Unable to generate Let’s Encrypt certificate

Hi,

I am following the quick install guide.

My Jitsi-meet instance is run behind a NAT but I have made the necessary configuration to access it publicly with an FQDN.

When I try to run the Let’s Encrypt script, I am getting the following error.

-------------------------------------------------------------------------
This script will:
- Need a working DNS record pointing to this machine(for domain meet.myfqdn-i-have-replaced-it-here.com)
- Download certbot-auto from https://dl.eff.org to /usr/local/sbin
- Install additional dependencies in order to request Let’s Encrypt certificate
- If running with jetty serving web content, will stop Jitsi Videobridge
- Configure and reload nginx or apache2, whichever is used
- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
- Add command in weekly cron job to renew certificates regularly

You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
by providing an email address for important account notifications
Enter your email and press [ENTER]: myemail@myfqdn-i-have-replaced-it-here.com
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://in.archive.ubuntu.com/ubuntu focal InRelease
Ign:2 http://dl.google.com/linux/chrome/deb stable InRelease                  
Get:3 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease [106 kB]    
Hit:4 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease            
Get:5 http://security.ubuntu.com/ubuntu focal-security InRelease [107 kB]      
Get:6 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [35.5 kB]
Hit:7 http://dl.google.com/linux/chrome/deb stable Release                    
Get:8 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 DEP-11 Metadata [14.6 kB]
Get:9 http://in.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [12.3 kB]
Get:10 http://in.archive.ubuntu.com/ubuntu focal-updates/universe i386 Packages [10.5 kB]
Get:11 http://in.archive.ubuntu.com/ubuntu focal-updates/universe amd64 DEP-11 Metadata [212 B]
Hit:12 https://download.jitsi.org stable/ InRelease                            
Get:14 http://security.ubuntu.com/ubuntu focal-security/main amd64 DEP-11 Metadata [14.6 kB]
Get:15 http://security.ubuntu.com/ubuntu focal-security/universe amd64 DEP-11 Metadata [208 B]
Fetched 301 kB in 2s (199 kB/s)            
Reading package lists... Done
Reading package lists... Done
Building dependency tree      
Reading state information... Done
Note, selecting 'python-is-python2' instead of 'python'
Note, selecting 'python-dev-is-python2' instead of 'python-dev'
Package python-virtualenv is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'python-virtualenv' has no installation candidate

I am on Ubuntu 20.04 LTS and my default Python version is 3.8.2. Can somebody let me know how to proceed, please?

Thanks

Try following instructions at https://certbot.eff.org/ for installation without the script.


Hi

The following helped the progress of Let’s Encrypt with some modification:

certbot was getting installed in /usr/bin/, so I had to create a symlink in /usr/sbin/ using the command sudo ln -s /usr/bin/certbot /usr/sbin/certbot

But after that certbot failed with these errors:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for meet.myfqdn-i-have-replaced-it-here.com
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification...
Challenge failed for domain meet.myfqdn-i-have-replaced-it-here.com
http-01 challenge for meet.myfqdn-i-have-replaced-it-here.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: meet.myfqdn-i-have-replaced-it-here.com
Type:   connection
Detail: Fetching
http://meet.myfqdn-i-have-replaced-it-here.com/.well-known/acme-challenge/qc2QaTupnWRlo7SI7Vq3ldGuu2r6OlGLlULeXI3eAhg:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My Jitsi Meet instance resolves only with HTTPS, but the http-01 challenge uses an unencrypted connection. How should I proceed? Any ideas, please?

Thanks

It’s difficult to see what you mean by that. A DNS name resolves to an IP address, not to a port or a protocol. If you mean that you did not open port 80 for the IP address, and you absolutely can’t change that, I think that the Let’s Encrypt server can deal with that, but you may have more success finding someone who knows this kind of detail on the Let’s Encrypt forum.


I have kept port 80 open in my router and enabled access in ufw. I have configured Nginx as well. I can confirm port 80 is open with a port scan.

Port Scan has started…

Port Scanning host: 171.XXX.XXX.255 (masked)
	 Open TCP Port: 	80     		http
Port Scan has completed…

Am I missing something here?

Thanks

For Let’s Encrypt it’s absolutely not necessary to serve Jitsi on port 80. All that is necessary is to provide access to the .well-known/acme-challenge virtual directory. Test that it’s possible to read a file in this directory from the internet.

Thanks. I will check this and get back.

So to confirm, my Jitsi Meet instance works with HTTPS but would not even load with HTTP, and probably because of this the Let’s Encrypt http-01 authentication is failing.

Here is the mapping for port 80 in my router:

These are my UFW rules:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
10000/udp                  ALLOW IN    Anywhere                  
80/tcp (v6)                ALLOW IN    Anywhere (v6)            
443/tcp (v6)               ALLOW IN    Anywhere (v6)            
10000/udp (v6)             ALLOW IN    Anywhere (v6)    

Here is my Nginx configuration:

server_names_hash_bucket_size 64;

server {
    # listen 80;
    listen 80;
    listen [::]:80;    
    server_name meet.myfqdn-i-have-replaced-it-here.com;
    rewrite ^ https://$http_host$request_uri? permanent;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
       return 404;
    }
    location / {
       return 301 https://$host$request_uri;
    }
}
server {
    # listen 4444 ssl http2;
    listen 0.0.0.0:443 ssl http2;    
    # listen [::]:4444 ssl http2;
    listen [::]:443 ssl http2;
    server_name meet.myfqdn-i-have-replaced-it-here.com;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /etc/jitsi/meet/meet.myfqdn-i-have-replaced-it-here.com.crt;
    ssl_certificate_key /etc/jitsi/meet/meet.myfqdn-i-have-replaced-it-here.com.key;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    location = /config.js {
        alias /etc/jitsi/meet/meet.myfqdn-i-have-replaced-it-here.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";

       alias /etc/jitsi/meet/meet.myfqdn-i-have-replaced-it-here.com-config.js;
    }

    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
}

I am able to access /.well-known/acme-challenge/ from the HTTPS URL. Here is a screenshot of the same.

Any suggestions please.

Thanks.

Err, that’s very interesting, but I actually suggested checking against the HTTP URL.
Something like placing a file in the actual directory pointed to by the virtual directory, and accessing it with a tool like wget http://yoururl.com/.well-known/acme-challenge/myfile.txt.
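The check suggested above, as an added example that is not part of this thread: it drops a token file into the acme-challenge directory, fetches it once over plain http:// without following redirects (the validator's view), and names the failure mode. Assumptions: curl is installed, the webroot is /usr/share/jitsi-meet as in the posted config, and HOST is a placeholder for the real FQDN. Worth knowing when reading the verdict: an nginx server-level `rewrite ... permanent` in the port-80 block runs before any `location` is matched, so a 301 to https here means the acme-challenge location is never reached.

```shell
# Added example (not from the thread): probe the http-01 path as the validator would.
# Assumptions: curl installed; WEBROOT matches the nginx root for acme-challenge;
# HOST is a placeholder for the real FQDN; TOKEN is a constructed name, not an ACME token.
HOST="${HOST:-meet.example.com}"
WEBROOT="${WEBROOT:-/usr/share/jitsi-meet}"
TOKEN="probe-$(date +%s)"

# classify_probe CURL_EXIT HTTP_CODE REDIRECT_URL BODY_MATCHED -> one-word verdict
classify_probe() {
    curl_exit="$1"; http_code="$2"; redirect_url="$3"; body_ok="$4"
    if [ "$curl_exit" = "28" ] || [ "$curl_exit" = "7" ]; then
        # connect timeout / refused: port 80 never reaches nginx (NAT mapping, ufw, ISP)
        echo "unreachable"
    elif [ "$http_code" = "301" ] || [ "$http_code" = "302" ]; then
        # a server-level "rewrite ... permanent" fires before the acme location is matched
        case "$redirect_url" in
            https://*) echo "redirected-to-https" ;;
            *)         echo "redirected" ;;
        esac
    elif [ "$http_code" = "200" ] && [ "$body_ok" = "yes" ]; then
        echo "ok"
    elif [ "$http_code" = "200" ]; then
        echo "wrong-content"   # something else answers on :80, or a different webroot
    else
        echo "http-$http_code"
    fi
}

# probe: create the token file, fetch it once over http:// (no -L), clean up, print verdict.
probe() {
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s\n' "$TOKEN" > "$dir/$TOKEN"
    body=$(mktemp)
    meta=$(curl -sS -o "$body" -w '%{http_code} %{redirect_url}' \
               --connect-timeout 5 --max-time 10 \
               "http://$HOST/.well-known/acme-challenge/$TOKEN")
    rc=$?
    code=${meta%% *}; loc=${meta#* }
    if [ "$(cat "$body" 2>/dev/null)" = "$TOKEN" ]; then match=yes; else match=no; fi
    rm -f "$body" "$dir/$TOKEN"
    classify_probe "$rc" "$code" "$loc" "$match"
}

if [ "${1:-}" = "--run" ]; then probe; fi
```

Because the fetch goes from the server to its own public address, a NAT router without hairpin support can report "unreachable" even when port 80 is open from the internet; repeat the curl from an outside host to settle that case.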

Hi

Please see the screenshot. I am able to access test.txt from the HTTPS site but not from the HTTP site.

Please note that I am behind Cloudflare, but I have disabled the Cloudflare proxy. The Jitsi Meet instance is reachable from the HTTPS site.

Please let me know.