Letsencrypt Certificate for Jitsi App?

kthomas · June 2, 2020, 8:42pm

Hi there,

glad to see Jitsi app added to UCS - great!

I am wondering if URL jitsi.domain.tld can be inculded to LetsEncrypt. By default, an UCS SSL certificate is generated with warnings in the browser caused by untrusted certificate.
If I just add jitsi.domain.tld to LetsEncrypt domains, this URL does not resolve to Jitsi, but to UCS Portal.
As a side effect (I assume), mobile Jitsi apps(Android and iOS) do not connect to the UCS Jitsi instance. Using a browser everything including LDAP login is fine (besides the untrusted certificate).

Regards,
Karsten

Kevo · June 2, 2020, 9:29pm

See this bug for more info and a way to fix it.

https://forge.univention.org/bugzilla/show_bug.cgi?id=51365

kthomas · June 3, 2020, 6:41am

Thanks - I tried that, but this vhost.conf does not reflect which domain is used, so after setting the symlink, every domain including domain.tld and management console points to jitsi.domain.tld.

kthomas · June 3, 2020, 8:15am

Meanwhile it works on an interim basis
Since the Virtualhost section for jitsi was missing completely, I added it in /etc/apache2/sites-available:

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName jitsi.ucs2.domain.tld
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt_20200601-213522
#       SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key

        ProxyPass / http://localhost:8888/ retry=0
        ProxyPassReverse / http://localhost:8888/
</VirtualHost>

Regarding two aspects I am not sure how the final solution should be set up.

1.) univention-letsencrypt.conf seems to be autogenerated, so the jitsi part has to be configured (hard-coded) in /etc/univention/templates/files/etc/apache2/sites-available/univention-letsencrypt.conf ?
How can I re-generate the conf file from the template manually?

2.) For generating a letsencrypt SSL certificate, I have to add jitsi.domain.tld in LE settings. After that a virtualhost section in the above mentioned config file is generated, but for all apps - including wekan, nextcloud etc., but without jitsi, with the result, that jitsi points to UCS portal.
The missing jitsi line I can add by the workaround above, but how can I prevent these additional entries in univention-letsencrypt.conf?

Thanks and regards,
Karsten

lebernd · June 3, 2020, 5:46pm

For a working setup I would suggest:

subdomain registration in letsencrypt for SUBDOMAIN.DOMAIN.TLD
change external url in through the jitsi-app (umc)
write a vhost-file under /etc/apache2/sites-available/ much like the one above:

<VirtualHost *:443>
        ServerName SUBDOMAIN.DOMAIN.TLD
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key

       ProxyPass / http://localhost:8888/ retry=0
       ProxyPassReverse / http://localhost:8888/

</VirtualHost>

a2ensite des vhosts + systemctl reload apache2

Best,
Bernd

lebernd · June 3, 2020, 5:53pm

Hi @kthomas

the command is: ucr commit <etc-file> you find everything for the templates in the developer docs

But I don’t think you should edit this file. If you want a solution with a template - make a new one, register it etc. Like this you can solve the problems posed by your second question.

Best,
Bernd

kthomas · June 3, 2020, 9:08pm

Thank you very much - everything works fine, certificate is loaded and mobile apps are working.