feat: Adds LE choice when installing debian package. (#12154)

* feat: Adds LE choice when installing debian package.

* Update debian/jitsi-meet-web-config.templates

Co-authored-by: raluca8x8 <raluca.tocmag@8x8.com>

* squash: Print in the console the JaaS link everytime.

* squash: Note that JaaS does not support self-signed certs.

* squash: Fix message.

* squash: Moves acme.sh stuff into a script, so it is easy to re-run.

Co-authored-by: raluca8x8 <raluca.tocmag@8x8.com>

debian/control

@@ -20,7 +20,7 @@ Description: WebRTC JavaScript video conferences
 
 Package: jitsi-meet-web-config
 Architecture: all
-Depends: openssl, nginx | nginx-full | nginx-extras | apache2
+Depends: openssl, nginx | nginx-full | nginx-extras | apache2, curl
 Description: Configuration for web serving of Jitsi Meet
  Jitsi Meet is a WebRTC JavaScript application that uses Jitsi
  Videobridge to provide high quality, scalable video conferences.

debian/jitsi-meet-turnserver.install

@@ -1,3 +1,2 @@
 doc/debian/jitsi-meet-turn/turnserver.conf          /usr/share/jitsi-meet-turnserver/
 doc/debian/jitsi-meet/jitsi-meet.conf               /usr/share/jitsi-meet-turnserver/
-doc/debian/jitsi-meet-turn/coturn-certbot-deploy.sh /usr/share/jitsi-meet-turnserver/

debian/jitsi-meet-turnserver.postinst

@@ -107,7 +107,9 @@ denied-peer-ip=240.0.0.0-255.255.255.255" >> $TURN_CONFIG
         db_get jitsi-meet/cert-choice
         CERT_CHOICE="$RET"
 
-        if [ "$CERT_CHOICE" = "I want to use my own certificate" ] ; then
+        UPLOADED_CERT_CHOICE="I want to use my own certificate"
+        LE_CERT_CHOICE="Let's Encrypt certificates"
+        if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ]; then
             db_get jitsi-meet/cert-path-key
             CERT_KEY="$RET"
             db_get jitsi-meet/cert-path-crt
@@ -120,22 +122,13 @@ denied-peer-ip=240.0.0.0-255.255.255.255" >> $TURN_CONFIG
             CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
             CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
             sed -i "s/cert=\/etc\/jitsi\/meet\/.*crt/cert=$CERT_CRT_ESC/g" $TURN_CONFIG
+        elif [ "$CERT_CHOICE" = "$LE_CERT_CHOICE" ]; then
+            /usr/share/jitsi-meet/scripts/coturn-le-update.sh ${JVB_HOSTNAME}
         fi
 
         sed -i "s/#TURNSERVER_ENABLED/TURNSERVER_ENABLED/g" /etc/default/coturn
         invoke-rc.d coturn restart || true
 
-        NGINX_STREAM_CONFIG="/etc/nginx/modules-enabled/60-jitsi-meet.conf"
-        if [ -f $NGINX_STREAM_CONFIG ] ; then
-            echo "------------------------------------------------"
-            echo ""
-            echo "You have multiplexing enabled, it is recommended to disable it and migrate to using websockets for the bridge channel."
-            echo "The support for sctp data channels is deprecated and will be dropped at some point."
-            echo "How to do it at: https://jitsi.org/multiplexing-to-bridge-ws-howto"
-            echo ""
-            echo "------------------------------------------------"
-        fi
-
         # and we're done with debconf
         db_stop
     ;;

debian/jitsi-meet-web-config.postinst

@@ -75,6 +75,7 @@ case "$1" in
         JAAS_INPUT="$RET"
 
         UPLOADED_CERT_CHOICE="I want to use my own certificate"
+        LE_CERT_CHOICE="Let's Encrypt certificates"
         # if first time config ask for certs, or if we are reconfiguring
         if [ -z "$JVB_HOSTNAME_OLD" ] || [ "$RECONFIGURING" = "true" ] ; then
             RET=""
@@ -83,7 +84,7 @@ case "$1" in
             db_get jitsi-meet/cert-choice
             CERT_CHOICE="$RET"
 
-            if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ] ; then
+            if [ "$CERT_CHOICE" = "$UPLOADED_CERT_CHOICE" ]; then
                 RET=""
                 db_get jitsi-meet/cert-path-key
                 if [ -z "$RET" ] ; then
@@ -103,7 +104,7 @@ case "$1" in
                 fi
                 CERT_CRT="$RET"
             else
-                # create self-signed certs
+                # create self-signed certs (we also need them for the case of LE so we can start nginx)
                 CERT_KEY="/etc/jitsi/meet/$JVB_HOSTNAME.key"
                 CERT_CRT="/etc/jitsi/meet/$JVB_HOSTNAME.crt"
                 HOST="$( (hostname -s; echo localhost) | head -n 1)"
@@ -116,6 +117,17 @@ case "$1" in
                     -extensions SAN \
                     -config <(cat /etc/ssl/openssl.cnf \
                         <(printf "[SAN]\nsubjectAltName=DNS:localhost,DNS:$JVB_HOSTNAME"))
+
+                if [ "$CERT_CHOICE" = "$LE_CERT_CHOICE" ]; then
+                    db_subst jitsi-meet/email domain "${JVB_HOSTNAME}"
+                    db_input critical jitsi-meet/email || true
+                    db_go
+                    db_get jitsi-meet/email
+                    EMAIL="$RET"
+                    if [ ! -z "$EMAIL" ] ; then
+                        ISSUE_LE_CERT="true"
+                    fi
+                fi
             fi
         fi
 
