Jitsi-meet: Letsencrypt renew certs doesn't work in standalone installation (by quick install guide)

Created on 27 Apr 2018 · 12 Comments · Source: jitsi/jitsi-meet

After installing with the "Jitsi Meet quick install" guide, letsencrypt renew doesn't work.

https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md#generate-a-lets-encrypt-certificate

1. First problem. Crontab task:

#!/bin/bash
/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log

I get this error:

Processing /etc/letsencrypt/renewal/***.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ***
Cleaning up challenges
Attempting to renew cert (***) from /etc/letsencrypt/renewal/***.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/***/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/***/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

Reason: jitsi is already using port 443.

2. Second problem:

After:

service jitsi-videobridge stop

and updating the certs, jitsi-meet is still not using the renewed certs.

Reason: there is no phase for converting the ssl keys again: https://github.com/jitsi/jitsi-meet/blob/master/resources/install-letsencrypt-cert.sh#L89-L98

wontfix

All 12 comments

Some time ago I was working on this to update the renew procedure but didn't have time to fix/test it.
https://github.com/jitsi/jitsi-meet/tree/letsencrypt-renew
But now based on your comments I see that my renew script is missing the phase for converting ssl keys. So this needs updating.
This is still on my TODO list, but not sure when I will get to it. Any help is welcome.

Short-term fix for this seems to be re-running the certificate install:

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

@damencho any tips on where to look in the repo to help you? Some changes required in https://github.com/jitsi/jitsi-meet/blob/letsencrypt-renew/resources/install-letsencrypt-cert.sh ? I guess we can see the changes you made so far in:

https://github.com/jitsi/jitsi-meet/compare/letsencrypt-renew

Yep, this is correct, that branch is all I have ...

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

It is a shame this has been marked wontfix by a bot and left untouched. You can't even use jitsi-meet without ssl enabled and an auto-renewing certbot seems pretty important for a turnkey solution like jitsi.

This can be worked around in Debian / Ubuntu if you use the built-in certbot packages and scripts.

I've tried it and it works.

By default the video bridge is binding to port 80 in order to redirect visitors to port 443. There's an undocumented flag (submitted PR for it today: jitsi/jitsi-videobridge#908) you can use to disable it if you like, which is what blocks the traditional certbot renew from succeeding.

However, the JKS files still need to be updated and the video-bridge needs to be restarted, so disabling it is only half a solution. I'll see whether I can make it respond to a kill -HUP such that it re-reads the JKS.

On all my other systems, I use the ppa:certbot/certbot to install certbot and run it with --standalone. The cronjob it installs handles the renewals. I put shell scripts to stop and start whatever services are normally on 80/443 (typically apache) in the /etc/letsencrypt/renewal-hooks/[pre|post] directories so that they are out of the way when renewal happens.

All of this is to say, if it is a pain to implement as things stand in Jitsi, I wonder if jitsi packages could either do the same as above, or stay out of it and just periodically look in /etc/letsencrypt/ for the keys & certs it needs. Incidentally, I think Rocket.Chat is managing its own letsencrypt renewals. I'm not sure what it is doing but I don't seem to need to touch it.

Anyway, just some thoughts. Running a script every couple months when I get an email is a small price to pay for self-hosted conferencing. :)

As a workaround modify /etc/cron.weekly/letsencrypt-renew to look like this:

#!/bin/bash
service jitsi-videobridge stop
/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
service jitsi-videobridge start

It will just stop the service briefly during the renewal.
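The two workarounds in this thread (stopping the bridge around certbot's standalone renewal, and re-running the PEM-to-JKS conversion the install script only does once) combined into certbot pre/post hooks, plus a check of the renewal log so a failed renewal like the one in the issue is noticed rather than silently appended to le-renew.log. This is an added example, not code from the jitsi-meet repository; the keystore path, the "changeit" store password, the alias name and the hook layout are assumptions about the quick-install setup.

```shell
#!/bin/bash
# Added example (not from jitsi-meet): certbot renewal hooks for a quick-install
# Jitsi Meet host plus a renewal-log check. Assumptions: DOMAIN is the Jitsi host
# name, the bridge reads /etc/jitsi/videobridge/$DOMAIN.jks with password
# "changeit", and certbot's renewal-hooks/{pre,post} directories are honoured.
set -e

DOMAIN="${DOMAIN:-meet.example.org}"        # assumption: your Jitsi host name
LIVE="/etc/letsencrypt/live/$DOMAIN"
JKS="/etc/jitsi/videobridge/$DOMAIN.jks"   # assumption: keystore path used by the bridge
STOREPASS="changeit"                        # assumption: password used by the install script

# Pre hook: free ports 80/443 so "certbot renew" (standalone) can bind (first problem).
jitsi_le_pre() {
    service jitsi-videobridge stop
}

# Post hook: redo the PEM -> PKCS12 -> JKS conversion that the install script performs
# only once (second problem), then bring the bridge back with the renewed keystore.
jitsi_le_post() {
    local p12
    p12="$(mktemp)"
    openssl pkcs12 -export -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" \
        -out "$p12" -name jitsi -password "pass:$STOREPASS"
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -destkeystore "$JKS" -deststorepass "$STOREPASS" \
        -alias jitsi
    rm -f "$p12"
    service jitsi-videobridge start
}

# Parse certbot's summary line "N renew failure(s), M parse failure(s)" (seen in the
# issue's log) from a log file: prints the failure count and returns 1 if it is
# non-zero, so a cron wrapper or monitoring check can alert on a failed renewal.
le_renew_failures() {
    local log="$1" n
    n="$(grep -Eo '[0-9]+ renew failure\(s\)' "$log" | tail -n1 | grep -Eo '^[0-9]+' || echo 0)"
    echo "$n"
    [ "$n" -eq 0 ]
}

case "${1:-}" in
    pre)   jitsi_le_pre ;;
    post)  jitsi_le_post ;;
    check) le_renew_failures "${2:-/var/log/le-renew.log}" ;;
esac
```

Install it once (e.g. /usr/local/sbin/jitsi-le-hooks) and drop one-line wrappers `exec /usr/local/sbin/jitsi-le-hooks pre` and `... post` into /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/; `jitsi-le-hooks check` can run from the cron job after `certbot renew` so a non-zero exit triggers cron's mail.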
