Jitsi with Nginx doesn't resolve http-01 ACME challenge

Hello folks!

I’ve been trying to install Jitsi on an Ubuntu 22.04 instance hosted on Oracle Cloud, but I’ve been having difficulties with this. I hope to have your support.

I managed to do the entire installation but when I try to use certbot I get the error below:
"You need to agree to the ACME server’s Subscriber Agreement
by providing an email address for important account notifications
Enter your email and press [ENTER]: jorgeaugustorc@gmail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for voice.temtrampo.com.br
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification…
Challenge failed for domain voice.temtrampo.com.br
http-01 challenge for voice.temtrampo.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: voice.temtrampo.com.br
    Type: connection
    Detail: Fetching
    http://voice.temtrampo.com.br/.well-known/acme-challenge/tIFDTpwEYyffHgtSfYdaGLo-zbIeZSEXf-FNZX1a9c8:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided."

Below is the netstat output:
root@voice:~# netstat -nap | grep 80
tcp 0 0 0.0.0.0:5280 0.0.0.0:* LISTEN 7110/lua5.2
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5090/nginx: master
tcp 0 0 10.0.0.142:42106 169.254.169.254:80 ESTABLISHED 21460/gomon
tcp6 0 0 :::5280 :::* LISTEN 7110/lua5.2
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 7114/java
tcp6 0 0 :::80 :::* LISTEN 5090/nginx: master

root@voice:~# netstat -nap | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5090/nginx: master
tcp6 0 0 :::443 :::* LISTEN 5090/nginx: master

Below are the ufw rules:

The problem seems to be that I somehow have port 80 blocked for the ACME-HTTP-01 challenge, and I have no idea why.

Within this same VCN I have another server that responds on ports 80 and 443 normally; I believe it is a local problem on this machine.

Can you help me?

This not-yet-officially-released OS is not fully supported for Jitsi-meet installation, as it looks very likely that it will not include Coturn, an important component of Jitsi-meet.

This assumes that your server can be accessed on port 80. Some cloud providers include a firewall that you have to configure to allow input for any port (except one allowed implicitly for management, often SSH, port 22).

gpatel-fr, thanks for the help!

I allowed the ports as shown below:

In this case, what would be the best version?

If there is no external JVB or Jibri, you only need to open

  • TCP/80
  • TCP/443
  • UDP/10000

If there are external JVBs or Jibris, add

  • TCP/5222

Debian 11 Bullseye or Ubuntu 20.04

Emrah, thanks for the reply!

I redid a new instance with version 20.04 of Ubuntu, but I still have the same error.

It seems to me that the refusal of the HTTP connection happens because of Nginx. See the screenshot below:

In the screenshot it is possible to see that HTTP is refused, but it informs that the IP certificate is currently a self-signed certificate.

Since the problem happens while running certbot and while installing Jitsi, I decided to go with a self-signed certificate. But I have no idea why Nginx might be refusing this connection.

AFAIK LetsEncrypt does not create a certificate for an IP. Can you try to install using an FQDN?

I don’t know your firewall, but it’s a bit strange that port 22 is shown as ‘stateless=yes’ and it should work because you are connecting to your server, while the other ports are shown as ‘stateless=no’. What happens if you switch ports 80 and 443 to yes ?
Edit: darn these double negations are confusing :-/

@gpatel-fr

Just in case I changed the policies to stateless as requested, but it didn’t change the problem.

I have another server that is under the same Firewall policies and it works perfectly:
https://temtrampo.com.br

Letsencrypt requires an FQDN.

Same reason as above.

If you install it using this installer, it will inform you about the problem.

Sorry for my possible lack of knowledge. But wouldn’t the DNS Record A voice.temtrampo.com.br solve this problem?

Yes, the FQDN is fine, but the screenshot you shared above shows you were using an IP address.
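A pre-flight script for the two failure modes discussed in this thread (hostname set to an IP instead of an FQDN, and the webroot challenge path not reachable on port 80). This is an added example, not a script from the thread or from Jitsi; it assumes it runs as root on the Jitsi host with curl, ss and getent available, and that the webroot is the path certbot reported above.

```shell
#!/bin/sh
# Added pre-flight check for the certbot webroot (http-01) flow from the thread.
# Assumptions (not from the thread): run as root on the Jitsi host; curl, ss and
# getent are installed; WEBROOT is the path certbot reported using.
WEBROOT="${WEBROOT:-/usr/share/jitsi-meet}"

# 0 if the name is a DNS name, 1 if it is bare or an IPv4 literal: Let's Encrypt
# will not issue for an IP, which is what happened when hostname held the address.
is_fqdn() {
  case "$1" in *.*) ;; *) return 1 ;; esac
  if printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then return 1; fi
  return 0
}

# Does the A record the ACME server will look up point at this instance?
dns_matches() {   # $1 = name, $2 = expected public IP
  [ "$(getent ahostsv4 "$1" | awk '{print $1; exit}')" = "$2" ]
}

# Is anything bound to TCP/80 (nginx in the netstat output above)?
port80_listening() {
  ss -ltn | awk '{print $4}' | grep -Eq '(^|:)80$'
}

# Drop a throwaway token into the challenge directory and fetch it over plain
# HTTP the way the ACME server would; clean up whatever the outcome.
webroot_selftest() {   # $1 = name
  dir="$WEBROOT/.well-known/acme-challenge"; token="selftest-$$"
  mkdir -p "$dir" && printf 'ok\n' > "$dir/$token" || return 1
  body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token")
  rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$body" = "ok" ]
}

if [ "${1:-}" = "run" ]; then
  host=$(hostname -f); pub="${2:?usage: $0 run <public-ip>}"
  is_fqdn "$host" || { echo "FAIL: hostname '$host' is not an FQDN (check /etc/hostname, /etc/hosts)"; exit 1; }
  dns_matches "$host" "$pub" || { echo "FAIL: A record for $host does not point at $pub"; exit 1; }
  port80_listening || { echo "FAIL: nothing listening on TCP/80"; exit 1; }
  webroot_selftest "$host" || { echo "FAIL: challenge path not served from $WEBROOT (nginx config or firewall)"; exit 1; }
  echo "OK: http-01 prerequisites look good for $host"
fi
```

Run it as `sh acme-preflight.sh run <public-ip>`. The curl step runs from the host itself, so it proves nginx serves the path but not that the cloud security list admits inbound TCP/80; confirm that by fetching the same URL from outside the VCN.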

@Freddie
Thanks for the help, after changing /etc/hosts and /etc/hostname to the same name, certbot worked and I have my Jitsi server now!

Excellent!

Unfortunately new problems have arisen, when I try to connect to the conference I get this screen:

Also follow the error logs:
<stream.error></stream:error>
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:981)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:913)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:936)
at java.base/java.lang.Thread.run(Thread.java:833)
Jicofo 2022-04-17 19:42:38.524 SEVERE: [59] [xmpp_connection=client] XmppProviderImpl$XmppConnectionListener.connectionClosedOnError#380: XMPP connection closed on error: connection-timeout You can read more about the meaning of this stream error at //xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:error</stream:error>
Jicofo 2022-04-17 19:42:39.524 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 12
Jicofo 2022-04-17 19:42:40.525 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 11
Jicofo 2022-04-17 19:42:41.525 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 10
Jicofo 2022-04-17 19:42:42.526 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 9
Jicofo 2022-04-17 19:42:43.526 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 8
Jicofo 2022-04-17 19:42:44.526 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 7
Jicofo 2022-04-17 19:42:45.527 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 6
Jicofo 2022-04-17 19:42:46.527 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 5
Jicofo 2022-04-17 19:42:47.528 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 4
Jicofo 2022-04-17 19:42:48.528 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 3
Jicofo 2022-04-17 19:42:49.529 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 2
Jicofo 2022-04-17 19:42:50.529 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 1
Jicofo 2022-04-17 19:42:51.530 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 0
Jicofo 2022-04-17 19:42:51.530 INFO: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectingIn#400: XMPP reconnecting in: 0
Jicofo 2022-04-17 19:42:51.559 SEVERE: [60] [xmpp_connection=client] XmppProviderImpl$XmppReConnectionListener.reconnectionFailed#406: XMPP reconnection failed: SASLError using SCRAM-SHA-1: not-authorized

You have a wrong password somewhere. Check Jicofo and prosody.

@Freddie
Where can I check this information?

If you followed the quick install for Debian, you should definitely not get this error message as the installer takes care of that. If you want to try to fix it instead of zapping and installing again, the Jicofo password is stored in the /etc/jitsi/jicofo/config file (JICOFO_AUTH_PASSWORD=)
You can reset the prosody password for the ‘focus’ user with prosodyctl (sudo prosodyctl register) - you can’t see the prosody passwords, they are (normally) encoded.
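The re-sync described above, as an added example that is not part of the thread or of the Jitsi packages: it reads the password Jicofo is configured to send and re-registers the focus user in Prosody with it. It assumes the /etc/jitsi/jicofo/config file and JICOFO_AUTH_PASSWORD= key named above, that the same file may also carry JICOFO_AUTH_USER= and JICOFO_AUTH_DOMAIN= (falling back to focus and auth.<domain>, the layout the Jitsi quick-install creates), and that it runs as root on the Jitsi host.

```shell
#!/bin/sh
# Added example (not from the thread): re-sync the Jicofo XMPP password with
# Prosody after "SASLError using SCRAM-SHA-1: not-authorized".
# Assumptions: the /etc/jitsi/jicofo/config file and JICOFO_AUTH_PASSWORD= key
# named above; JICOFO_AUTH_USER= / JICOFO_AUTH_DOMAIN= in the same file, with
# focus / auth.<domain> as fallbacks; run as root on the Jitsi host.
JICOFO_CONFIG="${JICOFO_CONFIG:-/etc/jitsi/jicofo/config}"

# Print the value of KEY=value from a shell-style config, stripping double quotes.
config_value() {   # $1 = file, $2 = key
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Re-register the focus user with the password Jicofo is configured to send,
# so both sides agree, then restart Jicofo so it reconnects immediately.
resync_focus_password() {   # $1 = Jitsi domain (the FQDN certbot was run for)
  pw=$(config_value "$JICOFO_CONFIG" JICOFO_AUTH_PASSWORD)
  [ -n "$pw" ] || { echo "JICOFO_AUTH_PASSWORD not set in $JICOFO_CONFIG" >&2; return 1; }
  user=$(config_value "$JICOFO_CONFIG" JICOFO_AUTH_USER);     user="${user:-focus}"
  authhost=$(config_value "$JICOFO_CONFIG" JICOFO_AUTH_DOMAIN); authhost="${authhost:-auth.$1}"
  # prosodyctl register USER HOST PASSWORD, as the reply above suggests
  prosodyctl register "$user" "$authhost" "$pw" && systemctl restart jicofo
}

if [ "${1:-}" = "run" ]; then
  resync_focus_password "${2:?usage: $0 run <jitsi-domain>}"
fi
```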