[jitsi-users] jitsi meet broken after upgrade to jitsi-* 1.0.2635-1 on Debian GNU/Linux 9.2 (stretch)


#1

hi,

after i upgraded to jitsi-* 1.0.2635-1 we are unable to create new
meetings (creating a new meeting requires user's authentication by means
of authdomain: .. at out site)

this used to work fine before the upgrade but now the login box is
displayed over and over again.

/var/log/jitsi/jicofo.log states:

Jicofo 2017-12-08 09:10:01.441 WARNING: [368]
org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener()
Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

so i assume that at least one ca-cert is missing now. searching the
internet i found some hints which were not really helpful.

i would greatly appreciate any hint on how to fix this issue in order to
overcome the less of service.

thanks in advance, gustav


#2

Hi,
Did jitsi-meet-prosody package got updated? This is the one responsible for
doing the migration and fixing this problem.

You can also check the manual installation doc and check/execute everything
about auth.jitsi.example.com, the prosody config, make sure you restart
prosody if you make a change.
https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md

But first make sure you have updated version of jitsi-meet-prosody.

Regards
damencho

···

On Dec 8, 2017 02:19, "gustav spellauge" <Gustav.Spellauge@softing.com> wrote:

hi,

after i upgraded to jitsi-* 1.0.2635-1 we are unable to create new
meetings (creating a new meeting requires user's authentication by means
of authdomain: .. at out site)

this used to work fine before the upgrade but now the login box is
displayed over and over again.

/var/log/jitsi/jicofo.log states:

Jicofo 2017-12-08 09:10:01.441 WARNING: [368]
org.jivesoftware.smack.AbstractXMPPConnection.
callConnectionClosedOnErrorListener()
Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

so i assume that at least one ca-cert is missing now. searching the
internet i found some hints which were not really helpful.

i would greatly appreciate any hint on how to fix this issue in order to
overcome the less of service.

thanks in advance, gustav

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

No, it's not correct. You have an old jitsi-meet-prosody version.
Without any manual steps doing apt-get install jitsi-meet-prosody will fix
your problem, but if you have already done the prosodyctl command you need
to finish the manual steps, or you can mess up the certs on the system, it
can be fixed, but to save you some pain.

···

On Dec 8, 2017 08:35, "gustav spellauge" <Gustav.Spellauge@softing.com> wrote:

hi and thanks for your answer (sorry, i missed your answer to the list)

installed versions are:

pkg -l | grep jitsi
rc jitsi-archive-keyring 1.0.1
all The public key for the Jitsi packages repository
ii jitsi-meet 1.0.2635-1
all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.2441-1
all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.2441-1
all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.2441-1
all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 1011-1
amd64 WebRTC compatible Selective Forwarding Unit (SFU)

which i feel is ok.

so i think, i've to execute

1.prosodyctl register focus auth.jitsi.example.com YOURSECRET3

2../jicofo.sh --host=localhost --domain=jitsi.example.com
--secret=YOURSECRET2 --user_domain=auth.jitsi.example.com
--user_name=focus --user_password=YOURSECRET3

with jitsi.example.com replace by me server's name right.

i can retrieve YOURSECRET2 from
/etc/prosody/conf.avail/jitsi.example.com.cfg.lua, but what about
YOURSECRET3? is it sufficient that it is the same in both steps or is it
shared with any other component?

