Jitsi server (web conferencing) installation 2 (Nginx edition)

Updated 2020-05-20 (Wed) 16:04:02

With an installation that used Apache as the web server and switched to a Let's Encrypt SSL certificate afterwards, smartphones (Android, iPhone) could not connect.

However, even with this installation, the iPhone + SoftBank combination still produced the same error. The same iPhone connects without problems over Wi-Fi, and iPhones on DoCoMo or AEON Mobile can also connect.

The Android + SoftBank combination has not been checked.

スマホエラー.png

After changing the web server to Nginx and using a Let's Encrypt SSL certificate from the start, smartphones were able to connect. Whether the cause was the web server or the SSL certificate is unclear.

Ubuntu is installed the same way as in the Apache edition

After [[setting up the network>turboLinux_White Box Enterprise Linux_Fedora Core_Red Hat Memo/Network ]] so that the server can be reached via its global IP and changing the time zone, the same settings as from "Settings for using Ubuntu with Jitsi (web conferencing)" onward were applied.

Set the host name first

Checking and changing the host name

The host name goes in /etc/hostname and the domain name in /etc/hosts

/etc/hosts

127.0.0.1 meeting.hoge-c.com meeting localhost
# 127.0.1.1 meeting    ← commented out because 127.0.1.1 seems to cause a bug

/etc/hostname

meeting

The actual configuration starts from "About the SSL certificate".

Install and enable Nginx

Note: the Nginx server acts as a reverse proxy for the Jitsi web interface. If neither Nginx nor Apache is present on the system, Jitsi Meet installs Jetty automatically during installation.

# apt install -y nginx
(omitted)
Processing triggers for ufw (0.36-0ubuntu0.18.04.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...

Start the service

# systemctl start nginx.service

Enable the service at boot

# systemctl enable nginx.service
Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nginx

Only for Ubuntu 18.04: install OpenJDK 8

# apt install openjdk-8-jre-headless
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  ca-certificates-java java-common libavahi-client3 libavahi-common-data
  libavahi-common3 libcups2 liblcms2-2 libnspr4 libnss3 libpcsclite1 libxi6
  libxrender1 libxtst6 x11-common
Suggested packages:
  default-jre cups-common liblcms2-utils pcscd libnss-mdns fonts-dejavu-extra
  fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei
  fonts-wqy-zenhei fonts-indic
The following NEW packages will be installed:
  ca-certificates-java java-common libavahi-client3 libavahi-common-data
  libavahi-common3 libcups2 liblcms2-2 libnspr4 libnss3 libpcsclite1 libxi6
  libxrender1 libxtst6 openjdk-8-jre-headless x11-common
0 upgraded, 15 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.3 MB of archives.
After this operation, 107 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
(omitted)

Installing Jitsi

# apt install -y jitsi-meet
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  coturn jicofo jitsi-meet-prosody jitsi-meet-turnserver jitsi-meet-web
  jitsi-meet-web-config jitsi-videobridge2 libevent-core-2.1-6
  libevent-extra-2.1-6 libevent-openssl-2.1-6 libevent-pthreads-2.1-6
  libhiredis0.13 libmysqlclient20 libpq5 lua-bitop lua-event lua-expat
  lua-filesystem lua-sec lua-socket lua5.1 mysql-common prosody ssl-cert
Suggested packages:
  sip-router lua-dbi-mysql lua-dbi-postgresql lua-dbi-sqlite3 lua-zlib
  openssl-blacklist
The following NEW packages will be installed:
  coturn jicofo jitsi-meet jitsi-meet-prosody jitsi-meet-turnserver
  jitsi-meet-web jitsi-meet-web-config jitsi-videobridge2 libevent-core-2.1-6
  libevent-extra-2.1-6 libevent-openssl-2.1-6 libevent-pthreads-2.1-6
  libhiredis0.13 libmysqlclient20 libpq5 lua-bitop lua-event lua-expat
  lua-filesystem lua-sec lua-socket lua5.1 mysql-common prosody ssl-cert
0 upgraded, 25 newly installed, 0 to remove and 0 not upgraded.
Need to get 90.7 MB of archives.
After this operation, 137 MB of additional disk space will be used. 
(omitted)

jitsi_inst.png

nginxinst.png

Select "Generate a new self-signed・・・・・".

(omitted)

Setting up jitsi-meet-turnserver (1.0.4074-1) ...
Processing triggers for systemd (237-3ubuntu10.39) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ufw (0.36-0ubuntu0.18.04.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...

Obtain a Let's Encrypt SSL certificate

# /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
-------------------------------------------------------------------------
This script will:
- Need a working DNS record pointing to this machine(for domain meeting.hoge-c.com)
- Download certbot-auto from https://dl.eff.org to /usr/local/sbin
- Install additional dependencies in order to request Let’s Encrypt certificate
- If running with jetty serving web content, will stop Jitsi Videobridge
- Configure and reload nginx or apache2, whichever is used
- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
- Add command in weekly cron job to renew certificates regularly

You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
by providing an email address for important account notifications
Enter your email and press [ENTER]: okada@hoge-c.com    ← email address
--2020-04-14 14:11:57--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 151.101.88.201, 2a04:4e42:15::201
Connecting to dl.eff.org (dl.eff.org)|151.101.88.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 80073 (78K) [application/octet-stream]
Saving to: ‘certbot-auto’
(omitted)
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
Output from deploy-hook command 0000-coturn-certbot-deploy.sh:
Configuring turnserver


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/meet.ootsuji-c.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/meet.ootsuji-c.com/privkey.pem
   Your cert will expire on 2020-08-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Configuring nginx
  • Reboot the OS

Starting up

Access

https://meeting.hoge-c.com/

"Restricting meeting-room creation to users", "Opening message" and so on are the same as in the Apache edition.

Renewing the Let's Encrypt certificate

Check for certbot

$ dpkg-query -l | grep certbot

If it is not installed, install it.

# apt -y install certbot

The first time, verify with the "--dry-run" option.

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/meet.ootsuji-c.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 1.4.0 renewal configuration file found at /etc/letsencrypt/renewal/meet.ootsuji-c.com.conf with version 0.27.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for meet.ootsuji-c.com
Waiting for verification...
Cleaning up challenges
Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
Skipping deploy-hook '/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh' as it was already run.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/meet.ootsuji-c.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/meet.ootsuji-c.com/fullchain.pem (success)  ← looks like success
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
     [when there is an error, it is displayed around here]
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Renew the Let's Encrypt certificate

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/meet.ootsuji-c.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 1.4.0 renewal configuration file found at /etc/letsencrypt/renewal/meet.ootsuji-c.com.conf with version 0.27.0 of Certbot. This might not work.
Cert not yet due for renewal  ← not renewed while plenty of validity remains (it seems renewal becomes possible once less than 3 weeks are left)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/meet.ootsuji-c.com/fullchain.pem expires on 2020-08-06 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Force-renew the Let's Encrypt certificate

# certbot renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/meet.ootsuji-c.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 1.4.0 renewal configuration file found at /etc/letsencrypt/renewal/meet.ootsuji-c.com.conf with version 0.27.0 of Certbot. This might not work.
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for meet.ootsuji-c.com
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
Output from 0000-coturn-certbot-deploy.sh:
Configuring turnserver

Skipping deploy-hook '/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh' as it was already run.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/meet.ootsuji-c.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/meet.ootsuji-c.com/fullchain.pem (success)   ← success
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • After each renewal, numbered files are added to the folder below

The example below is the state after the second renewal

/etc/letsencrypt/archive/meet.hoge-c.com

# ls -l
total 32
-rw-r--r-- 1 root root 1919 May  8 14:12 cert1.pem
-rw-r--r-- 1 root root 1919 May 11 15:52 cert2.pem
-rw-r--r-- 1 root root 1647 May  8 14:12 chain1.pem
-rw-r--r-- 1 root root 1647 May 11 15:52 chain2.pem
-rw-r--r-- 1 root root 3566 May  8 14:12 fullchain1.pem
-rw-r--r-- 1 root root 3566 May 11 15:52 fullchain2.pem
-rw------- 1 root root 1708 May  8 14:12 privkey1.pem
-rw-r--r-- 1 root root 1704 May 11 15:52 privkey2.pem

Restart Nginx

# systemctl restart nginx

Nginx

Document Root

The files in sites-enabled are symbolic links to files in /etc/nginx/sites-available.

/etc/nginx/sites-enabled/default

server {
        listen 80 default_server;
        listen [::]:80 default_server;
(omitted)
        root /var/www/html;    ← here
  • After Jitsi Meet is installed, /etc/nginx/sites-enabled/meet.hoge-c.com.conf is created

A configuration file can be created per site. Since this site is "meet.hoge-c.com", the configuration file name is "meet.hoge-c.com.conf"; in general it takes the form below

{service_name}.conf

/etc/nginx/sites-enabled/meet.hoge-c.com.conf

server {
    listen 80;
    listen [::]:80;
    server_name meet.hoge-c.com;    ← server_name specifies the server name

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /usr/share/jitsi-meet;   ← Document Root
    }
    location = /.well-known/acme-challenge/ {
       return 404;
    }
    location / {
       return 301 https://$host$request_uri;  ← redirect from http to https
    }
}

Where the SSL certificate is specified in Nginx

/etc/nginx/sites-enabled/meet.hoge-c.com.conf

server {
    listen 4444 ssl http2;
    listen [::]:4444 ssl http2;
    server_name vmmeeting.ootsuji-c.com;
(omitted)

    ssl_certificate /etc/letsencrypt/live/meeting.hoge-c.com/fullchain.pem;  ← web server certificate + intermediate CA certificate file
    ssl_certificate_key /etc/letsencrypt/live/meeting.hoge-c.com/privkey.pem;  ← private key file

Location of the Let's Encrypt SSL certificate

/etc/letsencrypt/live/meet.hoge-c.com

# ls -l
total 4
lrwxrwxrwx 1 root root  42 May 20 10:10 cert.pem -> ../../archive/meet.hoge-c.com/cert2.pem
lrwxrwxrwx 1 root root  43 May 20 10:10 chain.pem -> ../../archive/meet.hoge-c.com/chain2.pem
lrwxrwxrwx 1 root root  47 May 20 10:10 fullchain.pem -> ../../archive/meet.hoge-c.com/fullchain2.pem
lrwxrwxrwx 1 root root  45 May 20 10:10 privkey.pem -> ../../archive/meet.hoge-c.com/privkey2.pem
-rw-r--r-- 1 root root 692 May 13 14:49 README
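As an added example (not code from the original page), a Python check for the state shown in the archive listing after renewal and in the live listing above: every live/*.pem symlink should resolve to the newest numbered file in archive/, and no privkey*.pem in archive/ should be group- or world-readable (in the archive listing above privkey1.pem is 0600 but privkey2.pem is 0644). The live and archive directory paths are assumed arguments, laid out like /etc/letsencrypt/{live,archive}/<domain>.

```python
import os
import re
import stat
from pathlib import Path

# Let's Encrypt archive file names look like cert2.pem, privkey2.pem, ...
ARCHIVE_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def latest_archive_version(archive_dir):
    """Return the highest number N found among certN.pem/chainN.pem/... (None if empty)."""
    versions = [int(m.group(2)) for p in Path(archive_dir).iterdir()
                if (m := ARCHIVE_RE.match(p.name))]
    return max(versions) if versions else None


def check_letsencrypt_tree(live_dir, archive_dir):
    """Return a list of findings; an empty list means live/ and archive/ are consistent.

    live_dir / archive_dir: assumed paths such as /etc/letsencrypt/live/<domain>
    and /etc/letsencrypt/archive/<domain> (the directories shown in the listings).
    """
    findings = []
    latest = latest_archive_version(archive_dir)
    if latest is None:
        return ["archive directory contains no certN.pem files"]

    # 1. Each live/<name>.pem must be a symlink to archive/<name><latest>.pem.
    #    nginx reads the live/ paths, so a stale link means the old cert is served.
    for name in ("cert", "chain", "fullchain", "privkey"):
        link = Path(live_dir) / f"{name}.pem"
        if not link.is_symlink():
            findings.append(f"{link} is not a symlink")
            continue
        target = os.path.realpath(link)  # resolves the relative ../../archive/... target
        expected = os.path.realpath(Path(archive_dir) / f"{name}{latest}.pem")
        if target != expected:
            findings.append(f"{link} -> {target}, expected {expected}")

    # 2. Private keys must not be readable by group or others (0600 like privkey1.pem).
    for key in sorted(Path(archive_dir).glob("privkey*.pem")):
        mode = stat.S_IMODE(key.lstat().st_mode)
        if mode & 0o077:
            findings.append(f"{key} mode {mode:04o} is group/world readable")
    return findings


if __name__ == "__main__":
    # Example invocation with the page's domain; run as root on the server.
    for line in check_letsencrypt_tree("/etc/letsencrypt/live/meet.hoge-c.com",
                                       "/etc/letsencrypt/archive/meet.hoge-c.com"):
        print(line)
```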

Reference pages

