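#!/bin/bash
#
# Obtain a Let's Encrypt certificate for the Jitsi Meet hostname stored in
# debconf (jitsi-meet-web-config / jvb-hostname), point the nginx or apache2
# vhost at it, register a coturn deploy hook when the jitsi-meet coturn config
# is present, and install a weekly cron job that renews the certificate.
#
# Must run as root: it installs packages, edits files under /etc and reloads
# the web server. The two inputs -- the debconf hostname and an e-mail address
# read from the terminal -- end up in certbot arguments, sed replacements and
# file names, so both are validated before use.

set -euo pipefail

#######################################
# Escape a string for use as the replacement text of a sed 's/…/…/' command
# ('/' as delimiter, '&' and '\' are special there).
# Arguments: $1 - raw replacement text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

#######################################
# Install certbot from distribution packages when it is not already present.
# Only Debian and Ubuntu are supported (Ubuntu 18.04 additionally needs the
# certbot PPA).
# Globals:  CERTBOT (written: absolute path of the certbot binary)
# Returns:  exits 1 on an unsupported distribution
#######################################
install_certbot_if_missing() {
  local distro distro_version

  CERTBOT="$(command -v certbot || true)"
  if [[ -x "$CERTBOT" ]]; then
    return 0
  fi

  distro=$(lsb_release -is)
  distro_version=$(lsb_release -rs)

  if [[ "$distro" != "Debian" && "$distro" != "Ubuntu" ]]; then
    echo "$distro $distro_version is not supported" >&2
    echo "Only Debian and Ubuntu 18.04+ are supported" >&2
    exit 1
  fi

  if [[ "$distro" == "Ubuntu" ]]; then
    apt-get update
    apt-get -y install software-properties-common
    add-apt-repository -y universe
    if [[ "$distro_version" == "18.04" ]]; then
      add-apt-repository -y ppa:certbot/certbot
    fi
  fi

  apt-get update
  apt-get -y install certbot

  CERTBOT="$(command -v certbot)"
}

#######################################
# Request the certificate with the HTTP-01 webroot challenge, served from the
# Jitsi Meet web root (so the existing vhost answers /.well-known/acme-challenge).
# Globals:   CERTBOT, DOMAIN, EMAIL (read)
# Arguments: $1 - optional deploy-hook script handed to certbot; certbot runs
#                 it as root after every successful issuance/renewal
#######################################
request_certificate() {
  local -a args=(
    certonly --noninteractive
    --webroot --webroot-path /usr/share/jitsi-meet
    -d "$DOMAIN"
    --agree-tos --email "$EMAIL"
  )
  if [[ $# -ge 1 && -n "$1" ]]; then
    args+=(--deploy-hook "$1")
  fi
  "$CERTBOT" "${args[@]}"
}

#######################################
# Rewrite the self-signed /etc/jitsi/meet/ key and certificate paths in a
# web-server vhost to the Let's Encrypt paths.
# Globals:   CERT_KEY, CERT_CRT (read)
# Arguments: $1 - vhost config file to edit in place
#            $2 - key directive (ssl_certificate_key / SSLCertificateKeyFile)
#            $3 - certificate directive (ssl_certificate / SSLCertificateFile)
#######################################
point_vhost_at_letsencrypt() {
  local conf_file=$1 key_directive=$2 crt_directive=$3
  local key_esc crt_esc

  key_esc=$(escape_sed_replacement "$CERT_KEY")
  crt_esc=$(escape_sed_replacement "$CERT_CRT")

  # Key first: once its line points at /etc/letsencrypt it can no longer be
  # caught by the certificate pattern below, which anchors on /etc/jitsi/meet/.
  sed -i "s/${key_directive} \/etc\/jitsi\/meet\/.*key/${key_directive} ${key_esc}/g" \
    "$conf_file"
  sed -i "s/${crt_directive} \/etc\/jitsi\/meet\/.*crt/${crt_directive} ${crt_esc}/g" \
    "$conf_file"
}

#######################################
# Reload the web server now and append the same reload command to the weekly
# renewal job so a renewed certificate is picked up without operator action.
# Globals:   CRON_FILE (read)
# Arguments: $1 - service name (nginx / apache2)
#######################################
reload_now_and_on_renewal() {
  local svc=$1

  if type service >/dev/null 2>&1; then
    service "$svc" reload
    echo "service $svc reload" >> "$CRON_FILE"
  else
    systemctl reload "$svc.service"
    echo "systemctl reload $svc.service" >> "$CRON_FILE"
  fi
}

main() {
  local deb_conf_result turn_config turn_hook

  # debconf-show prints "* jitsi-meet/jvb-hostname: <host>"; keep what follows
  # the last colon and drop the surrounding whitespace.
  deb_conf_result=$(debconf-show jitsi-meet-web-config | grep jvb-hostname || true)
  DOMAIN="${deb_conf_result##*:}"
  DOMAIN="${DOMAIN//[[:space:]]/}"

  # The hostname is interpolated into certbot arguments, sed replacements and
  # vhost file names; refuse anything that is not a plain DNS name rather than
  # request a bogus certificate or corrupt a config file.
  if [[ -z "$DOMAIN" || ! "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]]; then
    echo "Could not read a valid jvb-hostname from debconf (got '${DOMAIN}')" >&2
    exit 1
  fi

  echo "-------------------------------------------------------------------------"
  echo "This script will:"
  echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
  echo "- Install certbot from the distribution packages if it is not already present"
  echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
  echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
  echo "- Configure and reload nginx or apache2, whichever is used"
  echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
  echo "- Add command in weekly cron job to renew certificates regularly"
  echo ""
  echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
  echo "by providing an email address for important account notifications"

  echo -n "Enter your email and press [ENTER]: "
  read -r EMAIL
  # certbot validates the address format itself; only reject input that would
  # turn into extra arguments or an empty --email.
  if [[ -z "$EMAIL" || "$EMAIL" =~ [[:space:]] ]]; then
    echo "A single e-mail address is required" >&2
    exit 1
  fi

  install_certbot_if_missing

  CRON_FILE="/etc/cron.weekly/letsencrypt-renew"
  mkdir -p /etc/cron.weekly
  # Written from scratch on every run so re-running the script does not
  # accumulate duplicate reload lines.
  printf '#!/bin/bash\n%s renew >> /var/log/le-renew.log\n' "$CERTBOT" > "$CRON_FILE"

  CERT_KEY="/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
  CERT_CRT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"

  if [[ -f "/etc/nginx/sites-enabled/${DOMAIN}.conf" ]]; then

    turn_config="/etc/turnserver.conf"
    turn_hook="/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh"
    if [[ -f "$turn_config" ]] && grep -q "jitsi-meet coturn config" "$turn_config"; then
      # Hooks in this directory run as root on every renewal; the shipped
      # template is copied and its placeholder hostname replaced.
      mkdir -p "$(dirname "$turn_hook")"
      cp /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh "$turn_hook"
      chmod u+x "$turn_hook"
      sed -i "s/jitsi-meet.example.com/$(escape_sed_replacement "$DOMAIN")/g" "$turn_hook"
      request_certificate "$turn_hook"
    else
      request_certificate
    fi

    echo "Configuring nginx"
    point_vhost_at_letsencrypt "/etc/nginx/sites-available/${DOMAIN}.conf" \
      ssl_certificate_key ssl_certificate
    reload_now_and_on_renewal nginx

  elif [[ -f "/etc/apache2/sites-enabled/${DOMAIN}.conf" ]]; then

    request_certificate

    echo "Configuring apache2"
    point_vhost_at_letsencrypt "/etc/apache2/sites-available/${DOMAIN}.conf" \
      SSLCertificateKeyFile SSLCertificateFile
    reload_now_and_on_renewal apache2
  fi

  # run-parts only executes cron.weekly entries that are executable.
  chmod a+x "$CRON_FILE"
}

main "$@"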