freedomofpress / ansible-role-jitsi-meet

Installs the Jitsi Meet open source videoconferencing software

Manage multiple sets of SSL certs #11

Closed conorsch closed 8 years ago

conorsch commented 8 years ago

The prosody service generates SSL certs and stores them in /var/lib/prosody. The jitsi-meet deb package will create a separate self-signed SSL keypair for the Nginx config. The role allows the Nginx keypair to be overridden with prod SSL certs, but what about the prosody certs? Should we regenerate them? Should we replace them with the prod SSL certs?

ageis commented 8 years ago

Nginx SSL configuration may use the self-signed Prosody cert. Today, jitsi_meet_ssl_cert_path and jitsi_meet_ssl_key_path on our live deployment of this role were pointing to the localhost SSL cert in /var/lib/prosody/, so the Nginx configuration was not valid for normal browsers.

If I understand it correctly, the role apparently re-uses the self-signed cert generated by Prosody if those vars are not set. It seems we made that choice because we don't need to have multiple SSL certs for the individual components if one can be reused (per the original post), but I'm not totally sure of the details of how it happened, so I'm tagging @conorsch. The playbook does reference the correct vars, so it could've been a user error. The live configuration is fixed for the moment, so I'll return to this issue later.
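A pre-deployment check for the misconfiguration described in this thread (the Nginx cert vars pointing at the Prosody localhost cert), written in Go as an added example; it is not part of this role or of Jitsi Meet. It assumes the certificate is available as PEM bytes, and `selfSignedFor` builds a constructed self-signed localhost cert standing in for the real one under /var/lib/prosody.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// CheckServerCert returns the reasons a PEM certificate is unusable for the public
// Nginx vhost on host. The Prosody cert is self-signed and names only localhost.
func CheckServerCert(pemBytes []byte, host string) []string {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return []string{"no PEM block found"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"unparseable certificate: " + err.Error()}
	}
	var problems []string
	if string(cert.RawIssuer) == string(cert.RawSubject) {
		problems = append(problems, "self-signed (issuer DN == subject DN): browsers will not trust it")
	}
	if err := cert.VerifyHostname(host); err != nil {
		problems = append(problems, "not valid for "+host+": "+err.Error())
	}
	return problems
}

// selfSignedFor is a constructed stand-in for the localhost cert Prosody writes
// under /var/lib/prosody; it is not output of Prosody or of the role.
func selfSignedFor(name string) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running `CheckServerCert` on the file named by `jitsi_meet_ssl_cert_path` against the public hostname, before Nginx is restarted, would have flagged the localhost cert on both counts.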