Issue with secure domain function of newly installed JM (stable and nightly)

Dear All,
I have installed recently again from scratch a new virtual JM server with Vultr (first with stable build, then also using nightly build), everything went smoothly, also noted that lobby feature is now already enabled as default (great!).

However, after I added the usual steps required for authentication the error “Something went wrong” appeared. Basically same steps as I described previously have been applied (without touching lobby feature):

When I tried to compare with my older version from October I have noticed that there are changes in Prosody (which I am not able to coordinate correctly), probably I miss something “simple but substantial” but so far I cannot find it. Here my steps:

1) Changes in Prosody
sudo nano -w /etc/prosody/conf.d/meet.jitsiserver.org.cfg.lua

VirtualHost "meet.jitsiserver.org"
authentication = "internal_plain"

at the very bottom of the file I added:

VirtualHost "guest.meet.jitsiserver.org"
authentication = "anonymous"
c2s_require_encryption = false

2) Changes in config.js
sudo nano -w /etc/jitsi/meet/meet.jitsiserver.org-config.js
uncommenting/adding:
anonymousdomain: 'guest.meet.jitsiserver.org',

3) Changes in Jicofo
sudo nano -w /etc/jitsi/jicofo/sip-communicator.properties
Add a new line at the bottom of this file:
org.jitsi.jicofo.auth.URL=XMPP:meet.jitsiserver.org

4) Restarting services
sudo systemctl restart prosody
sudo systemctl restart jicofo
sudo systemctl restart jitsi-videobridge2

5) Activate Authorisation requirement each time for login
sudo nano -w /etc/jitsi/jicofo/sip-communicator.properties
add the line:
org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true

then restart Jitsi Meet components:
sudo systemctl restart prosody
sudo systemctl restart jicofo
sudo systemctl restart jitsi-videobridge2

6) ADD or Remove users (=moderators) on your Jitsi Meet server
sudo prosodyctl register username meet.jitsiserver.org password

7) Result: “something went wrong”
I am not able to access my server via browser or Jitsi Meet Electron app.

Any ideas?
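
The three files edited in steps 1 to 3 have to agree on host names and authentication modes. A check for that, as an added example that is not part of the original post or of Jitsi's own tooling; the sample file contents are constructed and the function names are hypothetical:

```python
import re

# Constructed sample inputs modelled on steps 1-3 (placeholder domain from the post).
PROSODY = '''
VirtualHost "meet.jitsiserver.org"
    authentication = "internal_plain"
VirtualHost "auth.meet.jitsiserver.org"
    authentication = "internal_plain"
-- VirtualHost "old.meet.jitsiserver.org"
VirtualHost "guest.meet.jitsiserver.org"
    authentication = "anonymous"
    c2s_require_encryption = false
'''
CONFIG_JS = "hosts: {\n    domain: 'meet.jitsiserver.org',\n    anonymousdomain: 'guest.meet.jitsiserver.org',\n},"
JICOFO = "org.jitsi.jicofo.auth.URL=XMPP:meet.jitsiserver.org\n"


def vhost_auth(prosody_text):
    """Map each VirtualHost to its authentication provider (None if unset)."""
    hosts, current = {}, None
    for raw in prosody_text.splitlines():
        line = raw.strip()
        if line.startswith("--"):                  # Lua comment line
            continue
        if m := re.match(r'(VirtualHost|Component)\s+"([^"]+)"', line):
            # A Component ends the preceding VirtualHost section.
            current = m.group(2) if m.group(1) == "VirtualHost" else None
            if current:
                hosts[current] = None
        elif current and (m := re.match(r'authentication\s*=\s*"([^"]+)"', line)):
            hosts[current] = m.group(1)
    return hosts


def check_secure_domain(domain, prosody_text, config_js, jicofo_props):
    """Return a list of problems; an empty list means the three files agree."""
    problems, hosts = [], vhost_auth(prosody_text)
    if re.search("[\u201c\u201d]", prosody_text):
        problems.append("prosody: typographic quotes found, Lua needs plain ones")
    if hosts.get(domain) in (None, "anonymous"):
        problems.append(f"prosody: {domain} does not require authentication")
    m = re.search(r"^\s*anonymousdomain\s*:\s*['\"]([^'\"]+)['\"]", config_js, re.M)
    if not m:
        problems.append("config.js: anonymousdomain missing or commented out")
    elif hosts.get(m.group(1)) != "anonymous":
        problems.append(f"prosody: {m.group(1)} is not an anonymous VirtualHost")
    m = re.search(r"^\s*org\.jitsi\.jicofo\.auth\.URL\s*=\s*(\S+)", jicofo_props, re.M)
    if not m or m.group(1) != f"XMPP:{domain}":
        problems.append(f"jicofo: org.jitsi.jicofo.auth.URL is not XMPP:{domain}")
    return problems
```

On a server, pass in the contents of the three files from steps 1 to 3 together with the main domain name.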

What errors do you see in your js console?
Also, share your cfg.lua file

Dear Freddie, thx for prompt reply!
below my cfg.lua file, real domain name replaced by “meet.jitsiserver.org”

how to access js console?

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.jitsiserver.org";

turncredentials_secret = "RLdALpr0fzXgMPUf";

turncredentials = {
{ type = "stun", host = "meet.jitsiserver.org", port = "3478" },
{ type = "turn", host = "meet.jitsiserver.org", port = "3478", transport = "udp" },
{ type = "turns", host = "meet.jitsiserver.org", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl$
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256$
}

VirtualHost "meet.jitsiserver.org"
-- enabled = false -- Remove this line to enable this host
authentication = "internal_plain"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will a$
-- use the global one.
ssl = {
key = "/etc/prosody/certs/meet.jitsiserver.org.key";
certificate = "/etc/prosody/certs/meet.jitsiserver.org.crt";
}
speakerstats_component = "speakerstats.meet.jitsiserver.org"
conference_duration_component = "conferenceduration.meet.jitsiserver.org"
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"turncredentials";
"conference_duration";
"muc_lobby_rooms";
}
c2s_require_encryption = false
lobby_muc = "lobby.meet.jitsiserver.org"
main_muc = "conference.meet.jitsiserver.org"
-- muc_lobby_whitelist = { "recorder.meet.jitsiserver.org" } -- Here we can whitelist jibri to en$

Component "conference.meet.jitsiserver.org" "muc"
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
-- "token_verification";
}
admins = { "focus@auth.meet.jitsiserver.org" }
muc_room_locking = false
muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.jitsiserver.org" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "focus@auth.meet.jitsiserver.org", "jvb@auth.meet.jitsiserver.org" }
muc_room_locking = false
muc_room_default_public_jids = true

VirtualHost "auth.meet.jitsiserver.org"
ssl = {
key = "/etc/prosody/certs/auth.meet.jitsiserver.org.key";
certificate = "/etc/prosody/certs/auth.meet.jitsiserver.org.crt";
}
authentication = "internal_plain"

Component "focus.meet.jitsiserver.org"
component_secret = "@VyQuVqA"

Component "speakerstats.meet.jitsiserver.org" "speakerstats_component"
muc_component = "conference.meet.jitsiserver.org"

Component "conferenceduration.meet.jitsiserver.org" "conference_duration_component"
muc_component = "conference.meet.jitsiserver.org"

Component "lobby.meet.jitsiserver.org" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true

VirtualHost "guest.meet.jitsiserver.org"
authentication = "anonymous"
c2s_require_encryption = false

found entrance into console, here some errors:

Logger.js:154 2020-12-13T21:30:49.801Z [JitsiMeetJS.js] <Object.getGlobalOnErrorHandler>: UnhandledError: Focus error, retry after 8000 Script: null Line: null Column: null StackTrace: Error: Focus error, retry after 8000
at l._allocateConferenceFocusError (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:10:176452)
at https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:10:175503
at I.Handler.handler (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:31248)
at I.Handler.run (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:26547)
at https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:34985
at Object.forEachChild (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:18209)
at I.Connection._dataRecv (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:34834)
at D.Bosh._onRequestStateChange (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:54819)
Logger.js:154 2020-12-13T21:30:49.801Z [modules/xmpp/moderator.js] <l._allocateConferenceFocusError>: Focus error, retry after 8000
Logger.js:154 2020-12-13T21:30:49.804Z [conference.js] <ee._onConferenceFailed>: CONFERENCE FAILED: conference.focusDisconnected focus.meet.jitsiserver.org

Logger.js:154 2020-12-13T21:28:00.567Z [JitsiMeetJS.js] <Object.getGlobalOnErrorHandler>: UnhandledError: Focus error, retry after 8000 Script: null Line: null Column: null StackTrace: Error: Focus error, retry after 8000
at l._allocateConferenceFocusError (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:10:176452)
at https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:10:175503
at I.Handler.handler (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:31248)
at I.Handler.run (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:26547)
at https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:34985
at Object.forEachChild (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:18209)
at I.Connection._dataRecv (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:34834)
at D.Bosh._onRequestStateChange (https://meet.jitsiserver.org/libs/lib-jitsi-meet.min.js?v=4582:1:54819)
Logger.js:154 2020-12-13T21:28:00.568Z [modules/xmpp/moderator.js] <l._allocateConferenceFocusError>: Focus error, retry after 8000
Logger.js:154 2020-12-13T21:28:00.571Z [conference.js] <ee._onConferenceFailed>: CONFERENCE FAILED: conference.focusDisconnected focus.meet.jitsiserver.org 8

Your cfg.lua is a bit wrong. Try this:

> plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
> 
> -- domain mapper options, must at least have domain base set to use the mapper
> muc_mapper_domain_base = "meet.jitsiserver.org";
> 
> turncredentials_secret = "RLdALpr0fzXgMPUf";
> 
> turncredentials = {
> { type = "stun", host = "meet.jitsiserver.org", port = "3478" },
> { type = "turn", host = "meet.jitsiserver.org", port = "3478", transport = "udp" },
> { type = "turns", host = "meet.jitsiserver.org", port = "5349", transport = "tcp" }
> };
> 
> cross_domain_bosh = false;
> consider_bosh_secure = true;
> -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl$
> ssl = {
> protocol = "tlsv1_2+";
> ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> }
> 
> VirtualHost "meet.jitsiserver.org"
> -- enabled = false -- Remove this line to enable this host
> authentication = "internal_plain"
> -- Properties below are modified by jitsi-meet-tokens package config
> -- and authentication above is switched to "token"
> --app_id="example_app_id"
> --app_secret="example_app_secret"
> -- Assign this host a certificate for TLS, otherwise it would use the one
> -- set in the global section (if any).
> -- Note that old-style SSL on port 5223 only supports one certificate, and will a$
> -- use the global one.
> ssl = {
> key = "/etc/prosody/certs/meet.jitsiserver.org.key";
> certificate = "/etc/prosody/certs/meet.jitsiserver.org.crt";
> }
> speakerstats_component = "speakerstats.meet.jitsiserver.org"
> conference_duration_component = "conferenceduration.meet.jitsiserver.org"
> -- we need bosh
> modules_enabled = {
> "bosh";
> "pubsub";
> "ping"; -- Enable mod_ping
> "speakerstats";
> "turncredentials";
> "conference_duration";
> }
> 
> Component "conference.meet.jitsiserver.org" "muc"
> storage = "memory"
> modules_enabled = {
> "muc_meeting_id";
> "muc_domain_mapper";
> -- "token_verification";
> }
> admins = { "focus@auth.meet.jitsiserver.org" }
> muc_room_locking = false
> muc_room_default_public_jids = true
> 
> -- internal muc component
> Component "internal.auth.meet.jitsiserver.org" "muc"
> storage = "memory"
> modules_enabled = {
> "ping";
> }
> admins = { "focus@auth.meet.jitsiserver.org", "jvb@auth.meet.jitsiserver.org" }
> muc_room_locking = false
> muc_room_default_public_jids = true
> 
> VirtualHost "auth.meet.jitsiserver.org"
> ssl = {
> key = "/etc/prosody/certs/auth.meet.jitsiserver.org.key";
> certificate = "/etc/prosody/certs/auth.meet.jitsiserver.org.crt";
> }
> authentication = "internal_plain"
> 
> Component "focus.meet.jitsiserver.org"
> component_secret = "@VyQuVqA"
> 
> Component "speakerstats.meet.jitsiserver.org" "speakerstats_component"
> muc_component = "conference.meet.jitsiserver.org"
> 
> Component "conferenceduration.meet.jitsiserver.org" "conference_duration_component"
> muc_component = "conference.meet.jitsiserver.org"
> 
> VirtualHost "guest.meet.jitsiserver.org"
> authentication = "anonymous"
> c2s_require_encryption = false
> modules_enabled = {
>             "muc_lobby_rooms";
>         }
> 
> lobby_muc = "lobby.meet.jitsiserver.org"
> main_muc = "conference.meet.jitsiserver.org"
> -- muc_lobby_whitelist = { "recorder.meet.jitsiserver.org" } -- Here we can whitelist jibri to en$
> 
> Component "lobby.meet.jitsiserver.org" "muc"
> storage = "memory"
> restrict_room_creation = true
> muc_room_locking = false
> muc_room_default_public_jids = true

Dear Freddie,
thanks a lot for your help. Unfortunately, still no changes “something went wrong”.
unless I oversaw something I found the major difference in our cfg files in these 2 parts:

1) I have removed this part
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

2) the difference in the used ciphers in tls happened due to inappropriate copy/paste on my part (sorry!), your and my settings are now the same:

a) my settings:
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

b) your posting:
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

3) I have removed this line under the VirtualHost:
"muc_lobby_rooms";

unfortunately, same results (“something went wrong”)
(if I reset my changes from my initial post everything is working normally, without authorisation)

I remember that I started from scratch because during my (regular) updates using my JM server (based on unstable version installed in October) once suddenly the lobby feature in my GUI disappeared, I was waiting for the next update (did not touch cfg lua in between), after the 2nd update could not access the web interface anymore.
therefore, I suspect that some changes have been introduced that interfere with my “old” settings, however no idea which one…

I had a lot of problems after switching to secure domain with java.
Please have a look at the logs /var/log/jitsi/jicofo.log.
If there are certificates problems look here unable-to-switch-to-secure-domain

Dear Klaus,
thanks a lot, highly appreciated! the issues on your post look very similar.
in connection to your post:
+) when I tried to install a droplet based on Debian 9 the creation of Lets Encrypt certificate failed
+) therefore I switched to Debian 10, where creation of certificate worked smoothly as usual,
+) now with Debian 10 I have installed Java8 (as indicated in the handbook - and as you did:

Initially I aimed also to install Jibri for recording directly on server, Jibri requires java 8
wanted to follow these instructions* but already got stuck at the secure domain as described above, I cannot find so far anything conclusive in the cfg lua file, probably Java is the issue (?)

I will try now to install new droplet (vultr.com) with Debian 10 and using apt install default-jre

*installing Jibri in Jitsi:

I already went through the pain of re-working your cfg.lua, you just need to copy what I pasted and edit to reflect your domain name - that’s all. There may be other issues, but not having the right cfg.lua is a non-starter.

Dear Freddie,
thanks again for your efforts and patience.
I have replaced now the cfg.lua accordingly.
Yes, already a bit further: now I can access the GUI of my Jitsi Meet electron, however I am neither asked to authorise my server in the beginning nor the lobby/e2ee options appear in the GUI. Also I cannot activate my microphone and camera, both are strike-through. I will keep digging, hopefully I did not make a typo…

What version of Prosody are you using?

prosody/stable,now 0.11.2-1 amd64 [installed,automatic]

I’m not even sure you’re actually in a meeting, judging from the screenshot.
Try this: start a meeting, then add 2 other participants to the meeting (you can use multiple tabs on your browser).

If you’re not successful, then you may just need to restart services:

sudo systemctl restart prosody
sudo systemctl restart jicofo
sudo systemctl restart jitsi-videobridge2

Restarting prosody alone would often do it, but no harm restarting all 3.

yes, I can copy/paste link into several tabs, same window as shown above appear, so “conference” is active

No, conference is not active if ALL 3 users (tabs) are not in the same meeting (showing on the same screen together).

1 screen on Jitsi Meet Electron, 2 other tabs on Google Chrome browser (all 3 with same window)
yes, conference is not active.

Okay - yes, conference is not yet active. Restart services.

I have restarted services with same result:
tile view is not possible, only option “invite people” in right corner (in all three windows: Electron and 2 browser tabs)

after the conference URL this line appears in the browser:
#config.startWithAudioMuted=true&config.startWithVideoMuted=true