regards, gustav

Am 12/08/2017 um 02:37 PM schrieb Damian Minkov:
> Hi,
> Did jitsi-meet-prosody package got updated? This is the one responsible
for
> doing the migration and fixing this problem.
>
> You can also check the manual installation doc and check/execute
everything
> about auth.jitsi.example.com, the prosody config, make sure you restart
> prosody if you make a change.
> https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
>
> But first make sure you have updated version of jitsi-meet-prosody.
>
> Regards
> damencho
>
> On Dec 8, 2017 02:19, "gustav spellauge" <Gustav.Spellauge@softing.com> > > wrote:
>
>> hi,
>>
>> after i upgraded to jitsi-* 1.0.2635-1 we are unable to create new
>> meetings (creating a new meeting requires user's authentication by means
>> of authdomain: .. at out site)
>>
>> this used to work fine before the upgrade but now the login box is
>> displayed over and over again.
>>
>> /var/log/jitsi/jicofo.log states:
>>
>> Jicofo 2017-12-08 09:10:01.441 WARNING: [368]
>> org.jivesoftware.smack.AbstractXMPPConnection.
>> callConnectionClosedOnErrorListener()
>> Connection XMPPTCPConnection[not-authenticated] (0) closed with error
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>> so i assume that at least one ca-cert is missing now. searching the
>> internet i found some hints which were not really helpful.
>>
>> i would greatly appreciate any hint on how to fix this issue in order to
>> overcome the less of service.
>>
>> thanks in advance, gustav
>>
>>
>> _______________________________________________
>> users mailing list
>> users@jitsi.org
>> Unsubscribe instructions and other list options:
>> http://lists.jitsi.org/mailman/listinfo/users
>
>
> _______________________________________________
> users mailing list
> users@jitsi.org
> Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users


#4

The manual steps are to make sure you have this in your prosody config:

VirtualHost "auth.jitsi.example.com"
    ssl = {
        key = "/var/lib/prosody/auth.jitsi.example.com.key";
        certificate = "/var/lib/prosody/auth.jitsi.example.com.crt";
    }
    authentication = "internal_plain"

And then:

prosodyctl cert generate auth.jitsi.example.com

ln -sf /var/lib/prosody/auth.jitsi.example.com.crt
/usr/local/share/ca-certificates/auth.jitsi.example.com.crt
update-ca-certificates

And that's it, then you can continue using it as installed from the
debian packages, using init.d scripts.

···

On Fri, Dec 8, 2017 at 8:39 AM, Damian Minkov <damencho@jitsi.org> wrote:

No, it's not correct. You have an old jitsi-meet-prosody version.
Without any manual steps doing apt-get install jitsi-meet-prosody will fix
your problem, but if you have already done the prosodyctl command you need
to finish the manual steps, or you can mess up the certs on the system, it
can be fixed, but to save you some pain.

On Dec 8, 2017 08:35, "gustav spellauge" <Gustav.Spellauge@softing.com> > wrote:

hi and thanks for your answer (sorry, i missed your answer to the list)

installed versions are:

pkg -l | grep jitsi
rc jitsi-archive-keyring 1.0.1
all The public key for the Jitsi packages repository
ii jitsi-meet 1.0.2635-1
all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.2441-1
all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.2441-1
all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.2441-1
all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 1011-1
amd64 WebRTC compatible Selective Forwarding Unit (SFU)

which i feel is ok.

so i think, i've to execute

1.prosodyctl register focus auth.jitsi.example.com YOURSECRET3

2../jicofo.sh --host=localhost --domain=jitsi.example.com
--secret=YOURSECRET2 --user_domain=auth.jitsi.example.com
--user_name=focus --user_password=YOURSECRET3

with jitsi.example.com replace by me server's name right.

i can retrieve YOURSECRET2 from
/etc/prosody/conf.avail/jitsi.example.com.cfg.lua, but what about
YOURSECRET3? is it sufficient that it is the same in both steps or is it
shared with any other component?

