Jitsi-meet only with internal IPs no FQDN


#1

Hi ppl,

I installed a new virtual machine with the latest Ubuntu on it. Installing jitsi-meet is rather straightforward, but I'm not able to get it working. I have no FQDN, and anyhow I want to use it only on the internal network, so LAN only, but it seems that it is not working that way.
I created self-signed certificates, I installed jitsi-meet and when it asked me I pointed it to my *.key and *.cert. When I access jitsi-meet on e.g. the laptop via URL using the IP of the host machine it loads the jitsi page, I can join/create a room and I can see myself on the laptop; however my Android phone with the jitsi app, after adding the IP of my jitsi server in the settings, can join that room (the one I created earlier from my laptop) but only has a black screen. What am I doing wrong, does jitsi-meet work at all without an FQDN, and what needs to be added/changed to make it work only with IPs?

It also seems to be an issue with certificates, as the logs indicate. How do I fix this or skip certificates completely?
Jicofo 2018-09-03 14:53:14.989 INFO: [1] org.jitsi.xmpp.component.ComponentBase.loadConfig().205 ping threshold: 3
Jicofo 2018-09-03 14:53:15.771 SEVERE: [27] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.doConnect().319 Failed to connect/login: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation fa$
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1072)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:994)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1010)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1067)
… 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)


#2

Hi ppl,

I installed a new virtual machine with Ubuntu 18.04.1 LTS server version on it. I configured it to have the static IP 192.168.1.4. The machine is behind my router/modem, which is at 192.168.1.1. Steps I took: first I edited

nano /etc/netplan/50-cloud-init.yaml

to get a fixed IP:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      dhcp6: no
      addresses: [192.168.1.4/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [192.168.1.1]

To apply:

sudo netplan apply

Next I installed apache and oracle:

sudo apt install apache2 openjdk-8-jdk

Then I created self-signed certificates (not sure if that is needed, but I did it anyhow):

sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/private/chatbox.key -out /etc/ssl/certs/chatbox.crt

When it asks questions (name, organization etc.) I guess it does not matter what you fill in, but the question

Common Name (e.g. server FQDN or YOUR name) []:server_IP_address

I answer with the IP of the machine, so 192.168.1.4.
Then I changed Apache to use SSL (not sure if needed):

nano /etc/apache2/sites-available/default-ssl.conf
and added under the ServerAdmin line:

ServerName 192.168.1.4

and changed the certificate locations to point to the ones I generated above:

SSLCertificateFile /etc/ssl/certs/chatbox.crt
SSLCertificateKeyFile /etc/ssl/private/chatbox.key

Then I created an Apache SSL snippet:

nano /etc/apache2/conf-available/ssl-params.conf
content:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Then some other stuff for Apache to work, and a syntax test:

sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl
sudo a2enconf ssl-params
sudo apache2ctl configtest
For the moment there is no need for firewall stuff on my local network, so I'm disabling it:
sudo systemctl stop ufw.service
sudo systemctl disable ufw.service

Now it is time to do a reboot and install jitsi-meet: first download, check and install the key, and add jitsi as a source to apt-get (the rest of my text is displayed as a picture, attached to this post, as apparently there is a limit for new users of 2+ links in a post, except log links):

jicofo.log:
https://pastebin.com/kD0qQp2c
jvb.log:
https://pastebin.com/HWkJ6PL0

apache_error.log.txt (3.2 KB)
jicofo.log.txt (24.4 KB)
prosody.txt (268 Bytes)
prosody.log.txt (2.2 KB)
jvb.log.txt (232.2 KB)


#3

To connect to a deployment using mobile you need the certificate from the deployment to be trusted on the mobile device. You need to make sure your certificate is trusted on all the mobile devices you will use, or you need to use real DNS and Let's Encrypt to have a trusted certificate.


#4

As I tried to explain above, I'm making use of self-signed certificates (not Let's Encrypt). Are you saying that it is a requirement to make jitsi-meet work, and there is no way around it on a local network? I have the same behavior when I try to access it from a second laptop, btw. Thanks in advance.


#5

Using jitsi-meet in the browser on a laptop should be fine. If you see some kind of error when the second participant joins, this is not because of certificates; you need to check the JavaScript console logs for more information on what the problem is.

On the other hand, if you want to use the mobile app you need to install the certificate on the mobile device first. This is a requirement for the mobile app to work: it needs a trusted certificate. The only way to do that with a self-signed one is to transfer it to the mobile device and make it trusted (not sure how it is done, but there should be plenty of information if you search using Google). A simple test for mobile is to open the address in the mobile browser and make sure you don't see a certificate warning; then the mobile app should work.
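Neither the openssl command in post #2 nor the "no certificate warning" test in post #5 says what a client's validator actually checks. The script below is an added example, not code from the thread or from the Jitsi project. It builds two self-signed certificates for 192.168.1.4: one the way post #2 does it (the IP only in the Common Name) and one that also carries subjectAltName = IP:192.168.1.4. It then runs the two checks every client in this thread performs, whether it is the laptop browser, the Android app, or the JVM behind the PKIX error in post #1's Jicofo log: is the certificate (or its issuer) in my trust store, and does the address I connected to match a SAN entry. Assumptions: openssl 1.1.0 or newer on PATH, a scratch directory from mktemp, and the IP from the post (override with WORKDIR / SERVER_IP).

```shell
#!/bin/sh
# Added example, not code from the thread or from Jitsi.
# Generates a CN-only self-signed cert (like post #2's chatbox.crt) and a cert
# with subjectAltName = IP:<ip>, then checks each the way a client validator does.
# Assumes: openssl >= 1.1.0 on PATH (for -verify_ip), mktemp, IP 192.168.1.4.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-192.168.1.4}"

# make_cert PREFIX IP [san]
# Writes PREFIX.key and PREFIX.crt. With a third argument of "san" the cert also
# carries subjectAltName = IP:<ip>, which post #2's command omits; without it
# you get a CN-only certificate, i.e. what the post's chatbox.crt looks like.
make_cert() {
  prefix=$1; ip=$2; san=${3:-}
  cfg="$prefix.cnf"
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "prompt = no"
    echo "x509_extensions = ext"
    echo "[dn]"
    echo "CN = $ip"
    echo "[ext]"
    echo "basicConstraints = CA:FALSE"
    if [ "$san" = san ]; then
      echo "subjectAltName = IP:$ip"
    fi
  } > "$cfg"
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout "$prefix.key" -out "$prefix.crt" -config "$cfg" >/dev/null 2>&1
}

# cert_san_ips CERT -> prints the IP entries of subjectAltName (empty if none)
cert_san_ips() {
  openssl x509 -in "$1" -noout -text | grep -o 'IP Address:[0-9.]*' || true
}

# verify_as_client CERT TRUSTSTORE IP
# TRUSTSTORE is a PEM file standing in for the client's trust store (the
# browser's, the phone's, or the JVM cacerts Jicofo uses). Returns 0 only if
# the chain validates against it AND the IP matches a SAN entry, which is the
# same two-part check a PKIX validator applies before the TLS handshake succeeds.
verify_as_client() {
  out=$(openssl verify -CAfile "$2" -verify_ip "$3" "$1" 2>&1) || true
  printf '%s\n' "$out" | grep -q ': OK$'
}

make_cert "$WORKDIR/cnonly"  "$SERVER_IP"       # like the post: CN=192.168.1.4, no SAN
make_cert "$WORKDIR/withsan" "$SERVER_IP" san   # CN plus subjectAltName=IP:192.168.1.4

report() {  # report LABEL CERT TRUSTSTORE
  if verify_as_client "$2" "$3" "$SERVER_IP"; then echo "OK    $1"; else echo "FAIL  $1"; fi
}
echo "SAN in cnonly.crt : '$(cert_san_ips "$WORKDIR/cnonly.crt")'"
echo "SAN in withsan.crt: '$(cert_san_ips "$WORKDIR/withsan.crt")'"
report "CN-only cert, trusted by the client (post's cert, installed on the phone)" "$WORKDIR/cnonly.crt"  "$WORKDIR/cnonly.crt"
report "SAN cert, trusted by the client"                                          "$WORKDIR/withsan.crt" "$WORKDIR/withsan.crt"
report "SAN cert, client trusts something else (cert never installed)"             "$WORKDIR/withsan.crt" "$WORKDIR/cnonly.crt"
```

Expected verdicts: the CN-only certificate fails the IP match even once it is trusted, because OpenSSL (like Java and the mobile platforms) matches an IP address only against subjectAltName entries, never against the CN, so the openssl line in post #2 needs a SAN extension before installing it on the phone helps. The SAN certificate passes when it is in the client's store and fails with a self-signed or signature error when the client trusts something else, which is what the Android app sees before it is installed and what the "signature check failed" line in post #1 is reporting from the JVM. Against the live server the same check over the wire is `openssl s_client -connect 192.168.1.4:443 -CAfile /etc/ssl/certs/chatbox.crt -verify_ip 192.168.1.4 -verify_return_error </dev/null`. For the Jicofo error the trust store that matters is the JVM's own cacerts file, not the phone's: installing the certificate on the mobile device does not clear that log line, whereas on Ubuntu adding it to the system CA store with update-ca-certificates also refreshes the JVM store when the ca-certificates-java package is installed.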