Jigasi recorder VirtualHost certs

I was told I should add a VirtualHost called “recorder.my-domain” for jigasi (or at least using the user @recorder.my-domain, which requires that this VirtualHost exists). The other VirtualHosts in the prosody configuration all have Let’s Encrypt certificates, but those were obtained by the jitsi-meet installer. I don’t know how to obtain certs for a prosody server, for a subdomain: recorder.

How to do this? Are these certs necessary?

I end up with

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: recorder.my-domain
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up A for
   recorder.my-domain - check that a DNS record exists for
   this domain

I have no DNS records for the other subdomains (auth and guest) in prosody either. So I wonder how they got certs?

You don’t need certs for the virtual host in prosody, but just for those in the webserver. It is just that the one in prosody matches the one in the webserver.

What about

VirtualHost "auth.my-domain"
    ssl = {
        key = "/etc/prosody/certs/auth.my-domain.key";
        certificate = "/etc/prosody/certs/auth.my-domain.crt";
    }
    authentication = "internal_plain"

I mean, should I just leave out that ssl section for recorder.my-domain? I tried that, but I still get these errors (below); they may be related to other Jigasi conf properties.

Feb 25, 2020 5:35:11 PM net.java.sip.communicator.util.Logger info
INFO: JID allowed to make outgoing calls: jigasibrewery@internal.auth.my-domain
Feb 25, 2020 5:35:11 PM org.igniterealtime.jbosh.BOSHClient init
INFO: Starting with 1 request processors
Feb 25, 2020 5:35:11 PM org.jivesoftware.smack.bosh.XMPPBOSHConnection shutdown
WARNING: shutdown
java.lang.NullPointerException
	at org.igniterealtime.jbosh.BOSHClient.send(BOSHClient.java:494)
	at org.igniterealtime.jbosh.BOSHClient.disconnect(BOSHClient.java:586)
	at org.igniterealtime.jbosh.BOSHClient.disconnect(BOSHClient.java:567)
	at org.jivesoftware.smack.bosh.XMPPBOSHConnection.shutdown(XMPPBOSHConnection.java:266)
	at org.jivesoftware.smack.bosh.XMPPBOSHConnection.notifyConnectionError(XMPPBOSHConnection.java:417)
	at org.jivesoftware.smack.bosh.XMPPBOSHConnection$BOSHConnectionListener.connectionEvent(XMPPBOSHConnection.java:464)
	at org.igniterealtime.jbosh.BOSHClient.fireConnectionClosedOnError(BOSHClient.java:1684)
	at org.igniterealtime.jbosh.BOSHClient.dispose(BOSHClient.java:713)
	at org.igniterealtime.jbosh.BOSHClient.processExchange(BOSHClient.java:1138)
	at org.igniterealtime.jbosh.BOSHClient.processMessages(BOSHClient.java:999)
	at org.igniterealtime.jbosh.BOSHClient.access$300(BOSHClient.java:100)
	at org.igniterealtime.jbosh.BOSHClient$RequestProcessor.run(BOSHClient.java:1728)
	at java.base/java.lang.Thread.run(Thread.java:834)

Feb 25, 2020 5:35:11 PM org.jivesoftware.smack.AbstractXMPPConnection callConnectionClosedOnErrorListener
WARNING: Connection XMPPBOSHConnection[not-authenticated] (0) closed with error
org.igniterealtime.jbosh.BOSHException: Could not obtain response
	at org.igniterealtime.jbosh.ApacheHTTPResponse.awaitResponse(ApacheHTTPResponse.java:251)
	at org.igniterealtime.jbosh.ApacheHTTPResponse.getBody(ApacheHTTPResponse.java:192)
	at org.igniterealtime.jbosh.BOSHClient.processExchange(BOSHClient.java:1123)
	at org.igniterealtime.jbosh.BOSHClient.processMessages(BOSHClient.java:999)
	at org.igniterealtime.jbosh.BOSHClient.access$300(BOSHClient.java:100)
	at org.igniterealtime.jbosh.BOSHClient$RequestProcessor.run(BOSHClient.java:1728)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
	at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
	at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
	at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
	at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:403)
	at java.base/java.net.Socket.connect(Socket.java:609)
	at java.base/sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:285)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:479)
	at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:66)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at org.igniterealtime.jbosh.ApacheHTTPResponse.awaitResponse(ApacheHTTPResponse.java:235)
	... 6 more

Feb 25, 2020 5:35:11 PM org.jivesoftware.smack.SASLAuthentication selectMechanism
WARNING: Server did not report any SASL mechanisms
Feb 25, 2020 5:35:11 PM net.java.sip.communicator.util.Logger error
SEVERE: Failed to connect to XMPP service
org.jivesoftware.smack.SmackException: No supported and enabled SASL Mechanism provided by server. Server announced mechanisms: []. Registered SASL mechanisms with Smack: [SASL Mech: GSSAPI, Prio: 100, SASL Mech: SCRAM-SHA-1-PLUS, Prio: 100, SASL Mech: SCRAM-SHA-1, Prio: 110, SASL Mech: DIGEST-MD5, Prio: 200, SASL Mech: CRAM-MD5, Prio: 300, SASL Mech: PLAIN, Prio: 400, SASL Mech: X-OAUTH2, Prio: 410, SASL Mech: EXTERNAL, Prio: 500, SASL Mech: ANONYMOUS, Prio: 500]. Enabled SASL mechanisms for this connection: null. Blacklisted SASL mechanisms: [SCRAM-SHA-1-PLUS].
	at org.jivesoftware.smack.SASLAuthentication.selectMechanism(SASLAuthentication.java:361)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:192)
	at org.jivesoftware.smack.bosh.XMPPBOSHConnection.loginInternal(XMPPBOSHConnection.java:222)
	at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:491)
	at net.java.sip.communicator.impl.protocol.jabber.LoginByPasswordStrategy.login(LoginByPasswordStrategy.java:98)
	at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin(ProtocolProviderServiceJabberImpl.java:1371)
	at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin(ProtocolProviderServiceJabberImpl.java:970)
	at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.initializeConnectAndLogin(ProtocolProviderServiceJabberImpl.java:795)
	at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.register(ProtocolProviderServiceJabberImpl.java:500)
	at org.jitsi.jigasi.util.RegisterThread.run(RegisterThread.java:59)

This is because jigasi cannot access the port 443 to establish a BOSH connection.
It is this setting:

    net.java.sip.communicator.impl.protocol.jabber.accxmpp.BOSH_URL=https://10.20.3.44/http-bind

I see, http works for the internal IP. Is that OK? It’s the nginx web server IP alright.

I guess not. I get the same errors with http.

Attachments: combined_prosody_conf.lua.txt (12.1 KB), properties.txt (8.6 KB)

What is that http-bind supposed to show or do?
In my browser http://10.0.2.15/http-bind gives a 404

I think it expects to find something there.

I can catch the Exception with the Debugger. The BOSHConfiguration at that point is:

    config = {BOSHConfiguration@3924}
        https = false
        file = "/http-bind"
        xmppServiceDomain = {DomainpartJid@3949} "auth.my-domain"
        hostAddress = null
        host = "10.0.2.15"

In /etc/nginx/sites-available/my-domain.conf, I also have

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

That resolves to the web page logged in the trace:

    404 Not Found

    Whatever you were looking for is not here. Keep looking.

    Unknown host: localhost

which is probably generated by prosody.

It should be https

Should look like: https://meet.jit.si/http-bind
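The two replies above boil down to a check a practitioner can script: the `accxmpp.BOSH_URL` must be https and must name the public host that the webserver’s Let’s Encrypt certificate covers, never an internal IP (prosody’s own VirtualHosts such as auth.my-domain need no public certificate of their own, so there is nothing for an internal address to match), and `SERVER_ADDRESS` should not be an internal IP either. The following is an added example, not code from the thread or from the Jitsi project. The two accxmpp property names come from the thread; the constructed properties file, the helper names, the public host name `my-domain` and the private-address heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint the accxmpp BOSH settings of a
# jigasi properties file against the advice given above. Assumptions: the
# properties file layout, the helper names and the private-range heuristic.

# write_props FILE BOSH_URL SERVER_ADDRESS
# Writes a constructed properties file (not the poster's real file).
write_props() {
    cat > "$1" <<EOF
net.java.sip.communicator.impl.protocol.jabber.accxmpp.ACCOUNT_UID=Jabber:jigasi@auth.my-domain
net.java.sip.communicator.impl.protocol.jabber.accxmpp.SERVER_ADDRESS=$3
net.java.sip.communicator.impl.protocol.jabber.accxmpp.BOSH_URL=$2
EOF
}

# prop FILE KEY: print the value of accxmpp.KEY (last occurrence wins).
prop() {
    sed -n "s/^net\.java\.sip\.communicator\.impl\.protocol\.jabber\.accxmpp\.$2=//p" "$1" | tail -n 1
}

# url_scheme URL / url_host URL: crude URL splitting, enough for a BOSH URL.
url_scheme() {
    printf '%s\n' "$1" | sed -n 's|^\([a-zA-Z][a-zA-Z0-9+.-]*\)://.*|\1|p'
}
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' -e 's|[/:].*$||'
}

# is_private_ipv4 ADDR: true for RFC 1918 and loopback literals (assumed heuristic).
is_private_ipv4() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_bosh FILE PUBLIC_HOST: one finding per line; exit status = number of findings.
lint_bosh() {
    file=$1; public_host=$2; n=0
    url=$(prop "$file" BOSH_URL)
    host=$(url_host "$url")
    if [ "$(url_scheme "$url")" != "https" ]; then
        echo "BOSH_URL is not https: $url"; n=$((n+1))
    fi
    if is_private_ipv4 "$host"; then
        echo "BOSH_URL host $host is an internal address; no public cert matches it"; n=$((n+1))
    fi
    if [ "$host" != "$public_host" ]; then
        echo "BOSH_URL host $host differs from the public host $public_host"; n=$((n+1))
    fi
    case "$url" in
        */http-bind) ;;
        *) echo "BOSH_URL path is not /http-bind: $url"; n=$((n+1)) ;;
    esac
    srv=$(prop "$file" SERVER_ADDRESS)
    if is_private_ipv4 "$srv"; then
        echo "SERVER_ADDRESS $srv is an internal address"; n=$((n+1))
    fi
    return "$n"
}

# Demo: the internal-IP configuration from the thread, then a corrected one.
tmp=$(mktemp)
write_props "$tmp" "http://10.0.2.15/http-bind" "10.0.2.15"
lint_bosh "$tmp" my-domain || echo "findings: $?"
write_props "$tmp" "https://my-domain/http-bind" "my-domain"
lint_bosh "$tmp" my-domain && echo "findings: 0"
rm -f "$tmp"
```

Run it as `sh lint_bosh.sh`; to lint a real installation, call `lint_bosh /etc/jitsi/jigasi/sip-communicator.properties your.public.host` (that path is the usual Debian package location, assumed here). The exit status doubles as a finding count so the check can be dropped into a post-install script.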

@damencho maybe I should use the external IP or my-domain somewhere in jigasis properties

Using the external IP here:

    net.java.sip.communicator.impl.protocol.jabber.accxmpp.SERVER_ADDRESS

and here:

    net.java.sip.communicator.impl.protocol.jabber.accxmpp.BOSH_URL=http://10.0.2.15/http-bind

and changing

    net.java.sip.communicator.impl.protocol.jabber.accxmpp.ACCOUNT_UID=Jabber:jigasi@auth.my-domain@10.0.2.15

to

    net.java.sip.communicator.impl.protocol.jabber.accxmpp.ACCOUNT_UID=Jabber:jigasi@auth.my-domain

does change the errors in the trace to a single one:

SEVERE: Failed to connect to XMPP service
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized
	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:292)

It seems a little better now. I deleted the user transcriber@recorder.my-domain that was added before adding the VirtualHost properly, then added it again with prosodyctl adduser.

Of course, there are new errors.