Issue with TLS Configuration for Jitsi Meet Docker Self-Hosting #1987

Open
HamzaGbada opened this issue Dec 27, 2024 · 3 comments
Comments

@HamzaGbada

Hello,

I am trying to self-host Jitsi Meet using Docker with TLS configuration via Let's Encrypt, but I am encountering issues when the default ports (80 and 443) are already in use on my server.

Problem:

The Jitsi configuration guide recommends setting the following:

  • HTTP_PORT=80
  • HTTPS_PORT=443
  • PUBLIC_URL to my domain.

However, the ports 80 and 443 are already in use on my server. I attempted to modify the ports in the .env file to 8005 for HTTP and 8443 for HTTPS, but the configuration does not work as expected.

Steps to Reproduce:

  1. Set HTTP_PORT=8005 and HTTPS_PORT=8443 in the .env file.
  2. Set ENABLE_LETSENCRYPT=1 and LETSENCRYPT_DOMAIN=meet.example.com.
  3. Run the Docker container.
  4. I cannot join a room when I click the Join room button; see the figure below.

[screenshot attached to the original issue; not reproduced here]

@damencho
Member

You cannot use custom ports with Let's Encrypt:
https://letsencrypt.org/docs/challenge-types/#http-01-challenge

> Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).
>
> The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

@saghul
Member

saghul commented Dec 27, 2024

You could perform the TLS termination on your existing web server and proxy to localhost over plain HTTP.
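The arrangement the two replies above describe, as an added example that is not part of this issue or of the docker-jitsi-meet project: the web server that already owns ports 80 and 443 answers the Let's Encrypt HTTP-01 challenge on port 80 (the only port the ACME standard allows for it), terminates TLS on 443, and forwards to the Jitsi web container over plain HTTP on loopback. It assumes nginx as the existing server, the container's HTTP port published only on 127.0.0.1:8005, a .env with ENABLE_LETSENCRYPT=0, DISABLE_HTTPS=1, HTTP_PORT=8005 and PUBLIC_URL=https://meet.example.com, and a certbot webroot under /var/www/acme; the hostname, paths and certificate locations are placeholders.

```nginx
# Added example, not code from the issue or from docker-jitsi-meet.
# Assumptions: nginx is the host's existing web server; the Jitsi web
# container is published on 127.0.0.1:8005 only; .env carries
# ENABLE_LETSENCRYPT=0, DISABLE_HTTPS=1, HTTP_PORT=8005 and
# PUBLIC_URL=https://meet.example.com; certbot runs in webroot mode
# against /var/www/acme. Hostname and paths are placeholders.

# WebSocket upgrade: pass "upgrade" through, close if the client sent none.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name meet.example.com;

    # HTTP-01 must be answered on port 80; ACME allows no other port.
    # certbot --webroot -w /var/www/acme -d meet.example.com writes the
    # token files here. This is the only path served over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # Everything else is redirected to 443, which the Let's Encrypt
    # validator also accepts as a redirect target.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name meet.example.com;

    ssl_certificate     /etc/letsencrypt/live/meet.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meet.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Plaintext hop to the container. The upstream is loopback only; if
    # 8005 were published on a public interface it would bypass TLS.
    location / {
        proxy_pass http://127.0.0.1:8005;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # XMPP over WebSocket and the Colibri (JVB) WebSocket both need
        # the Upgrade/Connection headers forwarded to the container.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Long-lived signaling connections; do not buffer them.
        proxy_read_timeout 3600s;
        proxy_buffering off;
    }
}
```

Because the upstream hop is plaintext, port 8005 must not be reachable from outside the host: publishing it as 127.0.0.1:8005:80 in the compose port mapping, or a host firewall rule, keeps it on loopback. The proxy only carries the web and signaling traffic; media goes directly to the JVB over UDP (port 10000 by default), which nginx does not proxy, so that port still has to be reachable and advertised with the host's public address.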

@HamzaGbada
Author

> You cannot use custom ports with Let's Encrypt: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
>
> Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).
>
> The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

@damencho Thank you for the explanation.

> You could perform the TLS termination on your existing web server and proxy to localhost over plain HTTP.

@saghul I will try it.
