How to set up coturn with letsencrypt

Given this setup: Nginx serves a .well-known folder and listens on ports 80/443 on the server so that certificates can be exchanged with Letsencrypt. The certificates are created correctly and can be used in the aforementioned Nginx.

When trying to use the certificate with coturn:

listening-port=3478
tls-listening-port=5349
alt-listening-port=3479
alt-tls-listening-port=5350
cert=/path/to/fullchain.pem
pkey=/path/to/privkey.pem

When now trying to start coturn, it seems that it does not find / cannot load the certificates, as shown below:

WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
WARNING: cannot find private key file: /path/to/privkey.pem
WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
WARNING: cannot find certificate file: /path/to/fullchain.pem

Now I am wondering what the correct way is to set up coturn with a letsencrypt SSL chain.

Answer 1

Thanks for the question. Letsencrypt supports deploy hooks. I use one with the following.

I am using Debian 10 buster with coturn 4.5.1.1-1.1 and letsencrypt certbot 0.31.0. Assumptions:

  • coturn user: turnserver
  • coturn group: turnserver
  • letsencrypt configuration folder: /etc/letsencrypt/
  • domain: example.com
  • the coturn service can be restarted with: service coturn restart
  • coturn configuration file: /etc/turnserver.conf

If your setup differs from the assumptions above, adjust accordingly.

mkdir -p /etc/coturn/certs
chown -R turnserver:turnserver /etc/coturn/
chmod -R 700 /etc/coturn/
nano /etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh
chmod 700 /etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh

coturn-certbot-deploy.sh, adapted for coturn from the example on the linked letsencrypt page:

#!/bin/sh

set -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        example.com)
                daemon_cert_root=/etc/coturn/certs

                # Make sure the certificate and private key files are
                # never world readable, even just for an instant while
                # we're copying them into daemon_cert_root.
                umask 077

                cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.cert"
                cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"

                # Apply the proper file ownership and permissions for
                # the daemon to read its certificate and key.
                chown turnserver "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"
                chmod 400 "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"

                service coturn restart >/dev/null
                ;;
        esac
done

You need to change the domain example.com in the file above to your own domain.

Edit the certificate file locations in the coturn configuration file:

nano /etc/turnserver.conf

For the domain example.com, use these lines:

...
cert=/etc/coturn/certs/example.com.cert
...
pkey=/etc/coturn/certs/example.com.key
...

I can test renewal of all certificates with the following command:

certbot renew --force-renewal

Or with this command for the given domain only:

certbot certonly --force-renewal -d example.com

My coturn log no longer shows the following lines:

0: WARNING: cannot find certificate file: /etc/letsencrypt/live/example.com/fullchain.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: WARNING: cannot find private key file: /etc/letsencrypt/live/example.com/privkey.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly

Instead, I get the following nice output:

...
0: ...: Certificate file found: /etc/coturn/certs/example.com.cert
0: ...: Private key file found: /etc/coturn/certs/example.com.key
...

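As an added example (not the answer's own hook, and not code from coturn or certbot), the same deploy step factored into a function that can be tried on a scratch directory. Beyond what the hook above does, it refuses to install a certificate whose public key does not match the private key (so a bad copy never takes the TLS listener down on restart), and it stages the copies under temporary names before renaming them into place. The lineage, destination, domain and owner arguments and the deploy_hook_main wrapper are assumptions for illustration; RENEWED_DOMAINS and RENEWED_LINEAGE are the variables certbot exports to deploy hooks.

```sh
#!/bin/sh
# Added example, not the original hook. Assumes the lineage directory holds
# fullchain.pem and privkey.pem, as certbot's $RENEWED_LINEAGE does.
set -u

# deploy_coturn_certs LINEAGE_DIR DEST_DIR DOMAIN OWNER
# Installs DEST_DIR/DOMAIN.cert and DEST_DIR/DOMAIN.key, mode 400, owned by
# OWNER. Returns 0 on success and 1 (installing nothing) on any failure.
deploy_coturn_certs() {
    lineage="$1"; dest="$2"; domain="$3"; owner="$4"
    cert="$dest/$domain.cert"
    key="$dest/$domain.key"

    [ -r "$lineage/fullchain.pem" ] || { echo "missing fullchain.pem in $lineage" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "missing privkey.pem in $lineage" >&2; return 1; }

    # Never let the copies (or the directory) be world readable, even transiently.
    umask 077
    mkdir -p "$dest" || return 1

    # Stage under temporary names; the final rename is atomic, so a concurrent
    # restart of coturn never reads a half-written file.
    cp "$lineage/fullchain.pem" "$cert.tmp" || return 1
    cp "$lineage/privkey.pem"   "$key.tmp"  || return 1

    # Refuse a mismatched pair: the public key of the leaf certificate (first
    # PEM block of fullchain.pem) must equal the one derived from the key.
    # Skipped when openssl is not installed.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert.tmp" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key.tmp" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "certificate and private key do not match; not deploying" >&2
            rm -f "$cert.tmp" "$key.tmp"
            return 1
        fi
    fi

    chown "$owner" "$cert.tmp" "$key.tmp" || return 1
    chmod 400 "$cert.tmp" "$key.tmp" || return 1
    mv -f "$cert.tmp" "$cert" && mv -f "$key.tmp" "$key"
}

# file_mode PATH: prints the octal permission bits, e.g. 400 (GNU or BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Hypothetical hook entry point: restart coturn only if the install succeeded.
deploy_hook_main() {
    for domain in ${RENEWED_DOMAINS:-}; do
        case $domain in
        example.com)
            deploy_coturn_certs "$RENEWED_LINEAGE" /etc/coturn/certs "$domain" turnserver \
                && service coturn restart >/dev/null
            ;;
        esac
    done
}
```

A hook script placed in /etc/letsencrypt/renewal-hooks/deploy/ would end with a call to deploy_hook_main. The key/certificate comparison works for both RSA and ECDSA lineages, because both commands print the SubjectPublicKeyInfo in PEM form.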