[jitsi-users] Certificate Issues with jicofo


#1

Hi there!

I have installed jitsi-meet (based on Prosody/Apache) on my Ubuntu machine and somewhat got it running. However, I noticed that whenever I start the jicofo daemon, the log file of prosody, /var/log/prosody/prosody.log, gets filled periodically with the message

Jan 24 16:39:04 c2s5560e3e067b0 info Client connected
Jan 24 16:39:04 c2s5560e3e067b0 info Client disconnected: ssl handshake error: sslv3 alert certificate unknown
Jan 24 16:39:09 c2s5560e3fc5930 info Client connected
...
and so on

It stops when I terminate the jicofo daemon and indeed, /var/log/jitsi/jicofo.log contains many copies of the message:

Jicofo 2018-01-24 18:52:32.339 WARNING: [56] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
...

So I believe those are related. However, I do not understand what this means in particular. I am using the automatically-generated self-signed certificates for my domains auth.jitsi.example.com and focus.jitsi.example.com and both should be added to the trusted certificate list. What could I have done wrong?

These are my configurations:

prosody:

-----------------------------------------------------------------
Component "conference.jitsi.example.com" "muc"
    storage = "null"
    --modules_enabled = { "token_verification" }
    admins = { "focus@auth.jitsi.example.com" }

Component "jitsi-videobridge.jitsi.example.com"
    component_secret = "32LArB6Y"

VirtualHost "auth.jitsi.example.com"
    ssl = {
        key = "/etc/prosody/certs/auth.jitsi.example.com.key";
        certificate = "/etc/prosody/certs/auth.jitsi.example.com.crt";
    }
    authentication = "internal_plain"

Component "focus.jitsi.example.com"
    component_secret = "ioaXCVK6"
    ssl = {
        certificate = "/etc/prosody/certs/focus.jitsi.example.com.crt";
        key = "/etc/prosody/certs/focus.jitsi.example.com.key";
    }
--------------------------------------------------------------------

jicofo
--------------------------------------------------------------------
# Jitsi Conference Focus settings
# sets the host name of the XMPP server
JICOFO_HOST=localhost

# sets the XMPP domain (default: none)
JICOFO_HOSTNAME=jitsi.example.com

# sets the secret used to authenticate as an XMPP component
JICOFO_SECRET=ioaXCVK6

# sets the port to use for the XMPP component connection
JICOFO_PORT=5347

# sets the XMPP domain name to use for XMPP user logins
JICOFO_AUTH_DOMAIN=auth.jitsi.example.com

# sets the username to use for XMPP user logins
JICOFO_AUTH_USER=focus

# sets the password to use for XMPP user logins
JICOFO_AUTH_PASSWORD=MBrIpJjj

# extra options to pass to the jicofo daemon
JICOFO_OPTS=""

# adds java system props that are passed to jicofo (default are for home and logging config file)
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"
---------------------------------------------------------------------------------------------------------------------------

Any help would be highly appreciated!

Kind regards,
HV


#2

Hi there!

Sorry for the possible double posting. I am facing a problem with my jitsi-meet configuration.

Any help would be highly appreciated!

Kind regards,
HV


#3

Hi,

You need to have /etc/prosody/certs/auth.jitsi.example.com.crt in
/usr/local/share/ca-certificates/. If the file is already there try
running 'update-ca-certificates -f' and see whether this changes
anything?
Are you running using openjdk8?

Regards
damencho

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#4

Hello,

Wow, that "-f" to the update-ca-certificates did the trick, I haven't tried that before. Thank you so much for that swift and helpful answer!

Kind regards,
HV



#5

Yep, it forces re-creating symlinks, basically. If you override a cert
in /usr/local/share/ca-certificates/ and you do
update-ca-certificates, the cert does not end up in the store used by
java, but forcing it fixes it.
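
Added example, not part of the original thread: a check for the condition the replies describe, namely whether a certificate actually ended up in the trust store that Java reads. It assumes the store is in JKS format and defaults to /etc/ssl/certs/java/cacerts, the usual Debian/Ubuntu location (neither detail is stated in the thread); the function names are illustrative.

```python
# Added example (not from the thread): is a PEM certificate a trust anchor in a
# JKS-format Java truststore? The default store path below is an assumption.
import base64
import hashlib
import struct
import sys


def pem_fingerprint(pem_text):
    """SHA-256 (hex) of the DER bytes of the first certificate in pem_text."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def jks_trusted_fingerprints(data):
    """Map alias -> SHA-256 (hex) per trusted entry; integrity digest unchecked."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != 0xFEEDFEED:  # JKS magic number
        raise ValueError("not a JKS keystore (a PKCS#12 store needs keytool)")
    pos = 12

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated keystore")
        pos += n
        return data[pos - n:pos]

    def take_utf():
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8", "replace")

    def take_cert():
        if version == 2:
            take_utf()  # certificate type string, e.g. "X.509"
        return take(struct.unpack(">I", take(4))[0])

    found = {}
    for _ in range(count):
        tag = struct.unpack(">I", take(4))[0]
        alias = take_utf()
        take(8)  # creation timestamp
        if tag == 1:  # private-key entry: skip the key blob and its chain
            take(struct.unpack(">I", take(4))[0])
            for _c in range(struct.unpack(">I", take(4))[0]):
                take_cert()
        elif tag == 2:  # trusted-certificate entry
            found[alias] = hashlib.sha256(take_cert()).hexdigest()
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return found


def trusted_aliases(pem_text, keystore_bytes):
    """Aliases under which the certificate is trusted; empty list if absent."""
    wanted = pem_fingerprint(pem_text)
    return sorted(a for a, fp in jks_trusted_fingerprints(keystore_bytes).items() if fp == wanted)


if __name__ == "__main__":  # usage: script CERT.pem [TRUSTSTORE]
    store_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssl/certs/java/cacerts"
    with open(sys.argv[1]) as c, open(store_path, "rb") as s:
        hits = trusted_aliases(c.read(), s.read())
    print("trusted as: " + ", ".join(hits) if hits else "NOT in Java truststore")
```

Run it against the certificate before and after 'update-ca-certificates -f'; an empty result beforehand corresponds to the "Path does not chain with any of the trust anchors" error in jicofo.log.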
