Questions about the prosody certificates


#1

Assuming we set up jitsi-meet with domain name jitsi.example.com, after the installation, 2 VirtualHosts will be created in prosody with 2 sets of self-signed certificates.

VirtualHost "jitsi.example.com"
    authentication = "anonymous"
    ssl = {
        key = "/var/lib/prosody/jitsi.example.com.key";
        certificate = "/var/lib/prosody/jitsi.example.com.crt";
    }
    c2s_require_encryption = false

VirtualHost "auth.jitsi.example.com"
    ssl = {
        key = "/var/lib/prosody/auth.jitsi.example.com.key";
        certificate = "/var/lib/prosody/auth.jitsi.example.com.crt";
    }
    authentication = "internal_plain"

My questions are:

  1. The first virtual host has a “c2s_require_encryption = false”. Is it because the http-bind mapped http, i.e. http://localhost:5280/http-bind?

  2. Since c2s_require_encryption is false, is the certificate in the first virtual host mainly for the s2s communication?

  3. The certificates have an expiration date set one year from the date created. Are we supposed to update them periodically? Or is it ok for them to expire since they are self-signed anyway?

Thanks in advance!


#2

Yes and there is no s2s communication. Jitsi-meet prosody is used internally between components and there is no federation.

Yep, you are not supposed to update them.

The only certificate that needs to be taken care of, and the only client-facing one, is the one on the web server.


#3

Got it! Thanks for explaining, Damian.
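
An added example, not part of the thread and not Jitsi or Prosody code: a small audit helper that reads a Prosody config like the one in post #1 and reports, per VirtualHost, the authentication mode, the certificate path, and whether plaintext c2s is explicitly allowed. The function names and the embedded sample are assumptions; the parser only handles flat `name = "string"` and `name = true/false` lines, flattens the `ssl` block, and does not resolve global settings or Prosody defaults.

```python
import re

# Constructed sample, modelled on the configuration quoted in post #1.
SAMPLE_CONFIG = '''
VirtualHost "jitsi.example.com"
    authentication = "anonymous"
    ssl = {
        key = "/var/lib/prosody/jitsi.example.com.key";
        certificate = "/var/lib/prosody/jitsi.example.com.crt";
    }
    c2s_require_encryption = false

VirtualHost "auth.jitsi.example.com"
    ssl = {
        key = "/var/lib/prosody/auth.jitsi.example.com.key";
        certificate = "/var/lib/prosody/auth.jitsi.example.com.crt";
    }
    authentication = "internal_plain"
'''

HOST_RE = re.compile(r'^[ \t]*VirtualHost[ \t]+"([^"]+)"', re.M)
# name = "string" or name = true/false, optional ';' and trailing Lua comment.
SETTING_RE = re.compile(
    r'^[ \t]*(\w+)[ \t]*=[ \t]*(?:"([^"]*)"|(true|false))[ \t]*;?[ \t]*(?:--.*)?$', re.M)

def parse_virtual_hosts(text):
    """Return {host: {setting: value}}; commented-out lines never match."""
    hosts, found = {}, list(HOST_RE.finditer(text))
    for i, m in enumerate(found):
        end = found[i + 1].start() if i + 1 < len(found) else len(text)
        settings = {}
        for name, string_val, bool_val in SETTING_RE.findall(text[m.end():end]):
            settings[name] = (bool_val == "true") if bool_val else string_val
        hosts[m.group(1)] = settings
    return hosts

def audit(hosts):
    """Summarise each host; only an explicit 'false' is flagged as plaintext."""
    return [{
        "host": host,
        "authentication": s.get("authentication"),
        "certificate": s.get("certificate"),
        "plaintext_c2s_allowed": s.get("c2s_require_encryption") is False,
    } for host, s in hosts.items()]

if __name__ == "__main__":
    for row in audit(parse_virtual_hosts(SAMPLE_CONFIG)):
        print(row)
```

A host flagged with `plaintext_c2s_allowed` is worth checking against how it is actually reached, for example whether its client port and http-bind endpoint are only exposed on localhost as in the setup discussed above.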