ok.

I assume you are using a real domain with a working DNS record. In that case, yes.
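An added example, not code from this thread or from the docker-jitsi-meet project: a small linter for the Let’s Encrypt part of a docker-jitsi-meet .env that checks the prerequisites discussed above (FQDN vs. PUBLIC_URL, mandatory e-mail, port 80 for the HTTP-01 challenge, the ENABLE_HTTP_REDIRECT hint, and testing against staging first so repeated failures do not trip the failed-validation rate limit). It assumes the LETSENCRYPT_USE_STAGING variable name from the project’s env.example, and the sample input is a constructed copy of the .env posted in the thread, typo included.

```python
from urllib.parse import urlsplit

# Keys from docker-jitsi-meet's env.example that matter for Let's Encrypt. The
# LETSENCRYPT_USE_STAGING name is taken from env.example, not from this thread.
LE_KEYS = {"ENABLE_LETSENCRYPT", "LETSENCRYPT_DOMAIN", "LETSENCRYPT_EMAIL",
           "LETSENCRYPT_USE_STAGING", "ENABLE_HTTP_REDIRECT", "PUBLIC_URL",
           "HTTP_PORT", "HTTPS_PORT"}

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and '#' comments."""
    env = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def lint_letsencrypt(env):
    """Return (code, message) findings; an empty list means issuance can be tried."""
    out = []
    for key in env:  # near-miss spellings such as the thread's ETSENCRYPT_EMAIL
        if key not in LE_KEYS and any(key in k or k in key for k in LE_KEYS):
            out.append(("typo_key", f"{key} is not a known key (misspelling?)"))
    if env.get("ENABLE_LETSENCRYPT") != "1":
        return out  # self-signed mode: nothing else applies
    domain = env.get("LETSENCRYPT_DOMAIN", "")
    host = urlsplit(env.get("PUBLIC_URL", "")).hostname or ""
    if "." not in domain:
        out.append(("local_domain", "LE needs a public FQDN with an A record; use self-signed locally"))
    if host != domain:
        out.append(("domain_mismatch", f"PUBLIC_URL host {host!r} != LETSENCRYPT_DOMAIN {domain!r}"))
    if not env.get("LETSENCRYPT_EMAIL"):
        out.append(("missing_email", "LETSENCRYPT_EMAIL is mandatory"))
    if env.get("HTTP_PORT", "80") != "80":
        out.append(("http_port", "the HTTP-01 challenge must reach the container on port 80"))
    if env.get("ENABLE_HTTP_REDIRECT") == "1":
        out.append(("redirect_on", "ENABLE_HTTP_REDIRECT=1 was flagged in the thread; disable it while issuing"))
    if env.get("LETSENCRYPT_USE_STAGING") != "1":
        out.append(("not_staging", "test against staging first: failed validations are rate limited (HTTP 429)"))
    return out

# Constructed sample: the .env posted in the thread, including its ETSENCRYPT_EMAIL typo.
THREAD_ENV = """PUBLIC_URL=https://domain.domain.com
HTTP_PORT=80
ENABLE_HTTP_REDIRECT=1
ENABLE_LETSENCRYPT=1
LETSENCRYPT_DOMAIN=domain.domain.com
ETSENCRYPT_EMAIL=alice@domain.com"""

def finding_codes(text):
    return sorted(code for code, _ in lint_letsencrypt(parse_env(text)))
```

Running `lint_letsencrypt(parse_env(THREAD_ENV))` reports the misspelled e-mail key, the missing e-mail, the redirect flag and the lack of staging; once those are addressed the list is empty and a real issuance attempt is reasonable.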

Ok, just to confirm - even for running local docker for testing purposes I need a real domain name and DNS?

No, for testing you can just use the self-signed certificate.

I am lost :-).
Configuring the things above, I tried to run a test environment just to evaluate Jitsi.

I used the link:

What do I need to change to work with self-signed certificates?

I went back to the very beginning and bypassed the browser warning as you recommended.

The system keeps reconnecting:

36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.27.0.1 - - [09/Sep/2022:14:44:25 +0000] "GET /sounds/reactions-thumbs-up.mp3 HTTP/2.0" 206 79912 "https://localhost/abba" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.27.0.1 - - [09/Sep/2022:14:44:25 +0000] "GET /sounds/reactions-applause.mp3 HTTP/2.0" 206 70729 "https://localhost/abba" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.27.0.1 - - [09/Sep/2022:14:44:25 +0000] "GET /sounds/reactions-laughter.mp3 HTTP/2.0" 206 76989 "https://localhost/abba" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.27.0.1 - - [09/Sep/2022:14:44:25 +0000] "GET /sounds/reactions-surprise.mp3 HTTP/2.0" 206 68639 "https://localhost/abba" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.27.0.1 - - [09/Sep/2022:14:44:25 +0000] "GET /sounds/reactions-crickets.mp3 HTTP/2.0" 206 118536 "https://localhost/abba" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.27.0.1 - - [09/Sep/2022:14:44:25 +0000] "GET /sounds/rejected.wav HTTP/2.0" 206 69236 "https://localhost/abba" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"

I know I am going in circles, sorry about that (it is the first time I am trying to run the system).

How can I check that I am using self-signed certificates?
Which configuration parameters should I verify to make the system work?

I’d suggest you start from scratch. That is, a fresh .env file and delete ~/.jitsi-meet-cfg

Self-signed certificates will be generated by default and you should be able to access the site at https://localhost:8443 (after accepting the self-signed cert).