Tip: coturn + certbot issue on Debian Buster

coturn doesn’t listen on the TLS port when a Let's Encrypt certificate is used on Debian Buster. The problem is that the turnserver user, which runs the coturn service, has no access rights to the certificate files.

The turnserver user needs to be added to the ssl-cert group:

adduser turnserver ssl-cert

But this is not enough, because the Let's Encrypt folder permissions are not configured as expected on Debian Buster, so the folder’s access rights have to be configured as well. There are some options for when to do this:

  • Make the change manually; certbot will preserve the changes on renewals.
  • Create a hook script in /etc/letsencrypt/renewal-hooks/deploy.
  • Create an override file for the certbot service.

I’m using the /etc/systemd/system/certbot.service.d/override.conf file, and this is its content:

[Service]
ExecStartPost=chmod 750 /etc/letsencrypt/archive
ExecStartPost=chmod 750 /etc/letsencrypt/live
ExecStartPost=chown root:ssl-cert /etc/letsencrypt/archive -R
ExecStartPost=chown root:ssl-cert /etc/letsencrypt/live -R
ExecStartPost=find /etc/letsencrypt/archive -name 'privkey*.pem' -exec chmod 640 {} \;
ExecStartPost=systemctl restart coturn.service
ExecStartPost=systemctl reload nginx.service

Then reload the systemd configuration so the override takes effect:

systemctl daemon-reload

AFAIK, this problem was fixed on Jitsi by moving the certificate and the private key to a custom location at the renewal step. But this post is useful if you have a separate coturn server on a Debian Buster machine.

3 Likes
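The deploy-hook alternative from the list above, written as an added example (not code from the original post): the permission fix is a function that can be run against any directory, plus a check that no private key ends up world-readable. The hook file name, the /etc/letsencrypt path and the ssl-cert group are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed install path:
# /etc/letsencrypt/renewal-hooks/deploy/coturn-perms.sh (chmod +x).
set -eu

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"      # assumed certbot tree
CERT_GROUP="${CERT_GROUP:-ssl-cert}"        # group the turnserver user is in

# fix_le_perms ROOT GROUP: give GROUP ownership of archive/ and live/, let the
# group enter those directories (750) and read private keys (640). Nothing
# becomes world-readable; certificates themselves keep certbot's modes.
fix_le_perms() {
    root="$1"
    group="$2"
    for d in archive live; do
        [ -d "$root/$d" ] || continue
        chgrp -R "$group" "$root/$d"
        chmod 750 "$root/$d"
    done
    find "$root/archive" -name 'privkey*.pem' -exec chmod 640 {} \;
}

# check_key_perms ROOT: succeed only if no private key under archive/ is
# readable by "other". Useful as a sanity check after the fix, or in monitoring.
check_key_perms() {
    ! find "$1/archive" -name 'privkey*.pem' -perm -o+r | grep -q .
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; only then touch the
# real tree and restart the consumers of the certificate.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    fix_le_perms "$LE_ROOT" "$CERT_GROUP"
    check_key_perms "$LE_ROOT"
    systemctl restart coturn.service
    systemctl reload nginx.service
fi
```

Because fix_le_perms only acts on an explicit directory, it can be dry-run against a copy of the tree before being installed as the hook.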