Certificate issues on Android App

Hello,
We have a public Jitsi Server running on nginx with a Let’s Encrypt certificate. There are no issues in any browser, but after getting a ticket from a user, we tried the Android app on multiple devices that hadn’t had it installed before, and it worked on none, immediately saying that it’s been disconnected. Different brands and different Android versions (9, 10, 11). Oddly, it works for a few colleagues, seemingly for those that had it installed for a longer time already.

Logcat from the phones shows that config.js can’t be loaded:

12-28 17:20:27.184 3212 12245 I JitsiMeetSDK: [features/app] Reloading the conference using URL: https://HOSTNAME/#config.startWithAudioMuted=true&config.startWithVideoMuted=true
12-28 17:20:27.273 3212 12245 E JitsiMeetSDK: [features/base/lib-jitsi-meet] Failed to load config from https://HOSTNAME/config.js Error(Error){"message":"SyntaxError: unterminated statement (line 1211)","code":"EUNSPECIFIED","stack":"index.android.bundle:31:1111\nindex.android.bundle:1234:347\ny@index.android.bundle:115:587\nindex.android.bundle:115:1890\ny@index.android.bundle:115:587\no@index.android.bundle:115:1066\nindex.android.bundle:115:1209\nf@index.android.bundle:111:155\nindex.android.bundle:111:882\ny@index.android.bundle:117:661\nC@index.android.bundle:117:1025\ncallImmediates@index.android.bundle:117:3100\ncallImmediates@[native code]\nvalue@index.android.bundle:40:3247\nindex.android.bundle:40:1283\nvalue@index.android.bundle:40:2939\nvalue@index.android.bundle:40:1253\nvalue@[native code]\nvalue@[native code]"}

So I tried curling the config, which shows a certificate error:

* Trying XXX:443...
* TCP_NODELAY set
* Connected to HOSTNAME (XXX) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /system/etc/security/cacerts
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired

Disabling the verification with -k is working, and from all other servers it also works fine WITH verification.
I read about the issue with the expired Let’s Encrypt Root CA, but our cert is a new one without that expired one in the chain, and I even renewed it again today hoping it’d help, but unfortunately not. Neither any browser (including on Android) nor multiple SSL checkers report any issue with the cert.

Any help would be appreciated as I’m really stuck now.

Pretty sure that you pointed nginx only to the server certificate. You want the fullchain.pem instead as this describes the complete chain of trust and is basically a bundle of CA+intermediate+server certificate.

And here is a tool to validate your server:

https://whatsmychaincert.com/

Nope, the config is pointed to the fullchain.pem already and whatsmychaincert also says that the chain is correct.

Are you sure that your config is valid?

Oh no, I didn’t catch that. This line contains a workaround to fix the problem of joining muted by default not working anymore. However, this is a different issue, because when removing it, there’s still a connection error, and according to a user it hasn’t been working for months, while the workaround was only added 3 weeks ago.

12-29 16:11:05.714 22021 22079 E JitsiMeetSDK: [features/base/lib-jitsi-meet] Failed to load config from https://jitsi.ikarus.at/config.js Error(TypeError){"message":"Network request failed","stack":"onerror@index.android.bundle:137:7285\ndispatchEvent@index.android.bundle:128:5676\nvalue@index.android.bundle:123:8035\nvalue@index.android.bundle:123:4775\nvalue@index.android.bundle:53:1280\nvalue@index.android.bundle:40:3685\nindex.android.bundle:40:841\nvalue@index.android.bundle:40:2939\nvalue@index.android.bundle:40:813\nvalue@[native code]"}

It can be correct and yet not trusted by old Android clients. Check that you have in the chain 2 certificates with CN = ISRG Root X1, one self-signed and one signed by Digital signature.

Incompatibility issues should only happen on Android 7 and below, no? I tried it on Android 9, 10, and 11, with some hardware not even being a year old :confused: By the way, a colleague who had a working app reinstalled it and after that, it didn’t work anymore either - there must have been something in the cache.

This is my chain tested by ssllabs, and I’m a bit confused about the expired cert appearing there, but I can’t figure out what to do about it. Below is the chain as it’s displayed in browsers.

[image: SSL Labs chain report]

[image: chain as displayed in browsers]

It’s here for a reason, see this link. Your expired certificate is at the top of the schema; it’s not necessary for Mozilla, it’s necessary for old Android devices. Now this stuff is a bit tortuous, and I have found that for a Microsoft IIS server it’s mostly failing to ensure compatibility - I guess it’s confused by the 2 certification paths. Now I’d not bet against faulty Android devices on similar lines of not taking the ‘right’ path - after all, these things are almost all produced by third parties, not Google.
FTR, with my IIS problem I have given up on Let’s Encrypt and got a certificate from ZeroSSL. Same cost, less hassle. Maybe you could give it a try.
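The two trust paths that the replies above (the "two certificates with CN = ISRG Root X1" advice and the "expired certificate is there for old Android" explanation) refer to, demonstrated with a toy PKI. This is an added example, not code from the thread, from Jitsi or from Let's Encrypt, and it uses only Go's standard library. Every certificate is generated on the fly and the host name jitsi.example is hypothetical; only the names mirror the real hierarchy: the self-signed ISRG Root X1 that newer trust stores carry, its cross-signed twin issued by DST Root CA X3 (which expired on 30 September 2021) that Let's Encrypt shipped in fullchain.pem for the benefit of old Android clients, and the R3 intermediate. Describe shows what a bundle carries, and Verify runs the same chain against a store that knows only ISRG Root X1 and against one that knows only DST Root CA X3, both at the thread's date and at a date before the expiry. Go's verifier, like the curl run in the first post, enforces the validity period of the trust anchor itself, so the cross-signed path ends in "certificate has expired"; Android's system store intentionally does not enforce the expiry of its trust anchors, which is why browsers on the same phones accept the chain. Note that the expired certificate is never part of the served bundle: it is the anchor at the end of the second path that SSL Labs displays.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Every certificate here is constructed for this example; none is real.
var (
	validTo   = time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	DSTExpiry = time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC) // the real DST Root CA X3 expired then
	Now       = time.Date(2021, 12, 29, 12, 0, 0, 0, time.UTC) // pinned to the thread's date
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for cn with signer's key; parent == nil means self-signed.
func issue(cn string, ca bool, notAfter time.Time, pub *ecdsa.PublicKey,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter,
		IsCA: ca, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der) // re-parse so MaxPathLen etc. look like a real cert
	must(err)
	return cert
}

// ToyPKI: "ISRG Root X1" exists twice with the same key, self-signed and cross-signed by DST.
type ToyPKI struct{ DST, ISRGSelf, ISRGCross, R3, Leaf *x509.Certificate }

func BuildToyPKI() ToyPKI {
	key := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		must(err)
		return k
	}
	dstKey, isrgKey, r3Key, leafKey := key(), key(), key(), key()
	dst := issue("DST Root CA X3", true, DSTExpiry, &dstKey.PublicKey, nil, dstKey)
	isrgSelf := issue("ISRG Root X1", true, validTo, &isrgKey.PublicKey, nil, isrgKey)
	isrgCross := issue("ISRG Root X1", true, validTo, &isrgKey.PublicKey, dst, dstKey)
	r3 := issue("R3", true, validTo, &r3Key.PublicKey, isrgSelf, isrgKey)
	leaf := issue("jitsi.example", false, validTo, &leafKey.PublicKey, r3, r3Key) // hypothetical host
	return ToyPKI{dst, isrgSelf, isrgCross, r3, leaf}
}

// Describe lists a chain as "subject <- issuer" lines and marks self-signed entries.
func Describe(chain ...*x509.Certificate) []string {
	var lines []string
	for _, c := range chain {
		line := c.Subject.CommonName + " <- " + c.Issuer.CommonName
		if c.CheckSignatureFrom(c) == nil {
			line += " (self-signed)"
		}
		lines = append(lines, line)
	}
	return lines
}

// Verify validates a served chain (leaf first, then untrusted intermediates) against one
// trusted root, the way a client does. Like curl in the first post, Go's verifier also
// enforces the validity period of the trust anchor it arrives at.
func Verify(root *x509.Certificate, now time.Time, chain ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), CurrentTime: now}
	opts.Roots.AddCert(root)
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(opts)
	return err
}

// IsExpired tells Go's "certificate has expired" verdict apart from "unknown authority".
func IsExpired(err error) bool {
	var e x509.CertificateInvalidError
	return errors.As(err, &e) && e.Reason == x509.Expired
}

func main() {
	p := BuildToyPKI()
	fmt.Println(Describe(p.Leaf, p.R3, p.ISRGCross)) // what fullchain.pem held in late 2021
	fmt.Println("DST-only store, now:        ", Verify(p.DST, Now, p.Leaf, p.R3, p.ISRGCross))
	fmt.Println("DST-only store, pre-expiry: ", Verify(p.DST, DSTExpiry.AddDate(0, -3, 0), p.Leaf, p.R3, p.ISRGCross))
	fmt.Println("ISRG store, now:            ", Verify(p.ISRGSelf, Now, p.Leaf, p.R3, p.ISRGCross))
}
```

Run it with go run. To check a real server's bundle the same way, decode the PEM blocks of fullchain.pem with encoding/pem, parse each with x509.ParseCertificate, and hand them to Describe and Verify in served order; with the DST-only store the result separates "the bundle lacks the cross-signed root" (unknown authority) from "the client enforces anchor expiry" (expired), which are the two different failures discussed in this thread.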

Yesterday I noticed a similar problem but sadly I couldn’t fix it. Maybe the thread helps you somehow.

Solved by switching to a ZeroSSL certificate.