Using Let's Encrypt on Meeting Server

This section describes how to use Let's Encrypt certificates on a Sametime 11.6 Meetings server.

About this task

The Sametime Meeting Server ships with a self-signed certificate. Use these instructions to replace the self-signed certificate with one issued by a third-party CA such as Let's Encrypt.

Kubernetes

Follow these steps if you are running the Meeting Server in Kubernetes.

Obtain the certificate chain and the private key. With Let's Encrypt these are fullchain.pem (the server certificate first, followed by the intermediate certificate) and privkey.pem. Then run the following commands to configure the ingress to use them.

  1. Set KEY_FILE to the private key file and CERT_FILE to the certificate chain file. The first command removes the existing secret so that a new one can be created under the same name:
    kubectl -n ingress-nginx delete secret ingress-tls-cert
    export CERT_NAME=ingress-tls-cert
    export KEY_FILE=privkey.pem
    export CERT_FILE=fullchain.pem
    kubectl -n ingress-nginx create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
    kubectl patch deployment nginx-ingress-controller -n ingress-nginx --patch "$(cat kubernetes/ingress/nginx-tls-patch.yaml)"
  2. Restart the ingress controller:
    kubectl scale deployment nginx-ingress-controller -n ingress-nginx --replicas=0
    kubectl scale deployment nginx-ingress-controller -n ingress-nginx --replicas=1

Procedure to use Let's Encrypt certificates

Add the configuration that makes the web container use Let's Encrypt certificates:

  1. Set ENABLE_LETSENCRYPT to 1 in docker-compose.yml. The web container then looks for the Let's Encrypt certificates in the following folder:
    jitsi-config/web/letsencrypt/live/
  2. If you also set a value for LETSENCRYPT_DOMAIN, the path becomes:
    jitsi-config/web/letsencrypt/live/<LETSENCRYPT_DOMAIN>/

    In that folder the following files (the names certbot produces) are expected:

    fullchain.pem
    privkey.pem

How to use certbot to update the certificates (optional)

  1. Under the NGINX section of docker-compose.yml, add the following line to the volumes list so that the web container can serve ACME challenge files placed on the host:
     ${CONFIG}/web/data/letsencrypt:/data/letsencrypt:Z
    
  2. Run docker-compose up -d.
  3. After the initial start, edit jitsi-config/web/nginx/meet.conf and add the following location block, following the pattern of the existing location blocks in the file:
    location ^~ /.well-known {
        allow all;
        root /data/letsencrypt/;
    }
  4. Restart with docker-compose down followed by docker-compose up -d.
  5. Verify that the challenge path is served: place a test file under jitsi-config/web/data/letsencrypt/.well-known/ and confirm that it is reachable from the Internet at http://<your domain>/.well-known/<file>. Let's Encrypt's HTTP-01 validation fetches its challenge files from that path over plain HTTP, so this must work before certbot is run.
  6. Use Docker to run certbot and request (or later renew) the certificates, for example:
    docker run -it --rm \
    -v certs:/etc/letsencrypt \
    -v certs-data:/data/letsencrypt \
    deliverous/certbot \
    certonly \
    --webroot --webroot-path=/data/letsencrypt \
    -d example.com -d www.example.com
    Replace example.com and www.example.com with the host name(s) of the Meeting Server. certbot stores the result under live/<first -d name>/, so the first -d value is the one that LETSENCRYPT_DOMAIN must match. deliverous/certbot is a third-party image; certbot/certbot is the official certbot image and accepts the same arguments.
  7. In the docker run command, "certs" and "certs-data" are placeholders: replace them with the absolute paths inside the jitsi-config folder, so that certbot writes the certificates to the folder the web container reads (see the previous procedure). For example
    -v certs:/etc/letsencrypt \
    
    becomes
    
    -v /stmeetings/jitsi-config/web/letsencrypt:/etc/letsencrypt \
    
    and
    
    -v certs-data:/data/letsencrypt \
    
    becomes
    
    -v /stmeetings/jitsi-config/web/data/letsencrypt:/data/letsencrypt \
    
  8. Verify that the server now presents the Let's Encrypt certificate (for example by inspecting the certificate in a browser or with openssl s_client) and that ENABLE_LETSENCRYPT and LETSENCRYPT_DOMAIN match the folder certbot created. Let's Encrypt certificates are valid for 90 days, so rerun step 6 before they expire and restart the web container afterwards so that nginx reloads the new files.

Procedure for Docker

Follow these steps if you are running the Meeting Server in Docker and already have a certificate and private key from a CA.

  1. Run docker-compose down.
  2. Replace <install dir>/jitsi-config/web/keys/cert.crt and <install dir>/jitsi-config/web/keys/cert.key with the new certificate (cert.crt, including any intermediate certificates) and private key (cert.key).
  3. Run docker-compose up -d.
    Note: These changes are lost if you delete or remove the jitsi-config folder, which other procedures may require, so keep a copy of the certificate and key outside that folder.
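The following script is an added example and is not code from the Sametime documentation or product. It covers both procedures on this page: it checks a Let's Encrypt privkey.pem/fullchain.pem pair (PEM structure, private key matching the leaf certificate, leaf not expired, key not world-readable) and then installs the pair either as the ingress-nginx secret for the Kubernetes procedure or over jitsi-config/web/keys/cert.key and cert.crt for the Docker procedure. The secret name, namespace, controller deployment name and keys folder are assumed to be the defaults used above, and the one-time kubectl patch of the ingress controller is assumed to have been applied already. Rendering the secret with kubectl --dry-run=client and piping it into kubectl apply, and restarting with kubectl rollout restart, are choices of this example rather than of the product documentation; the delete/create and scale-to-zero steps above work as well.

```bash
#!/usr/bin/env bash
# Added example, not code from the Sametime documentation or product.
# Sanity-checks a Let's Encrypt privkey.pem/fullchain.pem pair and installs it
# either as the ingress-nginx TLS secret (Kubernetes) or as
# jitsi-config/web/keys/cert.key and cert.crt (Docker).
# Assumptions: the default names from the procedures above (ingress-tls-cert,
# ingress-nginx, nginx-ingress-controller, jitsi-config/web/keys); the one-time
# kubectl patch of the ingress controller has already been applied; kubectl,
# docker-compose and openssl are on PATH when the corresponding step is used.
set -u

# Number of PEM blocks in file $1 whose BEGIN header matches the ERE in $2.
pem_block_count() {
  grep -c -E -- "^-----BEGIN $2-----" "$1" 2>/dev/null || true
}

# Return 0 when the pair is usable: exactly one private key, one or more
# certificates (fullchain.pem is leaf first, then intermediates) and, when
# openssl is available, a key that matches the leaf and a leaf that has not
# expired. Anything else is reported on stderr and returns 1.
check_tls_pair() {
  local key_file=$1 cert_file=$2 key_pub cert_pub
  [ -r "$key_file" ] && [ -r "$cert_file" ] ||
    { echo "check_tls_pair: cannot read $key_file or $cert_file" >&2; return 1; }
  [ "$(pem_block_count "$key_file" '(RSA |EC )?PRIVATE KEY')" -eq 1 ] ||
    { echo "check_tls_pair: $key_file must hold exactly one private key" >&2; return 1; }
  [ "$(pem_block_count "$cert_file" 'CERTIFICATE')" -ge 1 ] ||
    { echo "check_tls_pair: $cert_file holds no certificate" >&2; return 1; }
  # A world-readable private key is worth flagging, but is not a reason to
  # refuse a renewal that is already in progress.
  [ -z "$(find "$key_file" -perm -o+r 2>/dev/null)" ] ||
    echo "check_tls_pair: warning: $key_file is world-readable" >&2
  if command -v openssl >/dev/null 2>&1; then
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) ||
      { echo "check_tls_pair: openssl cannot parse $key_file" >&2; return 1; }
    # openssl x509 reads only the first block of fullchain.pem, i.e. the leaf.
    cert_pub=$(openssl x509 -in "$cert_file" -pubkey -noout 2>/dev/null) ||
      { echo "check_tls_pair: openssl cannot parse $cert_file" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] ||
      { echo "check_tls_pair: key does not match the leaf certificate" >&2; return 1; }
    openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null ||
      { echo "check_tls_pair: leaf certificate has expired" >&2; return 1; }
  fi
  return 0
}

# Kubernetes: render the secret client-side and apply it over the existing one
# (no delete/create window), then do a rolling restart of the controller
# instead of scaling it to 0 and back to 1.
install_k8s_secret() {
  local key_file=$1 cert_file=$2 name=${3:-ingress-tls-cert} ns=${4:-ingress-nginx}
  check_tls_pair "$key_file" "$cert_file" || return 1
  kubectl -n "$ns" create secret tls "$name" --key "$key_file" --cert "$cert_file" \
    --dry-run=client -o yaml | kubectl apply -f - || return 1
  kubectl -n "$ns" rollout restart deployment nginx-ingress-controller
}

# Docker: copy the pair over jitsi-config/web/keys/cert.key and cert.crt
# (cp onto an existing file keeps that file's owner and mode, so the web
# container keeps the access it already had), then restart the stack.
install_docker_keys() {
  local key_file=$1 cert_file=$2 install_dir=${3:-.}
  local keys_dir="$install_dir/jitsi-config/web/keys"
  check_tls_pair "$key_file" "$cert_file" || return 1
  [ -d "$keys_dir" ] || { echo "install_docker_keys: $keys_dir not found" >&2; return 1; }
  cp "$key_file" "$keys_dir/cert.key" && cp "$cert_file" "$keys_dir/cert.crt" || return 1
  (cd "$install_dir" && docker-compose down && docker-compose up -d)
}

# Stand-alone use:
#   ./le-install.sh check  privkey.pem fullchain.pem
#   ./le-install.sh k8s    privkey.pem fullchain.pem
#   ./le-install.sh docker privkey.pem fullchain.pem /stmeetings
case "${1:-}" in
  check)  check_tls_pair "$2" "$3" && echo "ok: $3 matches $2" ;;
  k8s)    install_k8s_secret "$2" "$3" ;;
  docker) install_docker_keys "$2" "$3" "${4:-.}" ;;
esac
```

Run the check subcommand against the files certbot wrote under live/<domain>/ before touching the server; a non-zero exit means the files are not a matching, unexpired key/chain pair and neither the secret nor the keys folder is changed. The world-readable warning is deliberately non-fatal, because certbot-managed files are usually fixed with a chmod afterwards rather than by aborting the rollout.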