regards, gustav

Am 12/08/2017 um 02:37 PM schrieb Damian Minkov:
> Hi,
> Did jitsi-meet-prosody package got updated? This is the one responsible
for
> doing the migration and fixing this problem.
>
> You can also check the manual installation doc and check/execute
everything
> about auth.jitsi.example.com, the prosody config, make sure you restart
> prosody if you make a change.
> https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
>
> But first make sure you have updated version of jitsi-meet-prosody.
>
> Regards
> damencho
>
> On Dec 8, 2017 02:19, "gustav spellauge" <Gustav.Spellauge@softing.com> >> > wrote:
>
>> hi,
>>
>> after i upgraded to jitsi-* 1.0.2635-1 we are unable to create new
>> meetings (creating a new meeting requires user's authentication by
means
>> of authdomain: .. at out site)
>>
>> this used to work fine before the upgrade but now the login box is
>> displayed over and over again.
>>
>> /var/log/jitsi/jicofo.log states:
>>
>> Jicofo 2017-12-08 09:10:01.441 WARNING: [368]
>> org.jivesoftware.smack.AbstractXMPPConnection.
>> callConnectionClosedOnErrorListener()
>> Connection XMPPTCPConnection[not-authenticated] (0) closed with error
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>> so i assume that at least one ca-cert is missing now. searching the
>> internet i found some hints which were not really helpful.
>>
>> i would greatly appreciate any hint on how to fix this issue in order
to
>> overcome the less of service.
>>
>> thanks in advance, gustav
>>
>>
>> _______________________________________________
>> users mailing list
>> users@jitsi.org
>> Unsubscribe instructions and other list options:
>> http://lists.jitsi.org/mailman/listinfo/users
>
>
> _______________________________________________
> users mailing list
> users@jitsi.org
> Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users


#5

Hi again,

I'm wondering how did you upgrade, what command did you use?

Wondering, how it is possible upgrading jitsi-meet to not upgrade
jitsi-meet-prosody, as it depends on an exact version of it.
And by the way I see "ii jitsi-meet-web 1.0.2441-1"
which holds the actual jitsi-meet js app and this is not updated. The
jitsi-meet package is just a meta package which depends on some exact
package versions:
https://github.com/jitsi/jitsi-meet-debian-meta/blob/master/control-tmpl#L12

Thanks
damencho

···

On Fri, Dec 8, 2017 at 9:17 AM, Damian Minkov <damencho@jitsi.org> wrote:

The manual steps are to make sure you have this in your prosody config:

VirtualHost "auth.jitsi.example.com"
    ssl = {
        key = "/var/lib/prosody/auth.jitsi.example.com.key";
        certificate = "/var/lib/prosody/auth.jitsi.example.com.crt";
    }
    authentication = "internal_plain"

And then:

prosodyctl cert generate auth.jitsi.example.com

ln -sf /var/lib/prosody/auth.jitsi.example.com.crt /usr/local/share/ca-certificates/auth.jitsi.example.com.crt
update-ca-certificates

And that's it, then you can continue using it as installed from the
debian packages, using init.d scripts.

On Fri, Dec 8, 2017 at 8:39 AM, Damian Minkov <damencho@jitsi.org> wrote:

No, it's not correct. You have an old jitsi-meet-prosody version.
Without any manual steps doing apt-get install jitsi-meet-prosody will
fix your problem, but if you have already done the prosodyctl command you
need to finish the manual steps, or you can mess up the certs on the
system, it can be fixed, but to save you some pain.

On Dec 8, 2017 08:35, "gustav spellauge" <Gustav.Spellauge@softing.com> >> wrote:

hi and thanks for your answer (sorry, i missed your answer to the list)

installed versions are:

pkg -l | grep jitsi
rc jitsi-archive-keyring 1.0.1
all The public key for the Jitsi packages repository
ii jitsi-meet 1.0.2635-1
all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.2441-1
all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.2441-1
all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.2441-1
all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 1011-1
amd64 WebRTC compatible Selective Forwarding Unit (SFU)

which i feel is ok.

so i think, i've to execute

1.prosodyctl register focus auth.jitsi.example.com YOURSECRET3

2../jicofo.sh --host=localhost --domain=jitsi.example.com
--secret=YOURSECRET2 --user_domain=auth.jitsi.example.com
--user_name=focus --user_password=YOURSECRET3

with jitsi.example.com replace by me server's name right.

i can retrieve YOURSECRET2 from
/etc/prosody/conf.avail/jitsi.example.com.cfg.lua, but what about
YOURSECRET3? is it sufficient that it is the same in both steps or is it
shared with any other component?

