Error jvb logs

Hello,

Recently I have encountered difficulties on my jitsi server.
I proceeded to update the debian os, and then did an ‘apt-get update && apt-get upgrade’.

And since in the jvb logs I encounter these error messages:

2021-12-29 10:19:48.677 AVERTISSEMENT: [177] [hostname=localhost id=shard] MucClient$1.connectionClosedOnError#277: Closed on error:
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text>This server does not serve auth.visio.saint-cyr-sur-loire.com</text></stream:error>
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1064)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.base/java.lang.Thread.run(Thread.java:834)
2021-12-29 10:20:33.756 AVERTISSEMENT: [195] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener: Connection XMPPTCPConnection[not-authenticated] (0) closed with error
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text>This server does not serve auth.visio.saint-cyr-sur-loire.com</text></stream:error>
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1064)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)

Also I have a question about wildcard certificates, how do I get a .crt?

If anyone has already had this, thank you for your help.

Show your prosody configuration. Either the hostname is incorrect, or the certificate.


Hello,

Thanks for your quick response, here is the prosody setup:

However, yes, my certificate has just expired. I have the new one, but I only have pem or cer files while the old one has the .key and .crt; how do I convert them?

Thank you for your help,
Cordially.

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "visio.saint-cyr-sur-loire.com";

turncredentials_secret = "***";

turncredentials = {
  { type = "stun", host = "visio.saint-cyr-sur-loire.com", port = "3478" },
  { type = "turn", host = "visio.saint-cyr-sur-loire.com", port = "3478", transport = "udp" },
  { type = "turns", host = "visio.saint-cyr-sur-loire.com", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
  protocol = "tlsv1_2+";
  ciphers = "**"
}

VirtualHost "visio.saint-cyr-sur-loire.com"
        -- enabled = false -- Remove this line to enable this host
        authentication = "internal_hashed"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/visio.saint-cyr-sur-loire.com.key";
                certificate = "/etc/prosody/certs/visio.saint-cyr-sur-loire.com.crt";
        }
        speakerstats_component = "speakerstats.visio.saint-cyr-sur-loire.com"
        conference_duration_component = "conferenceduration.visio.saint-cyr-sur-loire.com"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
            "muc_lobby_rooms";
        }
        c2s_require_encryption = false
        lobby_muc = "lobby.visio.saint-cyr-sur-loire.com"
        main_muc = "conference.visio.saint-cyr-sur-loire.com"
        -- muc_lobby_whitelist = { "recorder.visio.saint-cyr-sur-loire.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.visio.saint-cyr-sur-loire.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focus@auth.visio.saint-cyr-sur-loire.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.visio.saint-cyr-sur-loire.com" "muc"
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.visio.saint-cyr-sur-loire.com", "jvb@auth.visio.saint-cyr-sur-loire.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.visio.saint-cyr-sur-loire.com"
    ssl = {
        key = "/etc/prosody/certs/auth.visio.saint-cyr-sur-loire.com.key";
        certificate = "/etc/prosody/certs/auth.visio.saint-cyr-sur-loire.com.crt";
    }
    authentication = "internal_plain"

Component "focus.visio.saint-cyr-sur-loire.com"
    component_secret = "DEeMm8N@"

Component "speakerstats.visio.saint-cyr-sur-loire.com" "speakerstats_component"
    muc_component = "conference.visio.saint-cyr-sur-loire.com"

Component "conferenceduration.visio.saint-cyr-sur-loire.com" "conference_duration_component"
    muc_component = "conference.visio.saint-cyr-sur-loire.com"

Component "lobby.visio.saint-cyr-sur-loire.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "guest.visio.saint-cyr-sur-loire.com"
    authentication = "anonymous"
    modules_enabled = {
        "turncredentials";
        --"muc_lobby_rooms";
    }
    c2s_require_encryption = false
    --lobby_muc = "lobby.visio.saint-cyr-sur-loire.com"
    --main_muc = "conference.visio.saint-cyr-sur-loire.com"

Component "conference.visio.saint-cyr-sur-loire.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focus@auth.visio.saint-cyr-sur-loire.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

The pem and cer files are most probably equal to the key and crt files. You can change the extension or just replace them in the prosody configuration file.


Thanks for your answer. Do I have to put the new ones in /etc/prosody/certs?

EDIT: I looked, and apparently it would be a simple symbolic link; are the files to be updated directly in /var/lib/prosody?

Yes, as long as prosody can read the file; location or symlink all depends on you. Notice the cnf file? That’s for generating a new certificate and key for prosody use.


Thank you for your answer; the information in the private key of the certificate has changed. Could you tell me now what I have to do to renew the certificate?

In /etc/prosody/certs, there should be yourhost.cnf and a makefile. You can simply run make yourhost.cnf to get a new key and crt file. After that, you just modify the prosody ssl section to point to the key and crt. You should have 2 different certs and keys: one for the domain, and one for auth.


Hello, thank you for your answer.

I found how to update the certificate, I had to do it directly.

I also added the files in /etc/prosody/certs; seeing that I have a wildcard certificate, I have also renamed my certificate for the auth.visio part …

Screenshot_1

However now I have this error message in the logs :

2021-12-30 09:32:31.985 AVERTISSEMENT: [41] [hostname=localhost id=shard] MucClient$1.connectionClosedOnError#277: Closed on error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is because the certificate is not imported into the Java keystore. You can simply import by:

keytool -import -file auth.visio.saint-cyr-sur-loire.com.crt -cacerts -alias auth.visio.saint-cyr-sur-loire.com -storepass changeit -noprompt

and

keytool -import -file visio.saint-cyr-sur-loire.com.crt -cacerts -alias visio.saint-cyr-sur-loire.com -storepass changeit -noprompt

(This will only work for Java 11 and above; Java 8 requires you to specify the cacerts keystore location.)


Thank you very much for your help, but I must be a black cat: I still have two errors with the domain name.

Here are the errors:


2021-12-30 10:02:34.544 AVERTISSEMENT: [45] [hostname=localhost id=shard] MucClient$1.connectionClosedOnError#277: Closed on error:
java.security.cert.CertificateException: Hostname verification of certificate failed. Certificate does not authenticate auth.visio.saint-cyr-sur-loire.com


2021-12-30 10:02:39.612 INFOS: [47] org.jivesoftware.smack.java7.XmppHostnameVerifier.verify: Certificate does not match hostname
java.security.cert.CertificateException: No subject alternative DNS name matching auth.visio.saint-cyr-sur-loire.com found. Tried: *.saint-cyr-sur-loire.com,saint-cyr-sur-loire.com,

Once again, thank you for your great help.

Cordially.

I had the same error using a wildcard certificate and I didn’t find any solution. Not sure how to help you here. I just use the certificate generated using the cnf file.
The cnf file I use to generate the certificate looks like this:

[subject_alternative_name]
DNS.0 = conferenceduration.example.com
DNS.1 = breakout.example.com
DNS.2 = lobby.example.com
DNS.3 = conference.example.com
DNS.4 = avmoderation.example.com
DNS.5 = example.com
DNS.6 = focus.example.com
DNS.7 = auth.example.com
DNS.8 = speakerstats.example.com
DNS.9 = internal.auth.example.com
otherName.0 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.conferenceduration.example.com
otherName.1 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:conferenceduration.example.com
otherName.2 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.breakout.example.com
otherName.3 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:breakout.example.com
otherName.4 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.lobby.example.com
otherName.5 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:lobby.example.com
otherName.6 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.conference.example.com
otherName.7 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:conference.example.com
otherName.8 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.avmoderation.example.com
otherName.9 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:avmoderation.example.com
otherName.10 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-client.example.com
otherName.11 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:example.com
otherName.12 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.focus.example.com
otherName.13 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:focus.example.com
otherName.14 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-client.auth.example.com
otherName.15 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.auth.example.com
otherName.16 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:auth.example.com
otherName.17 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.speakerstats.example.com
otherName.18 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:speakerstats.example.com
otherName.19 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.internal.auth.example.com
otherName.20 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:internal.auth.example.com

[req]
distinguished_name = distinguished_name
prompt = no
x509_extensions = selfsigned
req_extensions = certrequest

[distinguished_name]
countryName = GB
localityName = The Internet
organizationName = Your Organisation
organizationalUnitName = XMPP Department
commonName = example.com
emailAddress = xmpp@example.com

[certrequest]
basicConstraints = CA:FALSE
subjectAltName = @subject_alternative_name
extendedKeyUsage = serverAuth,clientAuth
keyUsage = digitalSignature,keyEncipherment

[selfsigned]
basicConstraints = CA:TRUE
subjectAltName = @subject_alternative_name

and

[selfsigned]
basicConstraints = CA:TRUE
subjectAltName = @subject_alternative_name

[distinguished_name]
countryName = GB
localityName = The Internet
organizationName = Your Organisation
organizationalUnitName = XMPP Department
commonName = auth.example.com
emailAddress = xmpp@auth.example.com

[subject_alternative_name]
DNS.0 = internal.auth.example.com
DNS.1 = auth.example.com
otherName.0 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.internal.auth.example.com
otherName.1 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:internal.auth.example.com
otherName.2 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-client.auth.example.com
otherName.3 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.auth.example.com
otherName.4 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:auth.example.com

[req]
distinguished_name = distinguished_name
prompt = no
x509_extensions = selfsigned
req_extensions = certrequest

[certrequest]
subjectAltName = @subject_alternative_name
extendedKeyUsage = serverAuth,clientAuth
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment

Place them in /etc/prosody/certs, then run make auth.example.com and make example.com.
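The two log lines further up ("Certificate does not authenticate auth.visio.saint-cyr-sur-loire.com" / "Tried: *.saint-cyr-sur-loire.com") and the cnf above are two sides of the same check, so here is an added example (my own code, not from this thread, Prosody or Jitsi) that applies the RFC 6125 wildcard rule to every VirtualHost and Component name found in a Prosody config, and then does the same for the DNS.N entries read from a cnf [subject_alternative_name] section. The prosody.cfg.lua excerpt, the wildcard SAN list and the cnf text are constructed inline for this example.

```python
"""Check which Prosody hosts a certificate's SAN list actually authenticates.

Added example for this thread, not code from the thread, Prosody or Jitsi.
It applies the RFC 6125 rule behind the log line quoted above: a '*' in a
SAN entry stands for exactly one leftmost label, so '*.saint-cyr-sur-loire.com'
authenticates 'visio.saint-cyr-sur-loire.com' but not
'auth.visio.saint-cyr-sur-loire.com'. It also reads the DNS.N entries of an
openssl cnf [subject_alternative_name] section. All inputs are constructed.
"""
import re
from typing import Iterable

# VirtualHost / Component declarations in prosody.cfg.lua ('--' comment lines never match)
HOST_RE = re.compile(r'^\s*(?:VirtualHost|Component)\s+"([^"]+)"', re.MULTILINE)


def san_matches(pattern: str, hostname: str) -> bool:
    """True if a dNSName SAN entry authenticates hostname (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # the wildcard must be the whole leftmost label and matches exactly one label;
    # requiring at least two fixed labels after it is a common implementation choice
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def prosody_hosts(cfg_text: str) -> list[str]:
    """Every VirtualHost and Component name declared in a prosody config."""
    return sorted(set(HOST_RE.findall(cfg_text)))


def cnf_dns_names(cnf_text: str) -> list[str]:
    """DNS.N values of the [subject_alternative_name] section; otherName lines are skipped."""
    names, in_section = [], False
    for line in cnf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[subject_alternative_name]"
        elif in_section and line.startswith("DNS."):
            names.append(line.split("=", 1)[1].strip())
    return names


def uncovered_hosts(san_names: Iterable[str], hosts: Iterable[str]) -> list[str]:
    """Hosts that no SAN entry authenticates; an empty list means the cert fits."""
    san_names = list(san_names)
    return [h for h in hosts if not any(san_matches(s, h) for s in san_names)]


# Constructed prosody.cfg.lua excerpt with the host names used in this thread.
PROSODY_CFG = '''
VirtualHost "visio.saint-cyr-sur-loire.com"
Component "conference.visio.saint-cyr-sur-loire.com" "muc"
-- internal muc component
Component "internal.auth.visio.saint-cyr-sur-loire.com" "muc"
VirtualHost "auth.visio.saint-cyr-sur-loire.com"
Component "focus.visio.saint-cyr-sur-loire.com"
Component "speakerstats.visio.saint-cyr-sur-loire.com" "speakerstats_component"
Component "conferenceduration.visio.saint-cyr-sur-loire.com" "conference_duration_component"
Component "lobby.visio.saint-cyr-sur-loire.com" "muc"
VirtualHost "guest.visio.saint-cyr-sur-loire.com"
'''

# SAN list of the wildcard certificate, as the JVB log line above reports it.
WILDCARD_SANS = ["*.saint-cyr-sur-loire.com", "saint-cyr-sur-loire.com"]

# Constructed cnf: the first SAN section quoted above with example.com replaced.
MAIN_CNF = '''
[subject_alternative_name]
DNS.0 = conferenceduration.visio.saint-cyr-sur-loire.com
DNS.1 = breakout.visio.saint-cyr-sur-loire.com
DNS.2 = lobby.visio.saint-cyr-sur-loire.com
DNS.3 = conference.visio.saint-cyr-sur-loire.com
DNS.4 = avmoderation.visio.saint-cyr-sur-loire.com
DNS.5 = visio.saint-cyr-sur-loire.com
DNS.6 = focus.visio.saint-cyr-sur-loire.com
DNS.7 = auth.visio.saint-cyr-sur-loire.com
DNS.8 = speakerstats.visio.saint-cyr-sur-loire.com
DNS.9 = internal.auth.visio.saint-cyr-sur-loire.com
otherName.0 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.visio.saint-cyr-sur-loire.com

[req]
distinguished_name = distinguished_name
'''

if __name__ == "__main__":
    hosts = prosody_hosts(PROSODY_CFG)
    for label, sans in (("wildcard cert", WILDCARD_SANS), ("cnf cert", cnf_dns_names(MAIN_CNF))):
        missing = uncovered_hosts(sans, hosts)
        print(f"{label}: {len(hosts) - len(missing)}/{len(hosts)} hosts authenticated")
        for host in missing:
            print(f"  not authenticated: {host}")
```

Run against the constructed inputs, the wildcard certificate authenticates only the base host, which is exactly why the main VirtualHost kept working while JVB's connection to auth.visio failed. The cnf-generated certificate leaves only guest.visio uncovered: the checker lists every declared host, and it is up to you to decide which of them are reached over TLS directly (JVB and jicofo authenticate against auth and join the MUC on internal.auth, so those two must be covered).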


So I just did:

Creation of the example.com file with your first quote
Creation of the auth.example.com file with your second quote

I did a make on the two files as you asked me.

And after a restart, always the same problem:

Screenshot_2

I think you misunderstood it. You should change example.com to your domain name, like visio.saint-cyr-sur-loire.com. Then run make, and then the keytool import command I gave, to import into the Java keystore again.


Indeed, I had misunderstood.

I just did it again, but keytool tells me that there is already a domain. How do I proceed with the deletion, by directly deleting the cacerts?

Thank you for your help.

EDIT :

In the absence of your answer, I allowed myself to delete the cacerts file directly, and I redid the two keytools commands that you had asked me.

Couldn’t it be because of the password you entered, “changeit”?

Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
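The two problems in this post, keytool refusing a second import because the alias already exists and the "trustAnchors parameter must be non-empty" error once cacerts has been deleted, both come from running the keytool commands given earlier by hand. As an added example (my own code, not from the thread or the Jitsi project) here is a small wrapper that makes the import re-runnable and refuses to finish if the trust store ended up empty. The Debian OpenJDK path, the /etc/prosody/certs location and the sample keytool listing are assumptions constructed for the example.

```python
"""Re-runnable import of a Prosody certificate into the Java trust store.

Added example for this thread, not code from the thread or from Jitsi. It
wraps the keytool commands given above so that running it twice replaces the
alias instead of failing with "already exists", and it refuses to finish if
the store ends up with no trust anchors, the state that produces
"the trustAnchors parameter must be non-empty". Paths are assumptions.
"""
import subprocess
from pathlib import Path
from typing import Optional


def find_cacerts(java_home: str) -> Optional[Path]:
    """Java 9+ keeps cacerts under lib/security, Java 8 under jre/lib/security."""
    for rel in ("lib/security/cacerts", "jre/lib/security/cacerts"):
        candidate = Path(java_home) / rel
        if candidate.is_file():
            return candidate
    return None


def keytool(*args: str, check: bool = True) -> subprocess.CompletedProcess:
    """Run keytool and capture its output (it is on PATH in a JDK/JRE install)."""
    return subprocess.run(["keytool", *args], capture_output=True, text=True, check=check)


def alias_present(store: Path, alias: str, password: str = "changeit") -> bool:
    """keytool -list -alias exits non-zero when the alias is not in the store."""
    result = keytool("-list", "-keystore", str(store), "-storepass", password,
                     "-alias", alias, check=False)
    return result.returncode == 0


def trusted_entry_count(listing: str) -> int:
    """Count the trustedCertEntry lines of a `keytool -list` listing."""
    return sum(1 for line in listing.splitlines() if "trustedCertEntry" in line)


def import_cert(store: Path, alias: str, cert_file: Path, password: str = "changeit") -> int:
    """Replace-or-add the alias, then return how many trust anchors the store holds."""
    if alias_present(store, alias, password):
        keytool("-delete", "-keystore", str(store), "-storepass", password, "-alias", alias)
    keytool("-import", "-keystore", str(store), "-storepass", password,
            "-alias", alias, "-file", str(cert_file), "-noprompt")
    listing = keytool("-list", "-keystore", str(store), "-storepass", password).stdout
    count = trusted_entry_count(listing)
    if count == 0:
        raise RuntimeError("trust store holds no trust anchors; restore cacerts from the JDK package")
    return count


# Constructed sample of what `keytool -list` prints after the two imports above.
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

auth.visio.saint-cyr-sur-loire.com, 30 Dec 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:...
visio.saint-cyr-sur-loire.com, 30 Dec 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:44:55:...
"""

if __name__ == "__main__":
    # Assumed paths: the Debian OpenJDK 11 location and the thread's cert directory.
    store = find_cacerts("/usr/lib/jvm/java-11-openjdk-amd64")
    if store is None:
        raise SystemExit("no cacerts found under JAVA_HOME")
    certs = Path("/etc/prosody/certs")
    for name in ("visio.saint-cyr-sur-loire.com", "auth.visio.saint-cyr-sur-loire.com"):
        print(name, "imported; trust anchors now:", import_cert(store, name, certs / f"{name}.crt"))
```

Passing -keystore with the path found by find_cacerts works on Java 8 as well as 11, which the -cacerts shorthand used earlier does not. Deleting only the conflicting alias keeps the distribution's CA bundle intact, which is what the JVM needs to build a PKIX path for anything else it talks to.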

While this is not a ‘real’ solution, it’s a real cowardly way to solve it :-), but you can disable certificate checking at the Java level. Here is a config example:

videobridge {
  http-servers {
      public {
          port = 9090
      }
      private {
          port = 8080
          host = 0.0.0.0
          #tls-port = 8443
          #key-store-path = /etc/jitsi/videobridge/ssl.store
          #key-store-password = mypasswd
      }
  }

  websockets {
      enabled = true
      // server-id=jvb1
      domain = "meet.myurl.mytld:443"
      tls = true
  }

  stats {
    # Enable broadcasting stats/presence in a MUC
    enabled = true
    transports = [
      { type = "muc" }
    ]
  }

  apis {
    xmpp-client {
      presence-interval = ${videobridge.stats.interval}
      jid-cache-size = 1000

      configs {
        shard-1 {
             hostname = "localhost"
             domain = "auth.meet.myurl.mytld"
             username = "jvb"
             password = "myverysecretjvbpassword-replace-by-your-value"
             muc_jids = "JvbBrewery@internal.auth.meet.myurl.mytld"
             # The muc_nickname must be unique across all jitsi-videobridge instances
             muc_nickname = "4326ee22-c910-42a2-9854-1af066e5d4fe"
             disable_certificate_verification = true
        }
      }
    }
    # The COLIBRI REST API
    rest {
        enabled = true
    }
    jvb-api {
      enabled = true
    }
  }
}

To be candid, your setup is probably along the lines of another configuration, but this particular jig has been deprecated by the Jitsi devs for quite a long time now, and as a ‘good resolution’ for 2022, how about configuring your server as the Jitsi-videobridge gods always intended?

Anyway, if you are a sip-communicator.properties diehard, you will easily find the appropriate magic by searching this forum.


Hello, thank you for your answer.

I just modified the jvb.conf with your configuration and the correct username / password, however I still get the same error message.

And when I access Jitsi, it’s all gray …

Thank you for your help,
Cordially.

Huh… this is a symptom of an invalid config.js; you did not put these instructions in your config.js, right? That is meant to live as jvb.conf and replace the corresponding instructions in sip-communicator.properties.
BTW, if your system is behind a NAT, my sample config is lacking the necessary instructions.


Hello,

Indeed, there is NAT behind it all; tell me which files you want to see, and I’ll share them with you.

Thank you for your help

In this case, add at the end of the jvb.conf file something like:

ice4j {
  harvest {
    mapping {
      aws {
        enabled = false
        // Whether to use the AWS harvester even when the automatic detection indicates that we are not running in AWS.
        // force = false
      }

      static-mappings = [
        {
          local-address = "1.2.3.4"
          public-address = "88.99.AA.BB"
        }
      ]
    }
  }
}

Replace the private and public addresses with your own.
This should NOT be included in the videobridge section, but after the rest (the ice4j section being a separate section placed in the same file, in other words). The jvb conf file is not tolerant of haphazard placing of instructions.
After this, sip-communicator.properties should not be necessary.