[SOLVED] How to change SSL certificate (no Let's Encrypt cert) - without complete reinstall?

Hey Guys,

My Jitsi Meet instance is running on a Debian 10 Buster VM. We use a wildcard certificate, which will expire in 28 days. Yesterday I replaced the certificate with the new one in the default path, which was used in the initial installation of Jitsi:

/etc/ssl/wildcard.crt

After replacing the certificate, the browser recognized and presented the new cert. I thought everything was fine. After checking ssllabs.com for my domain - it still reported the old certificate.

I was verifying it on the local machine with:

echo | openssl s_client -servername %localipaddress% -connect %localipaddress%:443 2>/dev/null | openssl x509 -noout -dates

And got the same result for port "443". It still presented me the old cert.

After digging into the nginx configuration I found out that the web instance (Jitsi Meet) is running on port "4444". So I checked the above command against port "4444" - and yeah - it uses the new cert.

But how can I change it for port "443"?? Where is the "old" certificate cached or placed? I can't find it.
I really want to understand that part and can't find any answers in the forum.

Please help me :frowning:

Greets
Markus

If this is a usual installation, nothing wrong with ports, don't touch them. 4444 in the site config is OK. Nginx should listen on both TCP/443 and TCP/4444 at the same time.

I do not want to touch the config. Maybe the problem description becomes more clear, with the real world example:

Nginx is listening on TCP/80, TCP/443 and TCP/4444:

root@CDC-S-CONFERENCE02:~# netstat -tulpn | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21877/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 21877/nginx: master
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 21877/nginx: master
tcp6 0 0 :::80 :::* LISTEN 21877/nginx: master
tcp6 0 0 :::443 :::* LISTEN 21877/nginx: master
tcp6 0 0 :::4444 :::* LISTEN 21877/nginx: master

If you visit "https://hd-meeting.comramo.net" and check the certificate in the browser - you will see that the certificate is valid from 10-05-2020 until 11-03-2021. That is the expected result, after replacing the original one - used in the initial Jitsi installation - in "/etc/ssl/wildcard.crt".

BUT. If I check my domain via SSLLabs (Link) - it will report that the Certificate will expire on 11-02-2020.

It does not make sense for me tbh. Somehow NGINX still uses the "old" certificate for port 443.

How do you use the wildcard? I do not know how to use my wildcard for the website?

This may be related to coturn's certificate, which is also active on TCP/443.

Could you check the related fields on /etc/turnserver.conf?


@emrah, you are a genius :slight_smile:

Even though I checked and verified that "/etc/turnserver.conf" is correct - I did NOT restart the service.

I always use

service jicofo restart && service jitsi-videobridge2 restart && service prosody restart && service nginx restart

to be sure all services would be restarted. Now I will append the coturn service :slight_smile:
You made my day, thank you for pointing me in the right direction!

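A check for the situation in this thread, added here as an example and not posted by any participant: it compares the SHA-256 fingerprint of the certificate file on disk with what each TLS listener actually presents, so a service that was not restarted after the file was replaced shows up as stale. The function names and the command-line layout are assumptions made for the example.

```python
import hashlib
import socket
import ssl
import sys

END = "-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """SHA-256 of the first (leaf) certificate in a PEM file or chain."""
    start = pem.index("-----BEGIN CERTIFICATE-----")
    stop = pem.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem[start:stop])).hexdigest()


def served_pem(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Fetch the certificate a listener presents, sending the given SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # no trust decision is made here:
    ctx.verify_mode = ssl.CERT_NONE  # the result is only compared by fingerprint
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def stale_listeners(disk_pem: str, served: dict) -> list:
    """Ports whose served certificate differs from the one on disk."""
    want = fingerprint(disk_pem)
    return sorted(p for p, pem in served.items() if fingerprint(pem) != want)


if __name__ == "__main__":
    # usage: check.py /etc/ssl/wildcard.crt <hostname> 443 4444
    cert_path, name = sys.argv[1], sys.argv[2]
    ports = [int(p) for p in sys.argv[3:]]
    with open(cert_path) as fh:
        disk = fh.read()
    stale = stale_listeners(disk, {p: served_pem(name, p, name) for p in ports})
    for port in ports:
        print(port, "STALE (restart the service behind it)" if port in stale else "ok")
    sys.exit(1 if stale else 0)
```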