regards, gustav

Am 12/08/2017 um 02:37 PM schrieb Damian Minkov:
> Hi,
> Did jitsi-meet-prosody package got updated? This is the one
responsible for
> doing the migration and fixing this problem.
>
> You can also check the manual installation doc and check/execute
everything
> about auth.jitsi.example.com, the prosody config, make sure you
restart
> prosody if you make a change.
> https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
>
> But first make sure you have updated version of jitsi-meet-prosody.
>
> Regards
> damencho
>
> On Dec 8, 2017 02:19, "gustav spellauge" <Gustav.Spellauge@softing.com >>> > >>> > wrote:
>
>> hi,
>>
>> after i upgraded to jitsi-* 1.0.2635-1 we are unable to create new
>> meetings (creating a new meeting requires user's authentication by
means
>> of authdomain: .. at out site)
>>
>> this used to work fine before the upgrade but now the login box is
>> displayed over and over again.
>>
>> /var/log/jitsi/jicofo.log states:
>>
>> Jicofo 2017-12-08 09:10:01.441 WARNING: [368]
>> org.jivesoftware.smack.AbstractXMPPConnection.
>> callConnectionClosedOnErrorListener()
>> Connection XMPPTCPConnection[not-authenticated] (0) closed with error
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>> so i assume that at least one ca-cert is missing now. searching the
>> internet i found some hints which were not really helpful.
>>
>> i would greatly appreciate any hint on how to fix this issue in order
to
>> overcome the less of service.
>>
>> thanks in advance, gustav
>>
>>
>> _______________________________________________
>> users mailing list
>> users@jitsi.org
>> Unsubscribe instructions and other list options:
>> http://lists.jitsi.org/mailman/listinfo/users
>
>
> _______________________________________________
> users mailing list
> users@jitsi.org
> Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users


#6

I know we have another problem here, and it is that I need to be more
careful writing emails before getting some coffee.
Yep having jitsi-meet 1.0.2635-1 (the meta package version) and its
corresponding jitsi-meet-web 1.0.2441-1 is fine and this is how it is
supposed to be.

Doing those things twice can result overridden certificate in
/usr/local/share/ca-certificates/ which is a problem cause the java
trusstore is not updating this correctly.
So the solution is back up /etc/ssl/certs/java just in case anything
goes wrong and force run update-ca-certificates.
Not sure why running the command will fix it.

···

On Fri, Dec 8, 2017 at 11:13 AM, gustav spellauge <Gustav.Spellauge@softing.com> wrote:

thanks, damencho!

update was done by
apt-get -y update
apt-get -y upgrade

leaving the system in the state i showed you.

upgrade to unstable ( deb https://download.jitsi.org unstable/ ) resulted in

dpkg -l|grep jitsi
rc jitsi-archive-keyring 1.0.1
all The public key for the Jitsi packages repository
ii jitsi-meet 1.0.2690-1
all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.2493-1
all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.2493-1
all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.2493-1
all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 1015-1
amd64 WebRTC compatible Selective Forwarding Unit (SFU)

and the issue remains, but that could be because i perforemed the two
steps specified in my last mail.
the strage thing is: if i start jicofo by hand (after service jicofo
stop) using

./jicofo.sh --host=localhost --domain=jitsi.example.com
--secret=YOURSECRET2 --user_domain=auth.jitsi.example.com
--user_name=focus --user_password=YOURSECRET3 as specified in
https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
everything seems to work fine which terminated the
'loss-of-service-state'. i know, it's a workaround but at least
jitsi-meet seems to work now. will have a closer look at it on monday.
thanks again & regards, gustav ps.: apt-get install jitsi-meet-prosody
did not change anything.

Am 12/08/2017 um 04:34 PM schrieb Damian Minkov:

Hi again,

I'm wondering how did you upgrade, what command did you use?

