Can not connect from jicofo server to (prosody & jvb server)


#1

Hi team,
I installed prosody & video bridge on a server, jicofo on a server.
When I configure jicofo to connect to the jvb server, it fails with the error log below.
Please review and help me fix it.
The log file, jicofo config, and prosody config are below.

Thanks,
----------------------jicofo log----------------------------
Jicofo 2018-10-05 16:39:45.764 WARNING: [205] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1067)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:994)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1010)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 19 more

--------------------------------------jicofo config---------------------------------------
root@ip-172-31-32-245:/etc/jitsi/jicofo# more config

# Jitsi Conference Focus settings

# sets the host name of the XMPP server
JICOFO_HOST=prosody.meet24.covavi.vn

# sets the XMPP domain (default: none)
JICOFO_HOSTNAME=meet24.covavi.vn

# sets the secret used to authenticate as an XMPP component
JICOFO_SECRET=ZBh@0QDk

# sets the port to use for the XMPP component connection
JICOFO_PORT=5347

# sets the XMPP domain name to use for XMPP user logins
JICOFO_AUTH_DOMAIN=auth.meet24.covavi.vn

# sets the username to use for XMPP user logins
JICOFO_AUTH_USER=focus

# sets the password to use for XMPP user logins
#JICOFO_AUTH_PASSWORD=qa@r3mPt
JICOFO_AUTH_PASSWORD=QuyetNC

# extra options to pass to the jicofo daemon
JICOFO_OPTS=""

# adds java system props that are passed to jicofo (default are for home and logging config file)
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"
root@ip-172-31-32-245:/etc/jitsi/jicofo#

--------------------------------------prosody config----------------------------
root@ip-172-31-40-185:/etc/prosody/conf.avail# more meet24.covavi.vn.cfg.lua
-- Section for example.com

VirtualHost "meet24.covavi.vn"
    --enabled = false -- Remove this line to enable this host
    authentication = "anonymous"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meet24.covavi.vn.key";
        certificate = "/etc/prosody/certs/meet24.covavi.vn.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
    }
    c2s_require_encryption = false

VirtualHost "auth.meet24.covavi.vn"
    ssl = {
        key = "/etc/prosody/certs/auth.meet24.covavi.vn.key";
        certificate = "/etc/prosody/certs/auth.meet24.covavi.vn.crt";
    }
    authentication = "internal_plain"

admins = { "focus@auth.meet24.covavi.vn" }

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components

-- Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.meet24.covavi.vn" "muc"

Component "jitsi-videobridge.meet24.covavi.vn"
    component_secret = "kQsDRoIK"

Component "focus.meet24.covavi.vn"
    component_secret = "ZBh@0QDk"

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"

---Set up an external component (default component port is 5347)
--Component "gateway.example.com"
-- component_secret = "password"

root@ip-172-31-40-185:/etc/prosody/conf.avail#


#2

It is just that jicofo cannot connect to prosody.

There are some steps that the jitsi-meet Debian package executes when configuring, which you are missing.

https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst#L136 and the command update-ca… after that.
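
The `PKIX path building failed` error in the first post means the JVM running jicofo found no trust anchor for the certificate Prosody presented, so the trust store that decides the outcome is the one on the host making the connection. An added example, not part of the thread or of the Jitsi packages: it models that decision with `openssl verify`, using throw-away certificates and a PEM bundle constructed in a temp directory as a stand-in for the client's trust store (function and file names are hypothetical).

```shell
#!/bin/sh
# Added example: model the trust decision behind "PKIX path building failed".
# Certificates and the bundle are constructed throw-away files in a temp dir.

# trusted_by BUNDLE CERT: succeed if CERT chains to an anchor in BUNDLE.
# Match the ": OK" line rather than the exit status, which old OpenSSL
# releases left at 0 even when verification failed.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_selfsigned CN PREFIX: write PREFIX.key and PREFIX.crt, a certificate
# that is its own issuer (the kind `prosodyctl cert generate` produces).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

verdict() {
    if trusted_by "$1" "$2"; then echo trusted; else echo untrusted; fi
}

# demo: print the verdict before and after the certificate is added to the
# bundle of the host that makes the connection (here: the jicofo host).
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned meet24.covavi.vn "$d/prosody" || return 1
    make_selfsigned unrelated.example "$d/other" || return 1
    cp "$d/other.crt" "$d/client-bundle.pem"       # store that lacks the cert
    before=$(verdict "$d/client-bundle.pem" "$d/prosody.crt")
    cat "$d/prosody.crt" >> "$d/client-bundle.pem" # trust it on the client
    after=$(verdict "$d/client-bundle.pem" "$d/prosody.crt")
    rm -rf "$d"
    echo "$before $after"
}

demo
```

On Debian and Ubuntu the JVM reads its own keystore, which `update-ca-certificates` regenerates when the `ca-certificates-java` package is installed; the PEM bundle here only models that store.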


#3

Hi,
That was my config, which I ran on the prosody server. But jicofo can't connect to prosody.
I telnet to the service on the prosody server and ports 5347 and 5222 are active, but telnet from the jicofo server to prosody port 5222 is active and 5347 is refused? So interesting.
Do I have to create an OS user on the prosody server for the jicofo service (jicofo server) to connect?
It looks like the manual install wizard does not create an OS user.

Thanks,

------------------------------------Telnet service to check-----------------------------
prosody server:
ubuntu@ip-172-31-40-185:~$
ubuntu@ip-172-31-40-185:~$ telnet prosody.meet24.covavi.vn 5347
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^CConnection closed by foreign host.
ubuntu@ip-172-31-40-185:~$ telnet prosody.meet24.covavi.vn 5222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^CConnection closed by foreign host.
ubuntu@ip-172-31-40-185:~$

Jicofo server:
jicofo@ip-172-31-32-245:/etc/jitsi/jicofo$ telnet prosody.meet24.covavi.vn 5222
Trying 172.31.40.185...
Connected to jitsi-videobridge.meet24.covavi.vn.
Escape character is '^]'.
^CConnection closed by foreign host.
jicofo@ip-172-31-32-245:/etc/jitsi/jicofo$ telnet prosody.meet24.covavi.vn 5347
Trying 172.31.40.185...
telnet: Unable to connect to remote host: Connection refused
jicofo@ip-172-31-32-245:/etc/jitsi/jicofo$

----------------------------prosody server-------------------------------
prosodyctl cert generate meet24.covavi.vn
prosodyctl cert generate auth.meet24.covavi.vn

ln -sf /var/lib/prosody/meet24.covavi.vn.crt /usr/local/share/ca-certificates/meet24.covavi.vn.crt

ln -sf /var/lib/prosody/auth.meet24.covavi.vn.crt /usr/local/share/ca-certificates/auth.meet24.covavi.vn.crt
update-ca-certificates -f
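
The telnet results in the post above (5347 answers on 127.0.0.1 but is refused on 172.31.40.185, while 5222 answers on both) are what a listener bound only to loopback produces, and Prosody binds its component port to localhost unless its listening interface is configured otherwise. An added example, not part of the original post: a check that classifies a port from `ss -ltn` output; the sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify who can reach a TCP listener from `ss -ltn` output.

# listener_scope PORT: read `ss -ltn` output on stdin and print
#   loopback-only  every listener on PORT is bound to 127.0.0.0/8 or ::1
#   reachable      at least one listener accepts non-local connections
#   not-listening  nothing is bound to PORT
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)        # last colon, so IPv6 is safe
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            seen = 1
            if (host !~ /^127\./ && host != "[::1]") remote = 1
        }
        END {
            if (!seen)       print "not-listening"
            else if (remote) print "reachable"
            else             print "loopback-only"
        }'
}

# Constructed sample modelled on the thread: 5222 on all interfaces,
# 5347 on loopback only. On a live host use: ss -ltn | listener_scope 5347
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:5222      0.0.0.0:*
LISTEN 0      128             [::]:5222         [::]:*
LISTEN 0      128        127.0.0.1:5347      0.0.0.0:*
LISTEN 0      128            [::1]:5347         [::]:*
EOF
}

for p in 5222 5347; do
    echo "$p $(sample_ss | listener_scope "$p")"
done
```

If the component port is opened to a second host, bind it to the private address and restrict it by firewall to that host, because the component protocol (XEP-0114) authenticates with the shared secret but does not encrypt the stream.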



#4

I was just going through the unanswered topics here and in the issue tracker and saw you have opened so many. I have a question: is there a reason to try the manual install and skip the quick install? There are many things that can go wrong in the manual one which are handled by the debian install scripts.


#5

Hi damencho,
I know that the quick install decreases risk. But if I use the quick install of jitsi meet, all components are installed on a server. I want to install prosody + jicofo on a server, jvb on a server (possibly installing multiple jvbs), and the jitsi meet API on a server. That is my solution architecture. What do you think about that? And do you have another idea for using the quick install for a multi-server architecture?

Thanks,


#6

But it is always good to start with something working. Then stop jvb and run the one from another machine and see it is working, then add another one and see it is working, and so on and so on.
Just my opinion…


#7

Thanks for the support @damencho
I think that is a good approach. I'm trying to do that.