Jicofo checkServerCerts unable to find valid certification path to requested target

My jicofo log is filling up with messages related to this Java exception. P2P video calls are working but not in all circumstances. I have not yet tested conference calls.

I have obviously got something misconfigured. But I cannot work out what.

My prosody config looks like this.

=============================
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitsi.beardandsandals.co.uk";

turncredentials_secret = "xxxxxxxxxxxxxxxxxxxxx";

turncredentials = {
  { type = "stun", host = "jitsi.beardandsandals.co.uk", port = "3478" },
  { type = "turn", host = "jitsi.beardandsandals.co.uk", port = "3478", transport = "udp" },
  { type = "turns", host = "jitsi.beardandsandals.co.uk", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
  protocol = "tlsv1_2+";
  ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "jitsi.beardandsandals.co.uk"
        -- enabled = false -- Remove this line to enable this host
        authentication = "anonymous"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/jitsi.beardandsandals.co.uk.key";
                certificate = "/etc/prosody/certs/jitsi.beardandsandals.co.uk.crt";
        }
        speakerstats_component = "speakerstats.jitsi.beardandsandals.co.uk"
        conference_duration_component = "conferenceduration.jitsi.beardandsandals.co.uk"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
            "muc_lobby_rooms";
        }
        c2s_require_encryption = false
        lobby_muc = "lobby.jitsi.beardandsandals.co.uk"
        main_muc = "conference.jitsi.beardandsandals.co.uk"
        -- muc_lobby_whitelist = { "recorder.jitsi.beardandsandals.co.uk" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.jitsi.beardandsandals.co.uk" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focus@auth.jitsi.beardandsandals.co.uk" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.jitsi.beardandsandals.co.uk" "muc"
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.jitsi.beardandsandals.co.uk", "jvb@auth.jitsi.beardandsandals.co.uk" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.jitsi.beardandsandals.co.uk"
    ssl = {
        key = "/etc/prosody/certs/auth.jitsi.beardandsandals.co.uk.key";
        certificate = "/etc/prosody/certs/auth.jitsi.beardandsandals.co.uk.crt";
    }
    authentication = "internal_plain"

Component "focus.jitsi.beardandsandals.co.uk"
    component_secret = "xxxxxxxxxxx"

Component "speakerstats.jitsi.beardandsandals.co.uk" "speakerstats_component"
    muc_component = "conference.jitsi.beardandsandals.co.uk"

Component "conferenceduration.jitsi.beardandsandals.co.uk" "conference_duration_component"
    muc_component = "conference.jitsi.beardandsandals.co.uk"

Component "lobby.jitsi.beardandsandals.co.uk" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
================================

My nginx config looks like this.

================================
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jitsi.beardandsandals.co.uk;

# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_certificate /home/wearyhacker/.getssl/jitsi.beardandsandals.co.uk/fullchain.crt;
    ssl_certificate_key /home/wearyhacker/.getssl/jitsi.beardandsandals.co.uk/jitsi.beardandsandals.co.uk.key;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /config.js {
        alias /etc/jitsi/meet/jitsi.beardandsandals.co.uk-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;

        # cache all versioned files
        if ($arg_v) {
          expires 1y;
        }
    }

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";

       alias /etc/jitsi/meet/jitsi.beardandsandals.co.uk-config.js;
    }

    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
}
=============================

My jicofo config looks like this.

===============================
# Jitsi Conference Focus settings
# sets the host name of the XMPP server
JICOFO_HOST=localhost

# sets the XMPP domain (default: none)
JICOFO_HOSTNAME=jitsi.beardandsandals.co.uk

# sets the secret used to authenticate as an XMPP component
JICOFO_SECRET=xxxxxxxxxx

# sets the port to use for the XMPP component connection
JICOFO_PORT=5347

# sets the XMPP domain name to use for XMPP user logins
JICOFO_AUTH_DOMAIN=auth.jitsi.beardandsandals.co.uk

# sets the username to use for XMPP user logins
JICOFO_AUTH_USER=focus

# sets the password to use for XMPP user logins
JICOFO_AUTH_PASSWORD=xxxxxxxxxx

# extra options to pass to the jicofo daemon
JICOFO_OPTS=""

# adds java system props that are passed to jicofo (default are for home and logging config file)
JAVA_SYS_PROPS="-Dconfig.file=/etc/jitsi/jicofo/jicofo.conf -Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"
=============================

/etc/prosody/certs contains the following certs

Found a complete certificate:
issuer=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = auth.jitsi.beardandsandals.co.uk, emailAddress = xmpp@auth.jitsi.beardandsandals.co.uk
subject=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = auth.jitsi.beardandsandals.co.uk, emailAddress = xmpp@auth.jitsi.beardandsandals.co.uk

Found a complete certificate:
issuer=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = jitsi.beardandsandals.co.uk, emailAddress = xmpp@jitsi.beardandsandals.co.uk
subject=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = jitsi.beardandsandals.co.uk, emailAddress = xmpp@jitsi.beardandsandals.co.uk

/etc/ssl/certs/ca-certificates.crt

Contains the same certificates (and many others)

Found a complete certificate:
issuer=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = auth.jitsi.beardandsandals.co.uk, emailAddress = xmpp@auth.jitsi.beardandsandals.co.uk
subject=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = auth.jitsi.beardandsandals.co.uk, emailAddress = xmpp@auth.jitsi.beardandsandals.co.uk

Found a complete certificate:
issuer=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = jitsi.beardandsandals.co.uk, emailAddress = xmpp@jitsi.beardandsandals.co.uk
subject=C = GB, L = The Internet, O = Your Organisation, OU = XMPP Department, CN = jitsi.beardandsandals.co.uk, emailAddress = xmpp@jitsi.beardandsandals.co.uk

The only place I do not see these certificates is in the JRE truststore
/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/jre/lib/security/cacerts

I think I am missing something very basic here.

All help gratefully received.

Roger

Looks like it is using the default trust store rather than the one in /etc/ssl/certs/java.

javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 09:13:32.591      UTC|Logger.java:765|trustStore is: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/jre/lib/security/cacerts

So I added -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts to JAVA_SYS_PROPS in jicofo/config.

Now I get a “Signature does not match.” error. Here is an edited log.

Jicofo 2020-12-09 11:10:49.541 INFO: [11] org.jitsi.impl.configuration.ConfigurationServiceImpl.log() javax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts

javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:51.703 UTC|Logger.java:765|trustStore is: /etc/ssl/certs/java/cacerts

  "certificate" : {
    "version"            : "v3",
    "serial number"      : "1D 86 95 B2 A0 17 F8 46 F8 20 6B C7 60 FC 73 E6 72 10 17 DE",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "EMAILADDRESS=xmpp@auth.jitsi.beardandsandals.co.uk, CN=auth.jitsi.beardandsandals.co.uk, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB",
    "not before"         : "2020-12-03 16:20:08.000 UTC",
    "not  after"         : "2021-12-03 16:20:08.000 UTC",
    "subject"            : "EMAILADDRESS=xmpp@auth.jitsi.beardandsandals.co.uk, CN=auth.jitsi.beardandsandals.co.uk, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
          DNSName: internal.auth.jitsi.beardandsandals.co.uk
          DNSName: auth.jitsi.beardandsandals.co.uk
        ]
      }
    ]},
  
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "36 0C 05 69 8C 3D 05 19 65 C7 8C 0E F1 37 D7 E3 6E 9C F3 61",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "EMAILADDRESS=xmpp@auth.jitsi, CN=auth.jitsi, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB",
    "not before"         : "2020-12-03 16:16:20.000 UTC",
    "not  after"         : "2021-12-03 16:16:20.000 UTC",
    "subject"            : "EMAILADDRESS=xmpp@auth.jitsi, CN=auth.jitsi, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: internal.auth.jitsi
          DNSName: auth.jitsi
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
        ]
      }
    ]},

"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "79 FC 13 51 EB FA 87 0C 1A 4C DE FB 5E FE 07 E0 12 1E D5 59 2E 68 EF D5 25 5F E6 7C 11 41 82 FC",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=auth.jitsi.beardandsandals.co.uk
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1]
    }
  ]
}
)
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.243 UTC|Logger.java:765|WRITE: TLS12 handshake, length = 303
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.250 UTC|Logger.java:765|Raw read (
  0000: 16 03 03 00 3D                                     ....=
)
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.250 UTC|Logger.java:765|READ: TLSv1.2 handshake, length = 61
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.251 UTC|Logger.java:765|READ: TLSv1.2 handshake, length = 61
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.255 UTC|Logger.java:765|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "79 3A 81 CC 35 DE 61 F8 50 1B DD BE 3E 7B 18 53 B3 44 0D A4 78 5E B3 66 44 4F 57 4E 47 52 44 01",
  "session id"          : "",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
    },
    "extended_master_secret (23)": {
      <empty>
    }
  ]
}
)

javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.282 UTC|Logger.java:765|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "69 A3 F1 3B 81 87 B0 7D 38 C7 B6 FA D0 9E 16 2A D5 A2 7B ED",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "EMAILADDRESS=xmpp@auth.jitsi.beardandsandals.co.uk, CN=auth.jitsi.beardandsandals.co.uk, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB",
    "not before"         : "2020-12-07 15:04:20.000 UTC",
    "not  after"         : "2021-12-07 15:04:20.000 UTC",
    "subject"            : "EMAILADDRESS=xmpp@auth.jitsi.beardandsandals.co.uk, CN=auth.jitsi.beardandsandals.co.uk, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: auth.jitsi.beardandsandals.co.uk
          DNSName: internal.auth.jitsi.beardandsandals.co.uk
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.7
          Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
        ]
      }
    ]}
]
)
javax.net.ssl|SEVERE|13|Smack Reader (0)|2020-12-09 11:10:52.372 UTC|Logger.java:765|Fatal (BAD_CERTIFICATE): PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
  	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:386)
  	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:291)
  	at sun.security.validator.Validator.validate(Validator.java:271)
  	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
  	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
  	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
  	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
  	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
  	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
  	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
  	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
  	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
  	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
  	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
  	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
  	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
  	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
  	at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
  	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
  	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
  	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
  	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
  	at java.lang.Thread.run(Thread.java:748)
  Caused by: java.security.cert.CertPathValidatorException: signature check failed
  	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
  	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
  	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
  	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
  	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
  	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:381)
  	... 22 more
  Caused by: java.security.SignatureException: Signature does not match.
  	at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:457)
  	at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
  	at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
  	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
  	... 27 more}

)
javax.net.ssl|ALL|13|Smack Reader (0)|2020-12-09 11:10:52.376 UTC|Logger.java:765|Invalidated session:  Session(1607512252158|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|ALL|13|Smack Reader (0)|2020-12-09 11:10:52.378 UTC|Logger.java:765|Invalidated session:  Session(1607512252260|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.380 UTC|Logger.java:765|WRITE: TLS12 alert(bad_certificate), length = 2
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.381 UTC|Logger.java:765|Raw write (
  0000: 15 03 03 00 02 02 2A                               ......*
)
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.382 UTC|Logger.java:765|close the underlying socket
javax.net.ssl|FINE|13|Smack Reader (0)|2020-12-09 11:10:52.382 UTC|Logger.java:765|close the SSL connection (initiative)
Jicofo 2020-12-09 11:10:52.384 SEVERE: [17] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
	at sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
	... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:386)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:291)
	at sun.security.validator.Validator.validate(Validator.java:271)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	... 16 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:381)
	... 22 more
Caused by: java.security.SignatureException: Signature does not match.
	at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:457)
	at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
	at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
	... 27 more

Looks like I will have to dig deeper.

Any help still gratefully received.

Continuing my interior monologue.

There was a rogue old certificate in /etc/ssl/certs/java/cacerts. This was causing the signature mismatch.

The reason it was there was that the update-ca-certificates update hook to update the Java cacerts file was exiting and doing nothing. This was because the /usr/share/ca-certificates-java directory was missing.

Looking through the dpkg logs showed that this was caused by an uninstall of jitsi-meet, a clean-up using autoremove, and a reinstall of jitsi-meet. The ca-certificates-java package was removed by the autoremove. I will leave working out why to someone else :-).

A reinstall of ca-certificates-java and a manual run of “update-ca-certificates -f” cleared the signature mismatch. The change to the JAVA_SYS_PROPS is still required though.

Whether or not my videoconferencing set up actually works now remains to be seen.
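As an added check (not code from this thread or from the Jitsi project), the script below audits a Java truststore for the situation described above: it parses `keytool -list -v` output and flags entries whose subject CN matches the certificate Prosody serves but whose SHA-256 fingerprint differs, i.e. a stale anchor with the same name and a different key. The hostnames in the sample, the alias naming, the keystore path and the default keystore password `changeit` are assumptions; the embedded keytool output and PEM blob are constructed and are not real certificates.

```python
"""Audit a Debian-style Java truststore for a stale copy of the certificate
Prosody serves: an entry with the same subject CN but a different fingerprint
is the situation behind the "Signature does not match" failure in this thread."""
from __future__ import annotations

import base64
import hashlib
import re
import subprocess
from dataclasses import dataclass


@dataclass
class TrustEntry:
    alias: str
    owner: str   # subject DN as keytool prints it on the "Owner:" line
    sha256: str  # colon-separated upper-case hex, as keytool prints it


def parse_keytool_list(text: str) -> list[TrustEntry]:
    """Parse `keytool -list -v` output into entries, one per 'Alias name:' block."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias = block.splitlines()[0].strip()
        owner = re.search(r"(?m)^Owner: (.*)$", block)
        fp = re.search(r"SHA256: ([0-9A-F:]+)", block)
        if owner and fp:
            entries.append(TrustEntry(alias, owner.group(1).strip(), fp.group(1)))
    return entries


def cn_of(dn: str) -> str | None:
    """Pull the CN attribute out of a comma-separated DN, wherever it sits."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def pem_sha256_fingerprint(pem: str) -> str:
    """keytool-style SHA-256 fingerprint of the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no certificate block in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit(entries: list[TrustEntry], served_cn: str, served_fp: str) -> tuple[list[str], list[str]]:
    """Return (current, stale) aliases among entries whose CN equals the served
    certificate's CN: 'current' match its fingerprint, 'stale' do not."""
    current, stale = [], []
    for e in entries:
        if cn_of(e.owner) == served_cn:
            (current if e.sha256 == served_fp else stale).append(e.alias)
    return current, stale


def audit_truststore(keystore: str, cert_path: str, served_cn: str,
                     storepass: str = "changeit") -> tuple[list[str], list[str]]:
    """Live variant for a real host (not exercised offline): hashes the PEM file
    Prosody is configured with and lists the JVM truststore via keytool (assumed password)."""
    out = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass],
        capture_output=True, text=True, check=True).stdout
    with open(cert_path, encoding="ascii") as f:
        served_fp = pem_sha256_fingerprint(f.read())
    return audit(parse_keytool_list(out), served_cn, served_fp)


# --- constructed offline sample: not real certificates or a real keystore ---
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed stand-in for the auth cert DER").decode()
              + "\n-----END CERTIFICATE-----\n")
SERVED_FP = pem_sha256_fingerprint(SAMPLE_PEM)
STALE_FP = ":".join(["AA"] * 32)  # deliberately different from SERVED_FP
ROOT_FP = ":".join(["BB"] * 32)
SAMPLE_KEYTOOL_OUTPUT = f"""Your keystore contains 3 entries

Alias name: debian:auth.jitsi.example.pem
Entry type: trustedCertEntry
Owner: EMAILADDRESS=xmpp@auth.jitsi.example, CN=auth.jitsi.example, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB
Certificate fingerprints:
\t SHA256: {SERVED_FP}

Alias name: debian:auth.jitsi.example-old.pem
Entry type: trustedCertEntry
Owner: EMAILADDRESS=xmpp@auth.jitsi.example, CN=auth.jitsi.example, OU=XMPP Department, O=Your Organisation, L=The Internet, C=GB
Certificate fingerprints:
\t SHA256: {STALE_FP}

Alias name: debian:example_root_ca.pem
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=GB
Certificate fingerprints:
\t SHA256: {ROOT_FP}
"""

if __name__ == "__main__":
    current, stale = audit(parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT), "auth.jitsi.example", SERVED_FP)
    print("current:", current)
    print("stale (same CN, different key):", stale)
```

Any alias reported as stale is a candidate for removal before re-running `update-ca-certificates -f`; on a real host call `audit_truststore("/etc/ssl/certs/java/cacerts", "/etc/prosody/certs/auth.<your-domain>.crt", "auth.<your-domain>")`.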

You are not the first bitten by this AdoptOpenJDK thing. Using a different Java than the system one can lead to some strange behaviour around certificates indeed. The fine Jitsi manual insists that Jitsi users “adopt” Java 8 on platforms that do not support it, yet I doubt that meet.jit.si is actually using Java 8 since Java 11 support was officially added in May 2019 (except for Jibri, which seems to be welded to this old relic).

And I did that reinstall so I could roll back the jre to the “supported” version :angry:

We added support for Java 11 just to be sure everything works, as the new Ubuntu LTS and the latest Debian have those by default … But still the bridge is optimised to perform better using Java 8, so this is what is used for meet.jit.si.

Right. It’s a bit sad (for Java) that seven years of Java development are not compelling enough to justify a version upgrade.

It is not as easy as it sounds. And it is also a historical reason: last year when we were rewriting the jvb1 to jvb2, and as jvb1 was already running and performing well in production using Java 8, it is the only comparison we have, so jvb2 was written and optimized to work on the same environment.
So now we need to find time to spend on doing some testing and tuning to make it work the same way on Java 11 …


I think this leaves one issue outstanding. It can probably be resolved in documentation.

Why was the truststore left pointing to the default set by the jdk install?

I have taken a look at the Debian situation here. Everyone is right and everything breaks :slight_smile:

Thank you! This was exactly what I observed:

  • package ca-certificates-java was missing / never installed in the first place
  • consequently java keystore /etc/ssl/certs/java/cacerts did not exist
  • consequently update-ca-certificates -f could not copy the prosody cert to java keystore
  • installing ca-certificates-java and running update-ca-certificates -f fixed keystore
  • still need to set JAVA_SYS_PROPS in jicofo/conf for the VM to actually use keystore

I wish I’d found your post sooner :slight_smile:

I ran into this error message in Dec 2021 using Debian 11 Bullseye.

I did an install from a bare server using the Debian repository instructions and ended up with what looked like working Jitsi. But when a 2nd participant connected it would explode with this error in the jvb.log file.

I found this thread and noted that ca-certificates-java was already installed on my system. I tried:

update-ca-certificates -f

as the root user, and that properly added the missing cert to the Java trust store. Then, after a restart of the jitsi-videobridge service, my problem was fixed and everything worked perfectly!