Jitsi stopped working after upgrade

Hello,

I have a self-hosted Jitsi installation that was working fine until I updated it a few hours ago. Since updating, I can’t connect to any conference room, as I get a “something went wrong” message and the browser keeps trying to reconnect.

Both the jicofo and jvb logs show a problem building the PKI certificate chain, but I haven’t made any changes to the certificates as far as I know:

/var/log/jitsi/jvb.log
JVB 2021-05-03 11:40:44.173 WARNING: [16] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$8#591: [MucClient id=shard hostname=localhost] error connecting
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.lang.Thread.run(Thread.java:748)
/var/log/jitsi/jicofo.log
Jicofo 2021-05-03 11:42:13.364 SEVERE: [342] [xmpp_connection=client] XmppProviderImpl.doConnect#225: Failed to connect/login: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.lang.Thread.run(Thread.java:748)

Besides, prosody log keeps showing these messages:

May 03 11:46:09 c2s55a8c6f65fe0 info    Client connected
May 03 11:46:09 c2s55a8c6f65fe0 info    Client disconnected: ssl handshake error: sslv3 alert certificate unknown

I would be grateful if you could give me a hand to solve this issue.

Should you need more information, do not hesitate to ask me.

Regards,

You can set these settings to resolve this
jicofo/reference.conf at bdfc7706ba86558681bdf8e5b3c685a1a95f8a91 · jitsi/jicofo · GitHub in jicofo.con
And for jvb you can add org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
in the properties file.


Hi!

I do apologize. I’m snowed under here and I couldn’t answer before. Eventually, I managed to fix the problem. Here’s what I did, in case it helps other people.

I’m using OpenJDK Development Kit 8 (JDK) with Hotspot by AdoptOpenJDK and it seems that that package was also upgraded today.

Prosody is using self-signed certificates for auth.myjitsi.domain.com and for call.domain.com and, although the certificates were copied into /usr/share/ca-certificates and I ran update-ca-certificates -f, the JDK didn’t trust the self-signed certificate. I had to manually add it to the JRE keystore:

keytool -importcert -alias auth.jitsi.domain.com -keystore cacerts -file /tmp/auth.der

Afterwards, the JDK began to trust the self-signed certificate and both jicofo and jvb stopped complaining about the certificate. Nevertheless, I’m going to use the settings you told me about to avoid problems the next time I upgrade jitsi.

I truly appreciate your help.

Best wishes,
Jesús Ángel.
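
An added example, not part of any post in this thread and not Jitsi project code: the DISABLE_CERTIFICATE_VERIFICATION property suggested above turns off certificate checking on the bridge's XMPP connection, so this shell function reports where it is still active and can be removed once the certificate has been imported into the JRE keystore. Matching any shard id (not only `shard`), the case-insensitive value comparison, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit Java-properties files for active jvb settings that
# disable XMPP certificate verification. Function names are hypothetical.

find_disabled_cert_verification() {
    # Prints "file:line:key" per finding.
    # Returns 0 if clean, 1 if any finding, 2 on usage error.
    [ "$#" -gt 0 ] || { echo "usage: find_disabled_cert_verification FILE..." >&2; return 2; }
    awk '
        /^[ \t]*[#!]/ { next }            # commented-out property: not active
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sep = match(line, /[=:]/)     # properties allow "=" or ":" separators
            if (sep == 0) next
            key = substr(line, 1, sep - 1)
            val = substr(line, sep + 1)
            gsub(/[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            # Assumption: any shard id may appear where the thread shows "shard";
            # the value is compared case-insensitively to err on the side of flagging.
            if (key ~ /^org\.jitsi\.videobridge\.xmpp\.user\.[^.]+\.DISABLE_CERTIFICATE_VERIFICATION$/ &&
                tolower(val) == "true") {
                printf "%s:%d:%s\n", FILENAME, FNR, key
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

write_sample_properties() {
    # Constructed sample input, not a real configuration.
    cat > "$1" <<'EOF'
# constructed sample
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
#org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION = True
org.jitsi.videobridge.xmpp.user.shard2.DISABLE_CERTIFICATE_VERIFICATION=false
EOF
}
```

Pass it the jvb properties file the thread refers to; a non-zero exit status makes it usable as a post-upgrade check.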

Yep, problems with certs and that Java version are known …

The thing is that the upgrade did a backup of the old keystore, but the self-signed certificate wasn’t in there either. It’s been quite a long time since I set up this Jitsi server and I don’t remember what I did the first time to get the self-signed certificate to be trusted by jicofo and jvb.

Anyway, now that I have applied the config you suggested to avoid the certificate validation, I hope the problem won’t arise again.

I am most grateful for your assistance to fix this issue.

I am also seeing the problem with Debian 10 (buster) and openjdk-11-jre-headless:amd64 11.0.12+7-2~deb10u1. Is there an OpenJDK version that the problem does not occur with?

Your version works well. You probably have another problem unrelated to the Java version.

I created a separate topic: `XmppProviderImpl.doConnect#225: Failed to connect/login: javax.net.ssl.SSLHandshakeException: PKIX path building failed: […] unable to find valid certification path to requested target`