Problem renewing the certificate #1834
Comments
The certificate is not renewed unless necessary, why do you need to force it? |
There was 1 day left before the certificate expired, so I was trying to force the renewal. The other times I managed to renew with a few days left. |
That's odd. Do you have the output of the container when it ran? Any logs in the web folder? |
Failed to obtain a certificate from the Let's Encrypt CA. |
I am getting this error while trying to configure jitsi on docker. The web container is not able to get a valid Let's Encrypt CA, while the hostname is associated on IP and I am able to ping it as well. |
Do you have both ports 80 and 443 open and pointing to the server? |
Yes, both ports 80 and 443 are open on the VM and pointing to the web server. But still it's not able to generate the certificates. Checking inside it, I think there's some process called socat using port 80 inside the web container. |
Yes socat is what acme.sh is using |
Does this only happen when renewing or also when you wipe the config directory and start anew? |
No.. I faced this issue while installing jitsi from scratch. Both with the latest as well as the stable version. |
Hum that's odd. I'll try again and see if I can repro. I suppose your domain is correctly configured to point to the public IP of your server, right? |
Yes, the domain is correctly pointing to my VM's IP. I have verified the same. Let me know if you want the logs too. I could provide that if that would be helpful. |
I noticed that this issue came after the ZeroSSL change. Older versions of Jitsi with Letsencrypt are not affected (for example 9364-1). As a general mention: it is still called Letsencrypt in the config files and partially in the logs. This extended the problem-search a lot by confusing me at first :D Is there a way to test the latest version with a different CA? |
You can try modifying the web container and pass this setting: https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL |
Thank you very much for the link. It answers a lot of questions:
Will test later and report, if it worked |
Yeah, we missed that :-/
Not sure that is the case... I started from scratch on one of my environments (wiping away .jitsi-meet-cfg) and thus it started fresh with ZeroSSL.
I'd be surprised if it's a ZeroSSL specific error, since acme.sh users would have noticed I guess. Maybe there is some bug in the way we use it (standalone). |
Running |
I'd take a PR allowing the server to be configurable, if you're up for it. |
I think we'd need to find the root cause first. Reading the comments above suggests that this not only happens after upgrades but also for fresh installs. Another question is why it even tries to use ZeroSSL despite the current certificate being issued by Lets Encrypt. The acme.sh docs clearly state that it should keep using Lets Encrypt in that case. |
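For the two things the thread keeps checking by hand (how close the certificate is to expiry, and which CA issued it), here is an added example that is not from the issue or from the Jitsi project: it inspects a PEM certificate with `openssl`. The function names, the 30-day default window and the certificate path you pass in are assumptions.

```shell
#!/bin/sh
# Added example (not project code): report the issuing CA and renewal state
# of a PEM certificate. The 30-day window below is an assumed default.

# issuer_ca FILE -> prints letsencrypt | zerossl | other
issuer_ca() {
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    case "$issuer" in
        *"Let's Encrypt"*) echo letsencrypt ;;
        *ZeroSSL*)         echo zerossl ;;
        *)                 echo other ;;
    esac
}

# renewal_state FILE DAYS -> prints expired | due | ok
# -checkend N exits non-zero when the certificate expires within N seconds.
renewal_state() {
    window=$(( $2 * 86400 ))
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "$window" >/dev/null 2>&1; then
        echo due
    else
        echo ok
    fi
}

# cert_report FILE [DAYS] -> one summary line suitable for a log or a monitor
cert_report() {
    days=${2:-30}
    ca=$(issuer_ca "$1") || { echo "unreadable $1"; return 2; }
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo "ca=$ca state=$(renewal_state "$1" "$days") notAfter=$end"
}

# Stand-alone use: sh cert_report.sh /path/to/fullchain.pem [days]
if [ "$#" -gt 0 ]; then
    cert_report "$@"
fi
```

A `state=due` line alongside a `ca=` value that differs from the CA the ACME client is now configured for is the situation discussed in this thread.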
Agreed. The last thing might be related to the major version update, so I'm not sure. |
I saw an issue in their Git. But hard to tell, if users just forgot to open closed ports. I can confirm that after updating to the latest jitsi version the following command renewed the cert without issue:
This (probably) means that updating from an older version or running @timoschwarzer's command works around the issue. Some P.S.: Not that my opinion matters on your project, but just mentioning the obvious: It probably makes sense to release a hotfix by changing default CA back to letsencrypt |
I run a fresh copy of Jitsi in a new folder and copied the .env there. This is the error message zerossl gives, when opening the link to zerossl provided in the logs:
Cropped part of the log:
This log is somehow different from the log which I had before and which got posted above:
(log copied from @yumibad's message above) |
As a less terrible workaround, you could disable letsencrypt, use certbot to get the certificates ready, and place them in $CONFIG_DIR/web/keys and $CONFIG_DIR/data as follows:
|
I'm using jitsi version 9457-2 and the acme version is v3.0.7.
I tried to update the certificate, but without success.
I saw that cron ran ("/config/acme.sh"/acme.sh --cron --home "/config/acme.sh" > /dev/null). Then I do a "docker-compose down" and then "docker-compose up -d", but the certificate does not renew.
Does anyone know how to solve this problem?