Internal self-signed certificates expiring

We have a Jitsi server we've been using for a while now, with our own certificate. However, some of the certificates used internally, such as auth.jitsi.example.com by prosody, are still the ones generated during the installation, and they are about to expire.

Is there a way to update those without doing a reinstall? We did try creating a new self-signed one and using that but we’re getting errors both on prosody and jicofo/jvb side. The prosody error is:
Client disconnected: ssl handshake error: sslv3 alert certificate unknown

Did you use prosodyctl cert generate my-host?

Yes, both that and using openssl; both result in the error mentioned above.
In fact, the generated cnf file, using the prosody method, is identical to the original one.

It works for me. I just tried it, and it seems that the syntax cert generate HOSTNAME [HOSTNAME+] doesn't work for the HOSTNAME+ part at least; I had to generate it host by host.
Actually, if you regenerate a certificate, I don't see a reason why the .cnf file should change; the validity start date is not in it.
You can test whether the problem comes from the jicofo/jvb side by using (from the server, of course):

openssl s_client -connect localhost:5222 -starttls xmpp -xmpphost yourhostwhatever -showcerts | openssl x509 -text

You should see your new certificate. If not, check the symbolic links in /etc/prosody/certs.

I think you may be right and that I'm missing a step somewhere:
If I check the certificate directly (openssl x509 -in auth.jitsi.example.com.crt -text), it works fine.
If I check it using your command, I get an error:
PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Any ideas?

By the way, the symlink in /etc/prosody/certs is fine; I checked it and, to be doubly sure, deleted and recreated it.
I also tried running the update-ca-certificates command.
And I only tried creating the one certificate, so the syntax is not the problem.
Finally, I only mentioned the cnf file to illustrate that the two certificates should theoretically be equivalent.

Err, you are not using my example as is, right? If I include 'yourhostwhatever' in it, it's an indication that you have to replace this string with your real local host name.

Edit:

You have to replace 2 certificates (host and auth.host).

Yes, sorry - I've been trying a few things and got confused - the error I mentioned above is with the openssl-generated certificate that I tried, since the prosody one didn't work.

The one generated with prosody is read without a problem, and yes, I am using the proper host name.

I am still getting lots of the error mentioned below in the prosody log, though:
Client disconnected: ssl handshake error: sslv3 alert certificate unknown

As for the actual host - not the auth one - we've always used our own proper certificate for that, and we updated that one a few months ago without any issues.

Again, did you run prosodyctl cert generate TWO times, one for each host (yourhost.tld and auth.yourhost.tld)?

No, I ran it for auth.myhost.tld only.

What I was trying to explain above is that we use a different certificate for myhost.tld, which is not due to expire for a good while yet. We've always had this setup, where we use two different certificates for the two hosts, and it hadn't caused us any issues.

Sorry, I can't decipher what you are saying exactly; it's very confusing for me.
It's not clear what the output of the command I posted was for auth.yourhost.tld. Was a certificate displayed? Did the expiration date correspond to what you expect (that is, valid)?

Yes on both counts: the certificate was displayed, and the expiration date is a year from now, as I would expect.

In this case the problem doesn't seem to come from the certificate but from Java (used by Jicofo and Jvb).
Try disabling certificate verification (not an optimal solution, of course).
It should be something like this in jicofo.conf:

  xmpp: {
    service {
      disable-certificate-verification = true
    }
  }

Right, I got it to work, indirectly thanks to your suggestion above, although it was my bad:
As I mentioned above, I checked the symlink in /etc/prosody but completely forgot about the one in /etc/ssl/certs.

After I added your suggestion above and restarted all relevant services, I noticed I started getting errors to do with the Java certs (I'd been getting these too with the openssl-generated cert but, weirdly, not the prosody-generated one). So I reimported the certificates using update-ca-certificates and, since that didn't work, tried again using the --fresh flag, which did the trick.
Then I restored the jicofo.conf file, and it still works.

So, thank you very much for your help and patience. I should have marshalled my information better at first. However, I did look through various other issues, installation instructions, etc., and saw no mention of those symlinks, so they completely escaped my notice.

Again, thanks and feel free to close the issue

To summarize:

sudo prosodyctl cert generate myjitsihost 
sudo prosodyctl cert generate auth.myjitsihost
sudo update-ca-certificates -f
sudo systemctl restart jicofo jitsi-videobridge2
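The openssl s_client check posted earlier in the thread and the resolution summarized above (prosody serves a freshly generated cert, but Java in jicofo/jvb only trusts what update-ca-certificates has put into the system bundle) can be combined into one script. The following is an added example, not code from the thread or from the Jitsi/prosody projects: it performs the same XMPP STARTTLS exchange that `openssl s_client -starttls xmpp -xmpphost ...` does, using only the Python standard library, then reports the served certificate's expiry and whether its fingerprint appears in the CA bundle (on Debian-based installs the ca-certificates-java hook builds the Java trust store from that bundle) and, optionally, in the .crt file prosody's symlink points at. The paths, host names and the sample PEM payloads are assumptions and constructed data; the sample blobs are not real certificates, which is enough because the fingerprint helpers hash only the decoded bytes.

```python
"""Added example (not from the thread): reproduce the `openssl s_client -starttls xmpp`
check in Python and compare what prosody serves with the system CA bundle that
the Java trust store is built from.  Paths and host names are assumptions."""
import base64
import hashlib
import re
import socket
import ssl
import time

STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _read_until(sock, marker, limit=65536):
    """Read until `marker` shows up; XMPP stream headers are small."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
    return buf


def xmpp_starttls(xmpphost, host="localhost", port=5222, der_trust=None, timeout=10):
    """Negotiate XMPP STARTTLS (what `-starttls xmpp -xmpphost` does) and return
    (der_cert, cert_dict).  Python only decodes a peer certificate it could
    verify, so cert_dict is empty unless `der_trust` is the DER to trust."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
                  "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
                  % xmpphost).encode())
    features = _read_until(sock, b"</stream:features>")
    if STARTTLS_NS.encode() not in features:
        raise RuntimeError("server did not offer STARTTLS")
    sock.sendall(("<starttls xmlns='%s'/>" % STARTTLS_NS).encode())
    _read_until(sock, b"<proceed")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # we compare fingerprints ourselves
    if der_trust is None:
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # Trust exactly the certificate fetched on a first pass, so a
        # self-signed prosody cert verifies and getpeercert() is populated.
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
        ctx.load_verify_locations(cadata=der_trust)
    tls = ctx.wrap_socket(sock, server_hostname=xmpphost)   # SNI, so prosody can pick the per-host cert
    try:
        return tls.getpeercert(binary_form=True), tls.getpeercert() or {}
    finally:
        tls.close()


def fingerprint(der):
    """SHA-256 fingerprint in the colon form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate in PEM text (a single .crt or a bundle
    such as /etc/ssl/certs/ca-certificates.crt)."""
    return {fingerprint(ssl.PEM_cert_to_DER_cert(m.group(0)))
            for m in PEM_RE.finditer(bundle_text)}


def days_until_expiry(not_after, now=None):
    """Days left given getpeercert()['notAfter'], e.g. 'Mar 10 12:00:00 2026 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def check_prosody_host(xmpphost, ca_bundle="/etc/ssl/certs/ca-certificates.crt",
                       prosody_crt=None, host="localhost"):
    """Run the whole check against a live prosody (assumed default paths).
    `in_ca_bundle` False is the thread's situation: prosody serves a cert the
    system bundle (and so Java) does not know, and the client sends the
    `certificate unknown` alert that prosody logs."""
    der, _ = xmpp_starttls(xmpphost, host)
    _, info = xmpp_starttls(xmpphost, host, der_trust=der)
    served = fingerprint(der)
    with open(ca_bundle) as f:
        trusted = pem_bundle_fingerprints(f.read())
    result = {"served": served, "days_left": days_until_expiry(info["notAfter"]),
              "in_ca_bundle": served in trusted}
    if prosody_crt:  # e.g. /etc/prosody/certs/auth.<host>.crt: does the symlink point at the served cert?
        with open(prosody_crt) as f:
            result["matches_prosody_file"] = served in pem_bundle_fingerprints(f.read())
    return result


def _pem(payload):
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % base64.b64encode(payload).decode())


# Constructed offline sample: arbitrary bytes standing in for DER, not real certificates.
SAMPLE_OLD = b"constructed: expiring auth cert"
SAMPLE_NEW = b"constructed: freshly generated auth cert"
SAMPLE_BUNDLE = _pem(SAMPLE_OLD) + _pem(b"constructed: some public CA")

if __name__ == "__main__":
    # Until `update-ca-certificates -f` rebuilds the bundle, only the old cert is trusted.
    print("old in bundle:", fingerprint(SAMPLE_OLD) in pem_bundle_fingerprints(SAMPLE_BUNDLE))
    print("new in bundle:", fingerprint(SAMPLE_NEW) in pem_bundle_fingerprints(SAMPLE_BUNDLE))
    # Live check (needs a prosody on localhost:5222), e.g.:
    # print(check_prosody_host("auth.jitsi.example.com", prosody_crt="/etc/prosody/certs/auth.jitsi.example.com.crt"))
```

Run `check_prosody_host("auth.<yourhost>")` after regenerating the certificates: `in_ca_bundle` should turn True only after `update-ca-certificates -f` has been run, and `matches_prosody_file` False means the symlink under /etc/prosody/certs still points at the old file. Both are the two places this thread found had to be updated before jicofo and the videobridge were restarted.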