
web: add builtin Let's Encrypt support

Saúl Ibarra Corretgé 6 years ago
parent
commit
f61ef3f093

+ 19 - 6
README.md

@@ -51,11 +51,8 @@ A Jitsi Meet installation can be broken down into the following components:
 
 ![](resources/docker-jitsi-meet.png)
 
-The diagram shows a typical deployment in a host running Docker, with a separate container
-(not included in this project) which acts as a reverse proxy and SSL terminator, then
-passing the traffic to the web container serving Jitsi Meet.
-
-This project separates each of the components above into interlinked containers. To this end,
+The diagram shows a typical deployment in a host running Docker. This project
+separates each of the components above into interlinked containers. To this end,
 several container images are provided.
 
 ### Images
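Review bot: the sentence about an external reverse proxy / SSL terminator is dropped entirely, but the self-signed and bring-your-own-keys path in /config/keys still exists when `ENABLE_LETSENCRYPT` is not set. Keep one sentence stating that terminating TLS in a separate proxy container remains a supported deployment, so readers do not conclude that the built-in Let's Encrypt path is now the only option.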
@@ -91,6 +88,23 @@ Variable | Description | Example
 `HTTPS_PORT` | Exposed port for HTTPS traffic | 8443
 `DOCKER_HOST_ADDRESS` | IP address of the Docker host, needed for LAN environments | 192.168.1.1
 
+**NOTE**: The mobile apps won't work with self-signed certificates (the default)
+see below for instructions on how to obtain a proper certificate with Let's Encrypt.
+
+### Let's Encrypt configuration
+
+If you plan on exposing this container setup to the outside traffic directly and
+want a proper TLS certificate, you are in luck because Let's Encrypt support is
+built right in. Here are the required options:
+
+Variable | Description | Example
+--- | --- | ---
+`ENABLE_LETSENCRYPT` | Enable Let's Encrypt certificate generation | 1
+`LETSENCRYPT_DOMAIN` | Domain for which to generate the certificate | meet.example.com
+`LETSENCRYPT_EMAIL` | E-Mail for receiving important account notifications (mandatory) | alice@atlanta.net
+
+In addition, you will need to set `HTTP_PORT` to 80 and `HTTPS_PORT` to 443.
+
 ### SIP gateway configuration
 
 If you want to enable the SIP gateway, these options are required:
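Review bot: the NOTE at the top of the hunk runs two sentences together ("(the default) see below"); add a period after "(the default)". The section should also state what the standalone HTTP-01 challenge requires: port 80 of the host must be reachable from the internet both when the container first starts and at every renewal, and the issued certificate, private key and ACME account end up under /etc/letsencrypt inside the container (the path the new ssl.conf reads), which must be on a persistent volume or each container recreation requests a fresh certificate and quickly hits Let's Encrypt rate limits. The example e-mail `alice@atlanta.net` uses a real-looking domain; an address at example.com would be safer in documentation.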
@@ -162,7 +176,6 @@ option.
 * Support multiple Jitsi Videobridge containers.
 * Support container replicas (where applicable).
 * Docker Swarm mode.
-* Native Let's Encrypt support.
 * More services:
   * Jibri.
   * TURN server.

+ 3 - 0
docker-compose.yml

@@ -12,7 +12,10 @@ services:
         environment:
             - ENABLE_AUTH
             - ENABLE_GUESTS
+            - ENABLE_LETSENCRYPT
             - JICOFO_AUTH_USER
+            - LETSENCRYPT_DOMAIN
+            - LETSENCRYPT_EMAIL
             - XMPP_DOMAIN
             - XMPP_AUTH_DOMAIN
             - XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
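Review bot: only environment variables are passed through here; no volume is declared for /etc/letsencrypt, the directory the new ssl.conf template and 10-config rely on, so the certificate, its private key and the ACME account key live in the container's writable layer and are lost on `docker-compose up --force-recreate` or an image upgrade, after which 10-config re-issues from scratch. Add a volume for /etc/letsencrypt (or point certbot at a directory under the existing /config volume with `--config-dir`) so re-issuance does not happen on every recreate.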

+ 14 - 0
env.example

@@ -19,6 +19,20 @@ TZ=Europe/Amsterdam
 #DOCKER_HOST_ADDRESS=192.168.1.1
 
 
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation.
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate.
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory).
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+
 #
 # Basic Jigasi configuration options (needed for SIP gateway support)
 #

BIN
resources/docker-jitsi-meet.png


The file diff has been suppressed because it is too large
+ 0 - 0
resources/docker-jitsi-meet.xml


+ 2 - 1
web/Dockerfile

@@ -2,7 +2,8 @@ FROM jitsi/base
 
 RUN \
 	apt-dpkg-wrap apt-get update && \
-	apt-dpkg-wrap apt-get install -y nginx-extras jitsi-meet-web && \
+	apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web && \
+	apt-dpkg-wrap apt-get install -y -t stretch-backports certbot && \
 	apt-cleanup && \
 	rm -f /etc/nginx/conf.d/default.conf && \
 	rm -f /usr/share/jitsi-meet/interface_config.js
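Review bot: the second `apt-get install` uses `-t stretch-backports`, which assumes the backports suite is already configured in `jitsi/base`; if it is not, the build fails with an unknown release error, so either add the source here or document the dependency on the base image. Note also that certbot and cron are installed unconditionally, so the web image carries certbot's Python dependency set even when `ENABLE_LETSENCRYPT` is unset; acceptable, but worth a comment in the Dockerfile.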

+ 10 - 0
web/rootfs/defaults/letsencrypt-renew

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# stop nginx
+s6-svc -u /var/run/s6/services/nginx
+
+# renew cert
+certbot -n renew >> /config/le-renew.log
+
+# start nginx
+s6-svc -u /var/run/s6/services/nginx
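Review bot: the step commented "stop nginx" runs `s6-svc -u`, which brings the service up; it must be `s6-svc -d` (better `s6-svc -wd -d ...` so the script waits until nginx has really released port 80 before certbot's standalone authenticator binds it). As written nginx is never stopped, the standalone challenge fails on the occupied port, and the failure is only visible in /config/le-renew.log. Consider delegating this to `certbot renew --pre-hook`/`--post-hook` so nginx is stopped only when a renewal is actually attempted, and reconsider /etc/cron.monthly: one attempt per month against certbot's 30-day renewal window means a single failed run leaves an expired certificate, whereas a daily job is harmless because certbot skips certificates that are not yet due.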

+ 5 - 0
web/rootfs/defaults/ssl.conf

@@ -7,8 +7,13 @@ ssl_session_tickets off;
 ssl_dhparam /config/nginx/dhparams.pem;
 
 # ssl certs
+{{ if .Env.ENABLE_LETSENCRYPT }}
+ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem;
+{{ else }}
 ssl_certificate /config/keys/cert.crt;
 ssl_certificate_key /config/keys/cert.key;
+{{ end }}
 
 # protocols
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
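Review bot: `{{ if .Env.ENABLE_LETSENCRYPT }}` is true for any non-empty string, so `ENABLE_LETSENCRYPT=0` selects the Let's Encrypt branch here while 10-config's `-eq 1` test takes the self-signed branch; nginx then points at a non-existent /etc/letsencrypt/live/... path and refuses to start. Use the same condition in both places, e.g. `{{ if eq .Env.ENABLE_LETSENCRYPT "1" }}` assuming `tpl` renders Go templates as the `.Env` syntax suggests. Visible in the unchanged context: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled on what is now a publicly trusted certificate; that deserves a follow-up.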

+ 20 - 6
web/rootfs/etc/cont-init.d/10-config

@@ -8,12 +8,26 @@ mkdir -p \
     /var/tmp/nginx
 
 # generate keys (maybe)
-if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
-	echo "using keys found in /config/keys"
+if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
+    if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
+        certbot certonly \
+            --noninteractive \
+            --standalone \
+            --preferred-challenges http \
+            -d $LETSENCRYPT_DOMAIN \
+            --agree-tos \
+            --email $LETSENCRYPT_EMAIL
+        cp /defaults/letsencrypt-renew /etc/cron.monthly/
+    fi
 else
-	echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
-	SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
-	openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+    # use self-signed certs
+    if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
+        echo "using keys found in /config/keys"
+    else
+        echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
+        SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
+        openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+    fi
 fi
 
 # copy config files
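Review bot: the renewal cron job is installed only inside the `! -f .../fullchain.pem` branch, so on any start where the certificate already exists (persistent /etc/letsencrypt volume, or a plain restart of the same container) /etc/cron.monthly/letsencrypt-renew is never copied and the certificate silently expires after 90 days; move the `cp` out of the inner `if`. The exit status of `certbot certonly` is also not checked: when issuance fails (port 80 unreachable, DNS not yet pointing at the host, rate limit) the script continues, nginx starts against a missing certificate path and enters a restart loop; test the result and either exit non-zero with a clear message or fall back to the self-signed branch. Quote `"$LETSENCRYPT_DOMAIN"` and `"$LETSENCRYPT_EMAIL"`, and note that `[[ $ENABLE_LETSENCRYPT -eq 1 ]]` aborts with an arithmetic error on values such as `true`.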
@@ -22,7 +36,7 @@ if [[ ! -f /config/nginx/nginx.conf ]]; then
 fi
 
 if [[ ! -f /config/nginx/ssl.conf ]]; then
-    cp /defaults/ssl.conf /config/nginx/ssl.conf
+    tpl /defaults/ssl.conf > /config/nginx/ssl.conf
 fi
 
 if [ ! -f "/config/nginx/dhparams.pem" ]; then
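Review bot: ssl.conf is rendered only when /config/nginx/ssl.conf does not yet exist, so toggling `ENABLE_LETSENCRYPT` or changing `LETSENCRYPT_DOMAIN` on an existing /config volume never reaches nginx. Either render the template on every start (it is a default, not user-edited data) or document that the file must be removed to pick up the change.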

+ 3 - 0
web/rootfs/etc/services.d/cron/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+exec cron -f
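Review bot: the cron service is started unconditionally, even when `ENABLE_LETSENCRYPT` is unset and nothing is scheduled; since s6 restarts a run script that exits, guard it by having 10-config create a `down` file in /etc/services.d/cron when the feature is disabled rather than exiting from the run script.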

+ 1 - 1
web/rootfs/etc/services.d/nginx/run

@@ -1,3 +1,3 @@
 #!/usr/bin/with-contenv bash
-nginx -c /config/nginx/nginx.conf
 
+exec nginx -c /config/nginx/nginx.conf
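Review bot: this `exec` deserves a line in the commit message: without it s6 supervised the wrapper shell rather than nginx itself, so signals sent through `s6-svc` from the renewal script would not have reached the nginx process.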

Some files were not shown because too many files changed in this diff