Apt full-upgrade broke jitsi-meet setup (SSL certificate problem?)


Yesterday, an unfortunate “apt full-upgrade” broke our Jitsi-meet server running Debian 10 and Apache2. I suspect an SSL certificate issue (see prosody.err, systemctl status prosody and /etc/prosody/conf.avail/meet.example.com.cfg.lua).

A user can create a call, but when another user joins, the first user gets disconnected and gets a message “Unfortunately something went wrong we’re trying to fix this” with a reconnect countdown. The second user is unaware of this. He just pops up in a call alone like he was the creator. Then, if the first user tries to reconnect, the second user gets kicked out in his turn.

Until disconnection, the user connection is established with the right SSL certificate, created many months ago and renewed a long time before the Jitsi upgrade.

The upgrade installed a “jitsi-videobridge2” package with no interaction.

Here are some pastebins. Server FQDN is “example.com”:

Because new users on this Discourse instance cannot post more than two links, I prepared a pastebin link with all pastebin links to:

  • Browser console
  • /var/log/prosody/prosody.log
  • /var/log/prosody/prosody.err
  • /var/log/jitsi/jvb.log
  • /var/log/jitsi/jicofo.log
  • /etc/prosody/conf.avail/meet.example.com.cfg.lua
  • prosodyctl check
  • systemctl status prosody
  • systemctl
  • journalctl -e -u jitsi-videobridge2

Sorry about that.

Your help would be much appreciated.

I only started playing with jitsi a couple of days ago, so take this with a grain of salt. The ssl error in prosody.err is harmless (I think): I see it too and my setup is working.
For an unrelated problem I had to purge and reinstall everything from scratch. After that the configuration generated worked right out of the box, so I can only suggest you try an apt remove --purge of all jitsi packages and then an apt install (but keep a copy of your current configuration).
Maybe it’s poor advice, I don’t know.

Do you have a firewall blocking requests to localhost port 5222?
Is prosody listening there?
JVB tries to connect to prosody port 5222 on localhost and does not get any response.

No, our firewall doesn’t block connections to localhost. We solved the problem by configuring correct SSL keys for our domain name. For some reason, the upgrade script didn’t detect them or ask for them. Do you know if this is bad luck or a recurrent issue with the last release?
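
The two checks discussed in this thread, as an added example (not code from any poster or from the Jitsi project): do the key and certificate files named in the Prosody vhost config exist and are they readable, and does anything answer on localhost port 5222. It assumes the vhost file uses Prosody's `ssl = { key = ...; certificate = ...; }` form; the sample config and its paths are constructed, and the function names are hypothetical.

```python
import os
import re
import socket

# Matches key = "..." / certificate = "..." lines in a Prosody config (Lua syntax).
SSL_PATH_RE = re.compile(r'^\s*(key|certificate)\s*=\s*"([^"]+)"', re.MULTILINE)

def ssl_paths(config_text):
    """Return [(option, path), ...], ignoring Lua line comments (-- ...)."""
    active = "\n".join(l.split("--", 1)[0] for l in config_text.splitlines())
    return SSL_PATH_RE.findall(active)

def check_ssl_files(config_text):
    """Return a list of problems with the key/certificate files referenced."""
    found = ssl_paths(config_text)
    problems = [] if found else ["no key/certificate paths configured"]
    for option, path in found:
        if not os.path.isfile(path):
            problems.append(f"{option}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{option}: {path} is not readable by this user")
        elif os.path.getsize(path) == 0:
            problems.append(f"{option}: {path} is empty")
    return problems

def port_answers(host="127.0.0.1", port=5222, timeout=2.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample of the ssl block in a Prosody vhost file (paths are assumptions).
SAMPLE_CONFIG = '''
VirtualHost "meet.example.com"
    ssl = {
        key = "/etc/prosody/certs/meet.example.com.key";
        certificate = "/etc/prosody/certs/meet.example.com.crt";
    }
    -- key = "/etc/prosody/certs/old.key";
'''

if __name__ == "__main__":
    for problem in check_ssl_files(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
    print("port 5222 on localhost answering:", port_answers())
```

Run it as the prosody user (for example with `sudo -u prosody`) against the real config text, since root can read files that the prosody service cannot.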