Letsencrypt Certificate for Jitsi App?

Hi there,

glad to see Jitsi app added to UCS - great!

I am wondering if the URL jitsi.domain.tld can be included in Let's Encrypt. By default, a UCS SSL certificate is generated, which causes untrusted-certificate warnings in the browser.
If I just add jitsi.domain.tld to the Let's Encrypt domains, this URL does not resolve to Jitsi but to the UCS Portal.
As a side effect (I assume), the mobile Jitsi apps (Android and iOS) do not connect to the UCS Jitsi instance. Using a browser, everything including LDAP login is fine (apart from the untrusted certificate).

Regards,
Karsten

See this bug for more info and a way to fix it.

https://forge.univention.org/bugzilla/show_bug.cgi?id=51365

Thanks - I tried that, but this vhost.conf does not reflect which domain is used, so after setting the symlink, every domain, including domain.tld and the management console, points to jitsi.domain.tld.

In the meantime it works on an interim basis :slight_smile:
Since the VirtualHost section for Jitsi was missing completely, I added it in /etc/apache2/sites-available:

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName jitsi.ucs2.domain.tld
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt_20200601-213522
#       SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key

        ProxyPass / http://localhost:8888/ retry=0
        ProxyPassReverse / http://localhost:8888/
</VirtualHost>

Regarding two aspects I am not sure how the final solution should be set up.

1.) univention-letsencrypt.conf seems to be autogenerated, so does the Jitsi part have to be configured (hard-coded) in /etc/univention/templates/files/etc/apache2/sites-available/univention-letsencrypt.conf?
How can I re-generate the conf file from the template manually?

2.) For generating a Let's Encrypt SSL certificate, I have to add jitsi.domain.tld in the LE settings. After that a VirtualHost section is generated in the above-mentioned config file, but for all apps, including wekan, nextcloud etc., except Jitsi, with the result that jitsi.domain.tld points to the UCS Portal.
The missing Jitsi entry I can add with the workaround above, but how can I prevent these additional entries in univention-letsencrypt.conf?

Thanks and regards,
Karsten

For a working setup I would suggest:

  1. register the subdomain SUBDOMAIN.DOMAIN.TLD in Let's Encrypt
  2. change the external URL through the Jitsi app (UMC)
  3. write a vhost file under /etc/apache2/sites-available/, much like the one above:
<VirtualHost *:443>
        ServerName SUBDOMAIN.DOMAIN.TLD
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key

        ProxyPass / http://localhost:8888/ retry=0
        ProxyPassReverse / http://localhost:8888/

</VirtualHost>
  4. a2ensite the vhost + systemctl reload apache2

Best,
Bernd
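The four steps above, and Karsten's earlier workaround vhost, as one script. This is an added example and not code from the thread or from Univention; it follows the paths the thread uses (/etc/univention/letsencrypt/signed_chain.crt, domain.key, the Jitsi web container on localhost:8888) and assumes the subdomain jitsi.example.test and the "render"/"install" entry points for illustration. Before writing anything it checks that the Let's Encrypt certificate actually lists the subdomain as a SAN (step 1), and it runs apachectl configtest before the reload so a typo in the vhost cannot take the whole portal down. Because the backend is plain http://, the SSLProxyEngine and SSLProxyCheckPeer* directives from the thread's vhosts are left out: they only affect https:// backends, and switching the checks off there would disable certificate validation of the proxied connection.

```shell
#!/bin/sh
# Added example (not from the thread or from Univention): render, check and
# enable an Apache vhost that forwards https://SUBDOMAIN/ to the Jitsi web
# container. Assumptions: subdomain and ports are passed as arguments,
# the Let's Encrypt files live where the thread says they do.
set -eu

LE_DIR=/etc/univention/letsencrypt
SITES_DIR=/etc/apache2/sites-available

vhost_path() {            # $1 = fqdn -> file the vhost is written to
    printf '%s/%s.conf\n' "$SITES_DIR" "$1"
}

# Render the vhost. The backend is plain HTTP on localhost, so no
# SSLProxyEngine / SSLProxyCheckPeer* directives are needed here.
render_vhost() {          # $1 = fqdn, $2 = backend port
    cat <<EOF
<VirtualHost *:443>
        ServerName $1
        SSLEngine on

        SSLCertificateFile $LE_DIR/signed_chain.crt
        SSLCertificateKeyFile $LE_DIR/domain.key

        ProxyPass / http://localhost:$2/ retry=0
        ProxyPassReverse / http://localhost:$2/
</VirtualHost>
EOF
}

# Step 1 check: the certificate must list the subdomain as a SAN, otherwise
# the browser warning only changes from "unknown CA" to "name mismatch".
cert_covers() {           # $1 = fqdn, $2 = certificate file
    openssl x509 -in "$2" -noout -text 2>/dev/null \
      | grep -A1 'Subject Alternative Name' \
      | grep -qE "DNS:$1(,|\$)"
}

# Steps 3 and 4: write the vhost, enable it, test the config, then reload.
install_vhost() {         # $1 = fqdn, $2 = backend port
    if ! cert_covers "$1" "$LE_DIR/signed_chain.crt"; then
        echo "$1 is not in $LE_DIR/signed_chain.crt; add it to the Let's Encrypt domains first" >&2
        return 1
    fi
    render_vhost "$1" "$2" > "$(vhost_path "$1")"
    a2ensite "$1.conf"
    apachectl configtest   # refuse to reload a broken configuration
    systemctl reload apache2
}

# Usage:  ./jitsi-vhost.sh render  jitsi.example.test [8888]   (print only)
#         ./jitsi-vhost.sh install jitsi.example.test [8888]   (as root)
case "${1:-}" in
    render)  render_vhost "$2" "${3:-8888}" ;;
    install) install_vhost "$2" "${3:-8888}" ;;
esac
```

Run it with `render` first and compare the output with the vhost above; `install` is the part that needs root. Step 2 (the external URL in the Jitsi app settings) is still done in the UMC, since that value has to match the ServerName for the mobile apps to connect.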


Hi @kthomas

The command is: ucr commit <etc-file>. You find everything about the templates in the developer docs.

But I don’t think you should edit this file. If you want a solution with a template - make a new one, register it etc. Like this you can solve the problems posed by your second question.

Best,
Bernd

Thank you very much - everything works fine, certificate is loaded and mobile apps are working.
