Help us save lives - Internal Server for Healthcare COVID-19 Solution

Hi everyone,

I work with a healthcare company and we are trying to set up an internal Meet server so that we can have secure video conferencing between patients and clinicians in the facility with no traffic leaving the facility.

I have downloaded and installed Jitsi Meet and it’s up and running. I get the web page and have the REST API with colibri configured and working. However, when I try to connect to the internal server from the Android app, it crashes. When I try to connect to a private external server on AWS or the public Jitsi Meet server, it works fine.

The clients have the DNS working properly and we are running a wildcard certificate on the server which is properly configured and the web clients can see the cert fine.

I think we are very close to having a working solution and it’s a configuration issue, but I am just unable to find what is wrong here.

Help is urgently requested and much appreciated!

Thanks,

Rich

I believe the Android app only works with a valid certificate from a CA that’s trusted by the system. If you use an internal CA this may cause the issue at hand. If that’s the case, you could try to

a) import your CA into the Android device’s trust store
b) try to connect using the Android device’s Chrome browser and from the settings menu choose ‘Request Desktop Page’ (not sure about the actual name of this option). This seems to work for at least some modern devices with powerful CPUs

Hi, contact through my email duong.tran@acexis.com. We are setting a server for military and can run inside a local network. Hope we can help.

Hi!

Thanks for the reply.

We are using a GoDaddy wildcard SSL certificate. I have configured our testing devices to use a hosts file that resolves the internal IP address to a host name that is in the same domain as the cert, and using a web browser from the Android device connects to the server’s webpage and sees it as a valid certificate.

However, I will attempt to import the CA on the device and see what happens.

Thanks,

Rich

Make sure you have the fullchain for the certs; check it with https://whatsmychaincert.com/

As far as I know, most browsers on Android use the system’s trust store (the prominent exception being Firefox, which comes with its own trust store). I haven’t looked into the Android app, but if your browser successfully validates the certificate chain, the issue you are facing may not be related to TLS in the end. To be sure whether or not it’s related to TLS, it could help to get a tcpdump on the server while the Android app connects and inspect the TLS handshake, in particular if you see a TLS alert message that fails the handshake.

You said you use Jitsi internally, so I assume a LAN and that you are not using a TURN server and that UDP connections to the Videobridge are enabled? Asking because there is an open issue regarding the Android app when connecting to a TURN server using TLS.

The certificate is already a fullchain, we did verify that based on the documentation and someone pointed out in another question.

The only error we see in the Android adb log is this one.

04-15 13:27:25.740  6162  6524 I JitsiMeetSDK: [modules/xmpp/xmpp.js] P2P STUN servers:  [ { urls: 'stun:demolt.abc.com:3478',
04-15 13:27:25.740  6162  6524 I JitsiMeetSDK:     credential: 'testuser',
04-15 13:27:25.740  6162  6524 I JitsiMeetSDK:     password: 'Television1' } ]
04-15 13:27:25.741  6162  6524 I JitsiMeetSDK: [modules/xmpp/xmpp.js] (TIME) Strophe connecting:     1586950045739
04-15 13:27:26.039  6162  6524 W JitsiMeetSDK: [features/analytics] Error creating analytics handler: Error: Failed to initialize Amplitude handler, no APP key
04-15 13:27:26.039  6162  6524 I JitsiMeetSDK: [modules/RTC/RTCUtils.js] Get media constraints { audio: false,
04-15 13:27:26.039  6162  6524 I JitsiMeetSDK:   video: 
04-15 13:27:26.039  6162  6524 I JitsiMeetSDK:    { mandatory: { minWidth: 1280, minHeight: 720, maxWidth: 1280, maxHeight: 720 },
04-15 13:27:26.039  6162  6524 I JitsiMeetSDK:      optional: [ [Object] ],
04-15 13:27:26.039  6162  6524 I JitsiMeetSDK:      facingMode: 'user',
04-15 13:27:26.039  6162  6524 I JitsiMeetSDK:      width: { ideal: 1280 },
04-15 13:27:26.039  6162  6524 I JitsiMeetSDK:      height: { ideal: 720 } } }
04-15 13:27:26.055  6162  6524 W JitsiMeetSDK: [features/calendar-sync] Calendar access not granted.
04-15 13:27:26.056  6162  6524 E JitsiMeetSDK: [modules/xmpp/strophe.util.js] Strophe: request id 4.1 error 404 happened
04-15 13:27:26.057  6162  6524 W JitsiMeetSDK: [modules/xmpp/strophe.util.js] Strophe: request errored, status: 404, number of errors: 1
04-15 13:27:26.057  6162  6524 I JitsiMeetSDK: [modules/xmpp/xmpp.js] (TIME) Strophe disconnecting:  1586950045913
04-15 13:27:26.059  6162  6524 I JitsiMeetSDK: [modules/xmpp/xmpp.js] (TIME) Strophe disconnected:   1586950045915
04-15 13:27:26.059  6162  6524 E JitsiMeetSDK: [modules/xmpp/xmpp.js] XMPP connection dropped!
04-15 13:27:26.059  6162  6524 I JitsiMeetSDK: [modules/statistics/statistics.js] {"type":"operational","action":"connection.failed","attributes":{"error_type":"connection.droppedError","error_message":"connection-dropped-error","suspend_time":0,"time_since_last_success":null}}
04-15 13:27:26.102  6162  6524 I JitsiMeetSDK: [features/overlay] The conference will be reloaded after 13 seconds.

There is a 404 Error in the adb log, so I’d say this is likely not a TLS issue. So here is what I would check next:

  • Can you successfully establish conferences between devices that are not Android (also for more than 2 participants)?
  • Is your STUN server also available locally?
  • Can you try to disable stun/turn for p2p connections in config.js?
  • Is external_api.js accessible?
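Added example, not part of the original thread or of the Jitsi code base: the triage reasoning above (a Strophe request that fails with an HTTP status points away from TLS) applied to adb logcat lines. The TLS marker keywords, the function names and the sample lines are assumptions made for illustration; redact() masks the STUN credential fields so a log can be shared.

```python
import re

# logcat "threadtime" layout: date time PID TID level tag: message
LINE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\d+\s+\d+\s+([VDIWEF])\s+([^:\s]+):\s?(.*)$")
# HTTP-level BOSH failure, in the form Strophe logs it in this thread
BOSH_ERR = re.compile(r"Strophe: request id (\S+) error (\d{3}) happened")
# Assumed markers of a failed TLS handshake or certificate check (not from the page)
TLS_HINT = re.compile(r"SSLHandshakeException|CertPathValidatorException|certificate|handshake", re.I)
# STUN/TURN secrets as they appear in the logged server list
SECRET = re.compile(r"\b(credential|password):\s*'[^']*'")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, level, tag, msg = m.groups()
    return {"ts": ts, "level": level, "tag": tag, "msg": msg}

def redact(line):
    """Mask credential/password values before the log leaves the facility."""
    return SECRET.sub(lambda m: f"{m.group(1)}: '<redacted>'", line)

def triage(lines, tag="JitsiMeetSDK"):
    """Separate HTTP-level BOSH failures from TLS-level ones."""
    bosh, tls = [], []
    for rec in filter(None, map(parse, lines)):
        if rec["tag"] != tag:
            continue
        m = BOSH_ERR.search(rec["msg"])
        if m:
            bosh.append((rec["ts"], m.group(1), int(m.group(2))))
        elif TLS_HINT.search(rec["msg"]):
            tls.append((rec["ts"], rec["msg"]))
    # An HTTP status can only arrive after the TLS handshake has completed.
    verdict = "tls" if tls else "http" if bosh else "unknown"
    return {"verdict": verdict, "bosh_errors": bosh, "tls_hints": tls}

# Constructed sample in the layout of the log in this thread (placeholder values)
SAMPLE = """\
04-15 13:27:25.740  6162  6524 I JitsiMeetSDK:     credential: 'example-user',
04-15 13:27:25.740  6162  6524 I JitsiMeetSDK:     password: 'example-secret' } ]
04-15 13:27:26.056  6162  6524 E JitsiMeetSDK: [modules/xmpp/strophe.util.js] Strophe: request id 4.1 error 404 happened
04-15 13:27:26.059  6162  6524 E JitsiMeetSDK: [modules/xmpp/xmpp.js] XMPP connection dropped!
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE)["verdict"])
    print(redact(SAMPLE[1]))
```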

The STUN server is also configured locally. If we disable that, we get the following error.

04-17 09:02:20.295  2664  2715 I JitsiMeetSDK: [modules/xmpp/xmpp.js] P2P STUN servers:  [ { urls: 'stun:stun.l.google.com:19302' },
04-17 09:02:20.295  2664  2715 I JitsiMeetSDK:   { urls: 'stun:stun1.l.google.com:19302' },
04-17 09:02:20.295  2664  2715 I JitsiMeetSDK:   { urls: 'stun:stun2.l.google.com:19302' } ]
04-17 09:02:20.301  2664  2715 I JitsiMeetSDK: [modules/xmpp/xmpp.js] (TIME) Strophe connecting:     1587106940300

04-17 09:02:20.483  2664  2715 E JitsiMeetSDK: [modules/xmpp/strophe.util.js] Strophe: request id 34.1 error 404 happened
04-17 09:02:20.484  2664  2715 W JitsiMeetSDK: [modules/xmpp/strophe.util.js] Strophe: request errored, status: 404, number of errors: 1
04-17 09:02:20.484  2664  2715 I JitsiMeetSDK: [modules/xmpp/xmpp.js] (TIME) Strophe disconnecting:  1587106940459
04-17 09:02:20.485  2664  2715 I JitsiMeetSDK: [modules/xmpp/xmpp.js] (TIME) Strophe disconnected:   1587106940460
04-17 09:02:20.487  2664  2715 E JitsiMeetSDK: [modules/xmpp/xmpp.js] XMPP connection dropped!
04-17 09:02:20.488  2664  2715 I JitsiMeetSDK: [modules/statistics/statistics.js] {"type":"operational","action":"connection.failed","attributes":{"error_type":"connection.droppedError","error_message":"connection-dropped-error","suspend_time":0,"time_since_last_success":null}}

If we use the local STUN server, then we also get the same error.

Is external_api.js accessible? YES, it is reachable from the device browser.

Could be a problem with the xmpp connection, as the connection dropped error comes from the xmpp.js module. Do you see anything in the Prosody logs? Is the bosh endpoint properly configured (I think you can just call example.org/http-bind with a web-browser to check)?
Can you establish conferences between non-Android devices?
What is your setup like, did you follow the quick install or are you using docker?
What OS is the server running?
Do you see any errors in the other relevant logs of jvb, jicofo?

Here is how our setup looks and various things we have tried.

We have a local network with two machines and one Android device at the moment. We tested on AWS with EC2 and LB where everything works, so I will just put the local network part below.

  1. Local instance with SSL enabled
  2. SSL is a wild-card cert purchased from GoDaddy
  3. The configured SSL certificate is a full chain
  4. The routing is only enabled locally, so the https://demolt.ab.com is not reachable from the Internet but works fine from all the devices in the network
  5. We have tested from machine browsers and Android browsers, where the conference works fine. Although on the Android browser we are not able to see the video/audio, let’s put that to one side for now.
  6. The issue comes only when we try to join from the Android app
  7. Our Android app is a native Android app, where we have integrated the Jitsi Meet SDK
  8. /config.js works! /http-bind works! /external_api.js works!
  9. Firewall in our local network is disabled at the moment so port forward does not seem to be an issue
  10. The only log we are getting on the Android app side is this Strophe: request errored, status: 404, number of errors: 1 after which the connection gets terminated
  11. We tested with 3 attendees conference where all the browsers join, which works.

I largely think this is some sort of config issue, which only affects the Android app. We don’t have any non-Android App at the moment to test with.

What should be our next steps to check or debug? I appreciate all the answers that we have received so far.

I was assuming you were talking about the Jitsi Meet app. I would suggest testing whether the original Jitsi Meet Android app works with your local setup, but I am currently clueless where else to look for the root cause of your issue.