@@ -208,36 +220,38 @@ case "$1" in
             invoke-rc.d apache2 reload || true
         fi
 
-        echo "----------------"
-        echo ""
-        echo "You can now switch to a Let’s Encrypt certificate. To do so, execute:"
-        echo "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh"
-        echo ""
-        echo "----------------"
+        if [ "$ISSUE_LE_CERT" = "true" ] ; then
+            /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh $EMAIL $JVB_HOSTNAME
+        fi
 
+        echo ""
+        echo ""
+        echo "       ;dOocd;"
+        echo "     .dNMM0dKO."
+        echo "     lNMMMKd0K,"
+        echo "    .xMMMMNxkNc"
+        echo "     dMMMMMkxXc"
+        echo "     cNMMMNl.."
         if [ "${JAAS_INPUT}" != "true" ]; then
-            echo ""
-            echo ""
-            echo "       ;dOocd;"
-            echo "     .dNMM0dKO."
-            echo "     lNMMMKd0K,"
-            echo "    .xMMMMNxkNc"
-            echo "     dMMMMMkxXc"
-            echo "     cNMMMNl.."
             echo "     .kMMMX;             Interested in adding telephony to your Jitsi meetings?"
             echo "      ;XMMMO'"
             echo "       lNMMWO'           Sign up on https://jaas.8x8.vc/components?host=${JVB_HOSTNAME}"
             echo "        lNMMM0,                        and follow the guide in the dev console."
-            echo "         lXMMMK:."
-            echo "          ;KMMMNKd.  'oo,"
-            echo "           'xNMMMMXkkkkOKOl'"
-            echo "             :0WMMMMMMNOkk0Kk,"
-            echo "              .cdOWMMMMMWXOkOl"
-            echo "                 .;dKWMMMMMXc."
-            echo "                    .,:cll:'"
-            echo ""
-            echo ""
+        else
+            echo "     .kMMMX;"
+            echo "      ;XMMMO'            Don't forget to sign up on"
+            echo "       lNMMWO'             https://jaas.8x8.vc/components?host=${JVB_HOSTNAME}"
+            echo "        lNMMM0,              in order to add telephony to your Jitsi meetings!"
         fi
+        echo "         lXMMMK:."
+        echo "          ;KMMMNKd.  'oo,"
+        echo "           'xNMMMMXkkkkOKOl'"
+        echo "             :0WMMMMMMNOkk0Kk,"
+        echo "              .cdOWMMMMMWXOkOl"
+        echo "                 .;dKWMMMMMXc."
+        echo "                    .,:cll:'"
+        echo ""
+        echo ""
 
         # and we're done with debconf
         db_stop

debian/jitsi-meet-web-config.templates

@@ -1,14 +1,16 @@
 Template: jitsi-meet/cert-choice
 Type: select
-__Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
+__Choices: Generate a new self-signed certificate, Let's Encrypt certificates, I want to use my own certificate
 _Description: SSL certificate for the Jitsi Meet instance
+ .
  Jitsi Meet is best to be set up with an SSL certificate.
+ .
  Having no certificate, a self-signed one will be generated.
- By choosing self-signed you will later have a chance to install Let’s Encrypt certificates.
  In the case of using a self-signed certificate, only the web app will be available with some warnings, the mobile app will not connect.
- Having a certificate signed by a recognised CA, it can be uploaded on the server
- and point its location. The default filenames will be /etc/ssl/--domain.name--.key
- for the key and /etc/ssl/--domain.name--.crt for the certificate.
+ Self-signed certificates are not supported by JaaS (Jitsi as a Service).
+ .
+ Having a certificate signed by a recognised CA, it can be uploaded on the server and point its location.
+ The default filenames will be /etc/ssl/--domain.name--.key for the key and /etc/ssl/--domain.name--.crt for the certificate.
 
 Template: jitsi-meet/cert-path-key
 Type: string
@@ -39,3 +41,13 @@ _Description: Interested in adding telephony to your Jitsi meetings?
  You need to:
   - have a certificate signed by a recognised CA or Let’s Encrypt on your deployment
   - sign in for JaaS at https://jaas.8x8.vc/components?host=${domain}
+
+Template: jitsi-meet/email
+Type: string
+_Description: Enter your email:
+ To successfully issue Let's Encrypt certificates:
+ .
+ You need a working DNS record pointing to this machine(for hostname ${domain})"
+ .
+ You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
+ by providing an email address for important account notifications

debian/po/templates.pot

@@ -20,7 +20,7 @@ msgstr ""
 #. Type: select
 #. Choices
 #: ../jitsi-meet-web-config.templates:1001
-msgid "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
+msgid "Generate a new self-signed certificate"
 msgstr ""
 
 #. Type: select