Wondering, how it is possible upgrading jitsi-meet to not upgrade
jitsi-meet-prosody, as it depends on an exact version of it.
And by the way I see "ii jitsi-meet-web 1.0.2441-1"
which holds the actual jitsi-meet js app and this is not updated. The
jitsi-meet package is just a meta package which depends on some exact
package versions:
https://github.com/jitsi/jitsi-meet-debian-meta/blob/master/control-tmpl#L12

Thanks
damencho

On Fri, Dec 8, 2017 at 9:17 AM, Damian Minkov <damencho@jitsi.org> wrote:

The manual steps are to make sure you have this in your prosody config:

VirtualHost "auth.jitsi.example.com"
    ssl = {
        key = "/var/lib/prosody/auth.jitsi.example.com.key";
        certificate = "/var/lib/prosody/auth.jitsi.example.com.crt";
    }
    authentication = "internal_plain"

And then:

prosodyctl cert generate auth.jitsi.example.com

ln -sf /var/lib/prosody/auth.jitsi.example.com.crt /usr/local/share/ca-certificates/auth.jitsi.example.com.crt
update-ca-certificates

And that's it, then you can continue using it as installed from the
debian packages, using init.d scripts.

On Fri, Dec 8, 2017 at 8:39 AM, Damian Minkov <damencho@jitsi.org> wrote:

No, it's not correct. You have an old jitsi-meet-prosody version.
Without any manual steps doing apt-get install jitsi-meet-prosody will
fix your problem, but if you have already done the prosodyctl command you
need to finish the manual steps, or you can mess up the certs on the
system, it can be fixed, but to save you some pain.

On Dec 8, 2017 08:35, "gustav spellauge" <Gustav.Spellauge@softing.com> >>>> wrote:

hi and thanks for your answer (sorry, i missed your answer to the list)

installed versions are:

pkg -l | grep jitsi
rc jitsi-archive-keyring 1.0.1
all The public key for the Jitsi packages repository
ii jitsi-meet 1.0.2635-1
all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.2441-1
all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.2441-1
all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.2441-1
all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 1011-1
amd64 WebRTC compatible Selective Forwarding Unit (SFU)

which i feel is ok.

so i think, i've to execute

1.prosodyctl register focus auth.jitsi.example.com YOURSECRET3

2../jicofo.sh --host=localhost --domain=jitsi.example.com
--secret=YOURSECRET2 --user_domain=auth.jitsi.example.com
--user_name=focus --user_password=YOURSECRET3

with jitsi.example.com replace by me server's name right.

i can retrieve YOURSECRET2 from
/etc/prosody/conf.avail/jitsi.example.com.cfg.lua, but what about
YOURSECRET3? is it sufficient that it is the same in both steps or is it
shared with any other component?

regards, gustav

Am 12/08/2017 um 02:37 PM schrieb Damian Minkov:

Hi,
Did jitsi-meet-prosody package got updated? This is the one

responsible for

doing the migration and fixing this problem.

You can also check the manual installation doc and check/execute

everything

about auth.jitsi.example.com, the prosody config, make sure you

restart

prosody if you make a change.
https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md

But first make sure you have updated version of jitsi-meet-prosody.

Regards
damencho

On Dec 8, 2017 02:19, "gustav spellauge" <Gustav.Spellauge@softing.com >>>>>> >>>>>> wrote:

hi,

after i upgraded to jitsi-* 1.0.2635-1 we are unable to create new
meetings (creating a new meeting requires user's authentication by

means

of authdomain: .. at out site)

this used to work fine before the upgrade but now the login box is
displayed over and over again.

/var/log/jitsi/jicofo.log states:

Jicofo 2017-12-08 09:10:01.441 WARNING: [368]
org.jivesoftware.smack.AbstractXMPPConnection.
callConnectionClosedOnErrorListener()
Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

so i assume that at least one ca-cert is missing now. searching the
internet i found some hints which were not really helpful.

i would greatly appreciate any hint on how to fix this issue in order

to

overcome the less of service.

thanks in advance, gustav

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users