Trying to setup Letsencrypt into Jitsi Docker

Hi Guys.

I’m trying to set up Let's Encrypt in Jitsi Docker.

I’ve already set up the domain, pointed it to my VPS IP and enabled Let's Encrypt in the “.env” file.

What may be wrong? It’s correctly accessible through the domain address.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Waiting for verification...
Challenge failed for domain mydomain.com
http-01 challenge for mydomain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.mydomain.com/.well-known/acme-challenge/cGezi9Fob47MOfa53gypzPAj2d3rnyosTuc9DWwj7fw
   [ip]: "<!doctype html>\n<html lang=\"en\">\n<head>\n
   <meta charset=\"utf-8\">\n  <title>Angular</title>\n  <base
   href=\"/\">\n  <meta name="

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
Failed to obtain a certificate from the Let's Encrypt CA.

Bump please. I really don’t know how to proceed.

Whenever you see “mydomain.com” or “exampledomain.com” or things like this, you need to change it for your domain name (example, conference.whenfel.com or something like that)
Also make sure that you added your domain name, linked to your server address, in the zone editor on the site that hosts your domain name.

Ty for the response.

I changed the text I posted here from my real domain to “mydomain.com”, but the domain is correctly set up and accessible.

Is this what you have in your domain zone editor?

Also, can you send me your .env file so I can have a look at it, please?

Yes, I have exactly this but with my domain name and ip.

Everything is working correctly except the microphone and video, because they need SSL, which is what I’m currently trying to set up.

My .env is like this:

# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# The service(s) won't start unless these are specified
# Running ./gen-passwords.sh will update .env with strong passwords
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#

# XMPP component password for Jicofo
JICOFO_COMPONENT_SECRET=PASS

# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=PASS

# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=PASS

# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=PASS

# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=PASS

# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=PASS

#
# Basic configuration options
#

# Directory where all configuration will be stored
CONFIG=~/.jitsi-meet-cfg

# Exposed HTTP port
HTTP_PORT=8000

# Exposed HTTPS port
HTTPS_PORT=8443

# System time zone
TZ=America/Fortaleza

# Public URL for the web service
#PUBLIC_URL=https://142.93.51.89

# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the README
#DOCKER_HOST_ADDRESS=192.168.1.1

# Control whether the lobby feature should be enabled or not
#ENABLE_LOBBY=1

#
# Let's Encrypt configuration
#

# Enable Let's Encrypt certificate generation
ENABLE_LETSENCRYPT=1

# Domain for which to generate the certificate
LETSENCRYPT_DOMAIN=mydomain.com

# E-Mail for receiving important account notifications (mandatory)
LETSENCRYPT_EMAIL=myemail@hotmail.com

#
# Etherpad integration (for document sharing)
#

# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001

# Set etherpad-lite public URL (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain

#
# Basic Jigasi configuration options (needed for SIP gateway support)
#

# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info

# Password for the specified SIP account as a clear text
#JIGASI_SIP_PASSWORD=passw0rd

# SIP server (use the SIP account domain if in doubt)
#JIGASI_SIP_SERVER=sip2sip.info

# SIP server port
#JIGASI_SIP_PORT=5060

# SIP server transport
#JIGASI_SIP_TRANSPORT=UDP

#
# Authentication configuration (see handbook for details)
#

# Enable authentication
#ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
#AUTH_TYPE=internal

# JWT authentication
#

# Application identifier
#JWT_APP_ID=my_jitsi_app_id

# Application secret known only to your token
#JWT_APP_SECRET=my_jitsi_app_secret

# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client

# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2

# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#

# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/

# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com

# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com

# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd

# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)

# LDAP authentication method
#LDAP_AUTH_METHOD=bind

# LDAP version
#LDAP_VERSION=3

# LDAP TLS using
#LDAP_USE_TLS=1

# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC

# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1

# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt

# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs

# Whether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
# LDAP_START_TLS=1

#
# Advanced configuration options (you generally don't need to change these)
#

# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi

# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi

# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280

# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi

# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi

# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi

# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi

# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=

# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=

# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=

# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery

# XMPP user for JVB client connections
JVB_AUTH_USER=jvb

# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443

# Media port for the Jitsi Videobridge
JVB_PORT=10000

# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443

# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri

# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus

# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com

# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true

# XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi

# MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery

# Minimum port for media used by Jigasi
JIGASI_PORT_MIN=20000

# Maximum port for media used by Jigasi
JIGASI_PORT_MAX=20050

# Enable SDES srtp
#JIGASI_ENABLE_SDES_SRTP=1

# Keepalive method
#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS

# Health-check extension
#JIGASI_HEALTH_CHECK_SIP_URI=keepalive

# Health-check interval
#JIGASI_HEALTH_CHECK_INTERVAL=300000

#
# Enable Jigasi transcription
#ENABLE_TRANSCRIPTIONS=1

# Jigasi will record audio when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_RECORD_AUDIO=true

# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_SEND_TXT=true

# Jigasi will post an url to the chat with transcription file [default: false]
#JIGASI_TRANSCRIBER_ADVERTISE_URL=true

# Credentials for connecting to the Google Cloud API from Jigasi
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
# section "Before you begin" paragraph 1 to 5
# Copy the values from the json to the related env vars
#GC_PROJECT_ID=
#GC_PRIVATE_KEY_ID=
#GC_PRIVATE_KEY=
#GC_CLIENT_EMAIL=
#GC_CLIENT_ID=
#GC_CLIENT_CERT_URL=

# Enable recording
#ENABLE_RECORDING=1

# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi

# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder

# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings

# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh

# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri

# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery

# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90

# When jibri gets a request to start a service for a room, the room
# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly
JIBRI_STRIP_DOMAIN_JID=muc

# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs

# Disable HTTPS: handle TLS connections outside of this setup
#DISABLE_HTTPS=1

# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
#ENABLE_HTTP_REDIRECT=1

# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped

I see multiple problems here:

I changed those settings, rebuilt the images and recreated the containers; same result.

I’ve searched around and have now made the directory “.well-known/acme-challenge” accessible, because I’m using nginx for the Angular app.

Sadly I got the same result as before. I don’t know what may be wrong, but it’s something related to the domain (although it’s accessible).

Domain: mydomain.com
web_1      |    Type:   unauthorized
web_1      |    Detail: Invalid response from
web_1      |    http://mydomain.com/.well-known/acme-challenge/Kf4aZz1hOZJ1JwP1Zoux5P1oCzNjtUWHRXY6gESD8ek
web_1      |    [my-ip]: "<html>\r\n<head><title>404 Not
web_1      |    Found</title></head>\r\n<body>\r\n<center><h1>404 Not
web_1      |    Found</h1></center>\r\n<hr><center>nginx/1.17.1</ce"
web_1      |
web_1      |    To fix these errors, please make sure that your domain name was
web_1      |    entered correctly and the DNS A/AAAA record(s) for that domain
web_1      |    contain(s) the right IP address.
web_1      |  - Your account credentials have been saved in your Certbot
web_1      |    configuration directory at /etc/letsencrypt. You should make a
web_1      |    secure backup of this folder now. This configuration directory will
web_1      |    also contain certificates and private keys obtained by Certbot so
web_1      |    making regular backups of this folder is ideal.
web_1      | Failed to obtain a certificate from the Let's Encrypt CA.


What ports are forwarded in the docker-compose.yml file?

Here is mine:

Oh, I have just realized you said you already have an app (Angular) using a reverse proxy… I have no idea how to make this work when other containers use reverse proxies on your system… The only place I do it is on my home server, in Unraid, and it is a lot easier!

You might need to install a standalone reverse proxy (i.e. not in a stack) and map ports between the containers and the host… Or go with traefik.

Oh… I really don’t understand much about this part of the stack.

But why is this a problem related to the reverse proxy, since my domain is accessible on the web?

Isn’t the problem related to some folder config or some DNS mapping?

My main application is accessible through port 80, and Jitsi is accessible through port 8000, and both are reachable. Also the “acme-challenge” directory is now OK, accessible.

From what I understand, if you have 2 NGINX reverse proxies on the same server, they will “fight” for port 80 and 443. There is a way to do it with a TURN server or something, but I know nothing about that!

What you can do is have a single NGINX instance where you add your jitsi-meet nginx config and make sure the containers share the same internal network. (You would basically copy over the meet.conf file and make sure it is referenced in the main nginx config file.)

To test if this is the issue in the first place, shut down your other proxy and re-deploy jitsi-meet’s stack… I am pretty certain that it will be able to reach out to the evil internet then!

And to your question about your domain being accessible to the web, I am not sure we have the same definition of the terms… The fact that your machine is opened to the web and that your DNS is set to reach the server does not mean that they will “speak” together in the end… The reverse proxy has to forward the traffic to the right place for letsencrypt to work…
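A quick way to see which server is answering the challenge path for your domain, the way the CA does, is to fetch it from outside and look at the body and the Server header. This is an added diagnostic script, not part of the thread or of the Jitsi project; the domain, the probe token and the challenge path are assumptions, and classify maps the response to the two certbot failures quoted above.

```shell
#!/bin/sh
# Added diagnostic for this thread (not from the Jitsi project): find out which web
# server answers http://DOMAIN/.well-known/acme-challenge/<token> on port 80, which is
# exactly what Let's Encrypt's HTTP-01 validation requests. The probe token is constructed.

# classify BODY EXPECTED -> one word naming the situation seen in the thread's logs.
classify() {
  body="$1"; expected="$2"
  if [ -n "$expected" ] && [ "$body" = "$expected" ]; then
    echo "ok"            # the token came back: the path reaches the server that holds it
  elif printf '%s' "$body" | grep -qi '404 not found'; then
    echo "proxy-404"     # a web server answered but has no such path (second log: nginx 404)
  elif printf '%s' "$body" | grep -qi '<html'; then
    echo "other-vhost"   # another site answered on port 80 (first log: the Angular index page)
  elif [ -z "$body" ]; then
    echo "unreachable"   # nothing answered on port 80 at all
  else
    echo "unknown"
  fi
}

# probe DOMAIN [EXPECTED]: fetch the challenge path over plain HTTP, following redirects
# like the CA does, and print the classification plus the last Server header seen.
probe() {
  domain="$1"; expected="${2:-}"
  token="${expected:-probe-token-$(date +%s)}"       # constructed token, not a real ACME one
  url="http://${domain}/.well-known/acme-challenge/${token}"
  headers=$(mktemp)
  body=$(curl -sSL --max-time 10 -D "$headers" "$url" 2>/dev/null || true)
  server=$(grep -i '^server:' "$headers" | tail -n 1 | tr -d '\r')
  rm -f "$headers"
  printf '%s -> %s (%s)\n' "$url" "$(classify "$body" "$expected")" "${server:-no Server header}"
}

# Usage: sh acme_probe.sh mydomain.com [expected-token]
# Put a file with a known token in the challenge directory first and pass the token
# to get "ok"; without one, the result still tells you which server owns port 80.
if [ "$#" -gt 0 ]; then
  probe "$1" "${2:-}"
fi
```

If the answer is other-vhost or proxy-404, the front nginx on port 80 is not forwarding the challenge path to the Jitsi web container, which is the situation the replies above describe.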