Secure jitsi-meet with letsencrypt

Hello,
I can’t get a certificate with Let’s Encrypt with your script.
Server: VM with Debian 10.7
Jitsi: latest stable release
I created the subdirectories /.well-known/acme-challenge under /usr/share/jitsi-meet. A test file in this directory is accessible with the URL http://meet.xxx.xxx/.well-known/acme-challenge/test. I can also start Jitsi with https://meet.xxx.xxx with the initial self-signed certificate.
But if I start the acme-script I get this:


This script will:

  • Need a working DNS record pointing to this machine (for domain meet.xxx.xxx)
  • Download certbot-auto from https://dl.eff.org to /usr/local/sbin
  • Install additional dependencies in order to request Let’s Encrypt certificate
  • If running with jetty serving web content, will stop Jitsi Videobridge
  • Configure and reload nginx or apache2, whichever is used
  • Configure the coturn server to use Let’s Encrypt certificate and add required deploy hooks
  • Add command in weekly cron job to renew certificates regularly

You need to agree to the ACME server’s Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
by providing an email address for important account notifications
Enter your email and press [ENTER]: sysop@xxx.xxx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for meet.xxx.xxx
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. meet.xxx.xxx (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://meet.xxx.xxx/.well-known/acme-challenge/0I2PRjywc5JjosXGzrTNStZaZWfsyq-NRwhtEiT1XKs: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: meet.xxx.xxx
    Type: connection
    Detail: Fetching
    http://meet.xxx.xxx/.well-known/acme-challenge/0I2PRjywc5JjosXGzrTNStZaZWfsyq-NRwhtEiT1XKs:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

In the nginx access.log I can see the access attempts:

52.28.236.88 - - [12/Dec/2020:11:28:20 +0100] "GET /.well-known/acme-challenge/0I2PRjywc5JjosXGzrTNStZaZWfsyq-NRwhtEiT1XKs HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

If I look into the directory /usr/share/jitsi-meet/.well-known/acme-challenge during the verification, I can see the generated file 0I2PRjywc5JjosXGzrTNStZaZWfsyq-NRwhtEiT1XKs.
Do you have any idea why that error appears?
Thanks
Micha

You are looking at this file directory from the point of view of the Let’s Encrypt client; in this case your server is a client. What you should do to check is to assume the role of the Let’s Encrypt server, that is, access this directory via the Internet. Create a phony file in this directory and try to access it by its URL.

A test file in this directory is accessible with the URL http://meet.xxx.xxx/.well-known/acme-challenge/test.

I also did this… I created a simple txt file named ‘test’ in this directory and I could access this file with a browser from another client over the internet (not the local network).

I surely missed that in your initial post.
What you should make sure of is whether your client on the internet has no special authorization; if your provider has a firewall, maybe there is an exception for the client IP address you used? You can do a realistic test with this URL:

If it fails with this site, you will get advanced diagnostics helping you to understand what is wrong. If your site is all right there and you still can’t get a certificate (you have to retry each time you fix something :-)), go to community.letsencrypt.org. You will get the best help there.
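The two replies above boil down to one check: stop looking at the webroot from the server's own point of view and fetch the challenge URL the way the validation server does. A browser test from a single client only exercises the one address and route that client happens to use; the certbot notes above point at DNS A/AAAA records, public routability and firewalls, and the validator may connect to a different address (for example the AAAA record) or from a different network than the client you tested with. The script below is an added example written for this page, not code from the thread or from the Jitsi or certbot projects. It resolves every A and AAAA record for the name, connects to each address on port 80 with the Host header set, requests /.well-known/acme-challenge/<token> and compares the body with the expected key authorization (the content of the file certbot writes under the webroot, token + "." + account-key thumbprint; for a 43-character token such as the one in the log above that is 87 bytes, which matches the "200 87" in the nginx access log). The domain meet.example.org, the script name and the command-line layout are assumptions for illustration; the `resolve` and `fetch` parameters exist so the logic can be exercised offline with fakes.

```python
"""Re-run the http-01 check from the outside, per published address, the way an
ACME validation server would. Added example for this thread; not project code.
Usage (hypothetical): python3 check_http01.py meet.example.org <token> <token>.<thumbprint>
"""
import http.client
import socket
import sys
from dataclasses import dataclass

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class AddrResult:
    family: str      # "IPv4" or "IPv6"
    address: str
    ok: bool
    detail: str


def resolve_all(domain):
    """All A and AAAA records for `domain` as (family, ip) pairs, deduplicated.
    The validator may use either family, so every published address must work."""
    seen, out = set(), []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        ip = sockaddr[0]
        if ip not in seen:
            seen.add(ip)
            out.append(("IPv6" if fam == socket.AF_INET6 else "IPv4", ip))
    return out


def fetch_challenge(address, domain, token, timeout=10.0):
    """GET the challenge URL from one specific address, with Host set to the
    domain so a name-based vhost answers. Returns (status, body); raises on
    connect/transfer errors (socket.timeout is an OSError)."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def check_http01(domain, token, key_authorization, resolve=resolve_all, fetch=fetch_challenge):
    """Validate from every published address. Returns (all_ok, [AddrResult]).
    all_ok is False when there are no records or any address fails, since a
    single unreachable address is enough for the validator to time out."""
    results = []
    for family, ip in resolve(domain):
        try:
            status, body = fetch(ip, domain, token)
        except (OSError, http.client.HTTPException) as exc:
            results.append(AddrResult(family, ip, False, f"connect/transfer failed: {exc!r}"))
            continue
        if status != 200:
            results.append(AddrResult(family, ip, False, f"HTTP {status}"))
        elif body.rstrip() != key_authorization:
            # The validator compares the body (trailing whitespace ignored) with
            # the key authorization; a stale or wrong file gives 200 but fails.
            results.append(AddrResult(family, ip, False, "body is not the expected key authorization"))
        else:
            results.append(AddrResult(family, ip, True, f"HTTP 200, {len(body)} bytes"))
    return bool(results) and all(r.ok for r in results), results


if __name__ == "__main__":
    # The token and key authorization come from the pending challenge, e.g. the
    # file name and content certbot writes under the webroot during validation.
    dom, tok, keyauth = sys.argv[1:4]
    ok, res = check_http01(dom, tok, keyauth)
    for r in res:
        print(f"{r.family:4} {r.address:40} {'OK  ' if r.ok else 'FAIL'} {r.detail}")
    sys.exit(0 if ok else 1)
```

Run it from a host outside the provider's network (and outside any firewall exception for your own client address), while the challenge file exists; a per-address result that reads "connect/transfer failed" for one family while the other returns 200 is the pattern to look for when the access log shows a successful fetch but certbot still reports a connect timeout.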

OK, I did the test with check-your-website.server-daten.de and everything seems to be OK. I will contact the Let’s Encrypt community.
Thanks
Micha