Few debian updates

debian/jitsi-meet-turnserver.install

@@ -1,2 +1,3 @@
-doc/debian/jitsi-meet-turn/turnserver.conf  /usr/share/jitsi-meet-turnserver/
-doc/debian/jitsi-meet/jitsi-meet.conf       /usr/share/jitsi-meet-turnserver/
+doc/debian/jitsi-meet-turn/turnserver.conf          /usr/share/jitsi-meet-turnserver/
+doc/debian/jitsi-meet/jitsi-meet.conf               /usr/share/jitsi-meet-turnserver/
+doc/debian/jitsi-meet-turn/coturn-certbot-deploy.sh /usr/share/jitsi-meet-turnserver/

doc/debian/jitsi-meet-turn/coturn-certbot-deploy.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -e
+
+COTURN_CERT_DIR="/etc/coturn/certs"
+
+# create a directory to store certs if it does not exists
+if [ ! -d "$COTURN_CERT_DIR" ]; then
+	mkdir -p /etc/coturn/certs
+	chown -R turnserver:turnserver /etc/coturn/
+	chmod -R 700 /etc/coturn/
+fi
+
+for domain in $RENEWED_DOMAINS; do
+        case $domain in
+        jitsi-meet.example.com)
+                # Make sure the certificate and private key files are
+                # never world readable, even just for an instant while
+                # we're copying them into daemon_cert_root.
+                umask 077
+
+                cp "$RENEWED_LINEAGE/fullchain.pem" "$COTURN_CERT_DIR/$domain.fullchain.pem"
+                cp "$RENEWED_LINEAGE/privkey.pem" "$COTURN_CERT_DIR/$domain.privkey.pem"
+
+                # Apply the proper file ownership and permissions for
+                # the daemon to read its certificate and key.
+                chown turnserver "$COTURN_CERT_DIR/$domain.fullchain.pem" \
+                        "$COTURN_CERT_DIR/$domain.privkey.pem"
+                chmod 400 "$COTURN_CERT_DIR/$domain.fullchain.pem" \
+                        "$COTURN_CERT_DIR/$domain.privkey.pem"
+
+                ;;
+        esac
+done
+

resources/install-letsencrypt-cert.sh

@@ -14,6 +14,8 @@ echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
 echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
 echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
 echo "- Configure and reload nginx or apache2, whichever is used"
+echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
+echo "- Add command in weekly cron job to renew certificates regularly"
 echo ""
 echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
 echo "by providing an email address for important account notifications"
@@ -40,6 +42,15 @@ CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
 
 if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
 
+    TURN_CONFIG="/etc/turnserver.conf"
+    if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
+        TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
+
+        cp /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh $TURN_HOOK
+        chmod u+x $TURN_HOOK
+        sed -i "s/jitsi-meet.example.com/$DOMAIN/g" $TURN_HOOK
+    fi
+
     ./certbot-auto certonly --noninteractive \
     --webroot --webroot-path /usr/share/jitsi-meet \
     -d $DOMAIN \
@@ -60,11 +71,10 @@ if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
     echo "service nginx reload" >> $CRON_FILE
     service nginx reload
 
-    TURN_CONFIG="/etc/turnserver.conf"
     if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
         echo "Configuring turnserver"
-        sed -i "s/cert=\/etc\/jitsi\/meet\/.*crt/cert=$CERT_CRT_ESC/g" $TURN_CONFIG
-        sed -i "s/pkey=\/etc\/jitsi\/meet\/.*key/pkey=$CERT_KEY_ESC/g" $TURN_CONFIG
+        sed -i "/^cert/c\cert=\/etc\/coturn\/certs\/$DOMAIN.fullchain.pem" $TURN_CONFIG
+        sed -i "/^pkey/c\pkey=\/etc\/coturn\/certs\/$DOMAIN.privkey.pem" $TURN_CONFIG
 
         echo "service coturn restart" >> $CRON_FILE
         service coturn restart