Installation

The required packages for Kopano Meet are available for the following distributions (some more distributions may be available through the Kopano nightly downloads):

  • Debian 9.0
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Univention >=4.3 (through the Kopano Meet app)

Note

Support for rpm based distributions such as SLES 12, SLES 15 and RHEL 7 will be added later on. Some of the components of Meet rely on the availability of Python 3, and therefore we cannot deliver these packages at the moment.

Note

The below instructions do not apply when installing Meet through the Univention Appcenter.

System requirements

  • Kopano Groupware Core >=8.7.0

Installation

The packages can either be retrieved from the Kopano package repository (available only to customers with a valid Kopano subscription) or downloaded as an archive including the latest development versions from the Kopano Community downloads. The following chapter will explain the installation through the Kopano package repository.

Configuring the Kopano package repositories

The package repository can be accessed either with a combination of username & password (an account can be registered at the Kopano Portal) or with the username serial and your Kopano serial (e.g. Z...) as the password.

The repository url to be used depends on the release type (final releases and pre-final releases, e.g. beta or rc versions) and the Linux distribution. It is recommended to visit https://download.kopano.io/supported/meet:/ with a web browser, navigate to the desired release type and distribution, and copy the url. For the final release channel and Ubuntu 18.04 the url will for example be https://download.kopano.io/supported/meet:/final/Ubuntu_18.04/.

Adding the repository for Ubuntu 18.04:

URL=https://meetserial:your-serial@download.kopano.io/supported/meet:/final/Ubuntu_18.04/
echo "deb $URL /" >> /etc/apt/sources.list.d/kopano-meet.list
curl "${URL}Release.key" | apt-key add -
apt update

Customers that have purchased a Meet subscription key use the username “meetserial” and their subscription key as the password. Customers who have also purchased another Kopano product can use “serial” as the username and their subscription key as the password.

See the Kopano Core Administrator Manual for more information about our package repositories.
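The commands above place the serial inside the sources list file, which is normally world-readable. As an added example (not part of the Kopano manual), the function below keeps the serial in an apt auth.conf.d file with mode 0600 and leaves only the bare URL in the list file. It assumes apt 1.5 or newer (as shipped with Ubuntu 18.04); the ROOT prefix argument, the function name and the file name kopano-meet.conf are choices made for this example.

```sh
# write_kopano_repo ROOT USER: read the serial from stdin and write
#   ROOT/etc/apt/auth.conf.d/kopano-meet.conf    (mode 0600, holds the secret)
#   ROOT/etc/apt/sources.list.d/kopano-meet.list (mode 0644, bare URL only)
# ROOT is a prefix introduced for this example so it can be tried in a
# scratch directory; pass / when running as root on the real system.
write_kopano_repo() {
    root=$1 user=$2
    host=download.kopano.io
    url="https://$host/supported/meet:/final/Ubuntu_18.04/"
    auth="$root/etc/apt/auth.conf.d/kopano-meet.conf"
    list="$root/etc/apt/sources.list.d/kopano-meet.list"

    # Reading from stdin keeps the serial out of argv and shell history.
    IFS= read -r serial
    [ -n "$serial" ] || return 1
    mkdir -p "${auth%/*}" "${list%/*}" || return 1

    # Create the file empty with 0600 first, then fill it, so the secret is
    # never on disk with wider permissions.
    ( umask 077; : > "$auth" ) && chmod 600 "$auth" || return 1
    printf 'machine %s login %s password %s\n' "$host" "$user" "$serial" > "$auth"

    printf 'deb %s /\n' "$url" > "$list" && chmod 644 "$list"
}

# On the real system (as root) the same file also serves curl for the key:
#   write_kopano_repo / meetserial      # then type or pipe the serial
#   curl --netrc-file /etc/apt/auth.conf.d/kopano-meet.conf \
#       https://download.kopano.io/supported/meet:/final/Ubuntu_18.04/Release.key | apt-key add -
#   apt update
```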

Installing Meet and its dependencies

After the repository has been added Meet can be installed by retrieving the kopano-meet-packages meta package with your package manager.

Installing packages on Ubuntu 18.04:

apt install kopano-meet-packages

Configuring Kopano Meet and its dependencies

To get started with Kopano Meet, a couple of extra services need to be configured. All required configuration for them can be seen further down in this manual. For more information about individual configuration please check the corresponding manual.

  • Your webserver (we recommend to use kopano-kwebd) provides both external access and helps the individual services talk with each other
  • Kopano Konnect manages authentication and authorisation for Meet through OpenID Connect
  • Kopano API (together with the kopano-grapi package) provides data access to the users address book via a REST API
  • Kopano Web Meeting Server provides the signaling server for the WebRTC connections
  • Kopano Meet webapp provides the files for the user facing part of Kopano Meet
  • Kopano Server needs to be configured to support login via Konnect

The webserver (as well as the SSL certificate it uses) plays an important role in this setup, since the individual services need to be able to talk with each other over http(s). For this, the hostname needs to resolve to the local system (and must not be localhost), and the SSL certificate needs to be trusted by the local system.

Webserver configuration

The preferred and fully supported way to install Kopano Meet is by utilising the new “Kopano Web” server. This webserver will automatically create a secure (SSL via Let’s Encrypt) and performant setup for most scenarios. For special environments it is also possible to use another webserver like Nginx or Apache. For such environments, configuration examples have been added below. Using Kopano Meet with Apache, Nginx or another webserver only has limited support coverage.

Kopano Web

Using Kopano Web is the recommended way to run Kopano Meet. Kopano Web is a minimal self-contained webserver. Apart from drastically reducing complexity for the initial configuration, it also improves security by automatically handling SSL/TLS certificates and managing security and performance related webserver settings (like HSTS, HTTP/2).

When installing Meet via the kopano-meet-packages meta package, Kopano Web is already installed and just needs to be configured and started.

Configuration is done through /etc/kopano/kwebd.cfg. In a minimal setup the only values that need to be modified are hostname (which needs to match the hostname the system should be accessible from) and tls_acme_email, which needs to be a valid email address. This email address is required by Let’s Encrypt for the creation of your personal SSL certificate.

systemctl enable kopano-kwebd
systemctl start kopano-kwebd

I already have a valid SSL certificate that I want to use for Kopano Web

Kopano Web can easily be configured to use a pre-existing ssl certificate by configuring the options tls_cert and tls_key within /etc/kopano/kwebd.cfg. As Kopano Web by default runs as the user and group www-data you have to make sure that this user can read these files.

# TLS certificate bundle.
# Path to a TLS certificate bundle (concatenation of the server's certificate
# followed by the CA's certificate chain). If set, the TLS listener will use
# that certificate instead of trying automatic TLS.
#tls_cert =

# TLS private key.
# Path to the server's private key file which matches the certificate bundle. It
# must match the certificate in tls_cert.
#tls_key =

I have only one public IP, how can I integrate Kopano Web with my existing Apache/Nginx setup?

Kopano Web has a special mode, where it can proxy requests to /webapp/, /Microsoft-Server-ActiveSync and /AutoDiscover/AutoDiscover.xml to another webserver.

# Legacy support.
# To make integration into existing environments easier kwebd can act as a
# reverse proxy to allow serving requests Kopano WebApp and Z-Push running e.g.
# in Apache or Nginx. Set the address to the legacy web server here. Not set by
# default.
#legacy_reverse_proxy = 127.0.0.1:8000

Nginx

Outside of the server block:

upstream konnect {
        server 127.0.0.1:8777;
}

upstream kapi {
        server 127.0.0.1:8039;
}

upstream kwmserver {
        server 127.0.0.1:8778;
}

Inside the server block:

location /.well-known/openid-configuration {
        proxy_pass http://konnect/.well-known/openid-configuration;
}

location /konnect/v1/jwks.json {
        proxy_pass http://konnect/konnect/v1/jwks.json;
}

location /konnect/v1/token {
        proxy_pass http://konnect/konnect/v1/token;
}

location /konnect/v1/userinfo {
        proxy_pass http://konnect/konnect/v1/userinfo;
}

location /konnect/v1/static {
        proxy_pass http://konnect/konnect/v1/static;
}

location /konnect/v1/session {
        proxy_pass http://konnect/konnect/v1/session;
}

location /signin/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://konnect/signin/;
}

location /api/gc/ {
        proxy_pass http://kapi/api/gc/;
}

# kapi pubs
location /api/pubs/ {
        proxy_pass http://kapi/api/pubs/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
}

# disable caching for the service-worker
location /meet/service-worker.js {
        expires -1;
}

location /meet {
        rewrite ^/meet/r/(.*)$ /meet last;
        alias /usr/share/kopano-meet/meet-webapp;
}

location /api/config/v1/kopano/meet/config.json {
        # When using default values this setting can be kept as it is
        # please adapt the next line and copy config.json to
        # /etc/kopano if user modifications are needed
        alias /usr/share/doc/kopano-meet-webapp/config.json.in;
}

location /api/v1/websocket/ {
        proxy_pass http://kwmserver/api/v1/websocket/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
}

location /api/v1/ {
        proxy_pass http://kwmserver/api/v1/;
}

location /api/kwm/v2/ {
        proxy_pass http://kwmserver/api/kwm/v2/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
}

location /api/kvs/v1/ {
        proxy_pass http://kapi/api/kvs/v1/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
}
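For a prefix location, nginx replaces the matched location prefix with the URI part of proxy_pass, so the two have to agree on the trailing slash or the upstream receives a mangled path. The lint below is an added example, not part of the Kopano manual; the function names and the sample configuration are constructed, and it assumes each location and proxy_pass directive sits on its own line as in the configuration above.

```sh
# Constructed sample: the second location disagrees with its proxy_pass URI.
sample_conf() {
cat <<'EOF'
location /api/gc/ {
        proxy_pass http://kapi/api/gc/;
}
location /api/pubs/ {
        proxy_pass http://kapi/api/pubs;
}
location /konnect/v1/token {
        proxy_pass http://konnect/konnect/v1/token;
}
EOF
}

# lint_proxy_pass FILE: report every prefix location whose proxy_pass URI
# differs in its trailing slash, and show how a request would be rewritten.
# Exit status is 1 when at least one mismatch was found.
lint_proxy_pass() {
    awk '
        $1 == "location" {
            loc = ($2 == "=" || $2 == "^~") ? $3 : $2
            if ($2 ~ /^~/) loc = ""             # regex location: no prefix replacement
        }
        $1 == "proxy_pass" && loc != "" {
            uri = $2; sub(";$", "", uri)
            sub("^https?://[^/]*", "", uri)     # strip scheme and upstream name
            if (uri == "") next                 # no URI part: path is passed unchanged
            if ((loc ~ "/$") != (uri ~ "/$")) {
                tail = (loc ~ "/$") ? "x" : "/x"
                printf "%s: %s%s is sent upstream as %s%s\n", loc, loc, tail, uri, tail
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}
```

Run it as lint_proxy_pass /path/to/your/server-block.conf before reloading nginx.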

Kopano configuration

The list below shows the required configuration changes and the files that need to be updated. No changes are listed for grapi.cfg.

  • enable_sso (server.cfg): yes
  • kcoidc_issuer_identifier (server.cfg): public base url of Konnect, e.g. https://kopano.domain.com, without a trailing slash (/)
  • oidc_issuer_identifier (kapid.cfg, konnectd.cfg, kwmserverd.cfg): same value as kcoidc_issuer_identifier
  • turn_uris (kwmserverd.cfg): Turn server to be used
  • turn_server_shared_secret (kwmserverd.cfg): Shared secret with Turn server

In addition to this, kopano-kapid, kopano-konnectd and kopano-kwmserverd each need individual key files to operate securely. These are generated automatically when the services start for the first time through systemd (by calling each service with a setup argument).

systemctl enable kopano-konnectd kopano-kapid kopano-grapi kopano-kwmserverd kopano-kwebd
systemctl start kopano-konnectd kopano-kapid kopano-grapi kopano-kwmserverd kopano-kwebd
systemctl restart kopano-server
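A consistency check for the issuer settings above, as an added example that is not part of the Kopano manual. It assumes the cfg files use plain key = value lines and that oidc_issuer_identifier is set in kapid.cfg, konnectd.cfg and kwmserverd.cfg; the function names and the sample values are constructed.

```sh
# cfg_get FILE KEY: print the value of the last uncommented "KEY = value" line.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Constructed sample (not real configuration): kapid.cfg has a trailing slash.
make_sample() {
    printf 'enable_sso = yes\nkcoidc_issuer_identifier = https://kopano.example.com\n' \
        > "$1/server.cfg"
    for f in konnectd.cfg kwmserverd.cfg; do
        printf '#oidc_issuer_identifier =\noidc_issuer_identifier = https://kopano.example.com\n' \
            > "$1/$f"
    done
    printf 'oidc_issuer_identifier = https://kopano.example.com/\n' > "$1/kapid.cfg"
}

# check_issuer DIR: DIR holds server.cfg, kapid.cfg, konnectd.cfg and
# kwmserverd.cfg. Prints one line per problem and returns 1 if any was found.
check_issuer() {
    dir=$1 rc=0
    issuer=$(cfg_get "$dir/server.cfg" kcoidc_issuer_identifier)
    case $issuer in
        "")  echo "server.cfg: kcoidc_issuer_identifier is not set"; rc=1 ;;
        */)  echo "server.cfg: kcoidc_issuer_identifier ends with a slash"; rc=1 ;;
    esac
    [ "$(cfg_get "$dir/server.cfg" enable_sso)" = yes ] ||
        { echo "server.cfg: enable_sso is not yes"; rc=1; }
    for f in kapid.cfg konnectd.cfg kwmserverd.cfg; do
        v=$(cfg_get "$dir/$f" oidc_issuer_identifier)
        [ "$v" = "$issuer" ] ||
            { echo "$f: oidc_issuer_identifier '$v' differs from server.cfg"; rc=1; }
    done
    return $rc
}
```

On an installed system, run check_issuer /etc/kopano before restarting the services.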

Using Meet

After Kopano Meet has been set up you can navigate to https://your-domain/meet to use the Meet web client.

Debugging

The following things should be checked in case you run into errors. The individual services by default log to journald.

  • check logging of kopano-grapi
  • check logging of kopano-kapid
  • check logging of kopano-konnectd
  • check logging of kopano-kwmserverd
  • check the dev tools in your browser (JavaScript console and Network tab)