JWT token authentication broken on debian 10 with openssl 1.1

Hi everyone,

I followed the instructions to set up token based authentication (https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md without success.

  1. Installation of jitsi-meet-tokens

  2. Konfiguration of prosody

  3. Restarting prosody for the changes to take effect

  4. Checking the prosody log file (prosody.err)
    Apr 07 12:05:45 modulemanager error Error initializing module 'token_verification' on 'conference.test-server.MYDOMAIN': /usr/lib/prosody/util/startup.lua:144: module 'basexx' not found:No LuaRocks module found for basexx no field package.preload['basexx'] no file '/usr/lib/prosody/basexx.lua' no file '/usr/local/share/lua/5.2/basexx.lua' no file '/usr/local/share/lua/5.2/basexx/init.lua' no file '/usr/local/lib/lua/5.2/basexx.lua' no file '/usr/local/lib/lua/5.2/basexx/init.lua' no file '/usr/share/lua/5.2/basexx.lua' no file '/usr/share/lua/5.2/basexx/init.lua' no file '/var/lib/prosody/.luarocks/share/lua/5.2/basexx.lua' no file '/var/lib/prosody/.luarocks/share/lua/5.2/basexx/init.lua' no file '/usr/lib/prosody/basexx.so' no file '/usr/local/lib/lua/5.2/basexx.so' no file '/usr/lib/x86_64-linux-gnu/lua/5.2/basexx.so' no file '/usr/lib/lua/5.2/basexx.so' no file '/usr/local/lib/lua/5.2/loadall.so' no file '/var/lib/prosody/.luarocks/lib/lua/5.2/basexx.so' stack traceback: [C]: in function '_real_require' /usr/lib/prosody/util/startup.lua:144: in function 'require' /usr/share/jitsi-meet/prosody-plugins/token/util.lib.lua:4: in main chunk (...tail calls...) ...re/jitsi-meet/prosody-plugins/mod_token_verification.lua:24: in main chunk [C]: in function 'xpcall' /usr/lib/prosody/core/modulemanager.lua:178: in function 'do_load_module' /usr/lib/prosody/core/modulemanager.lua:256: in function 'load' /usr/lib/prosody/core/modulemanager.lua:78: in function '?' /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75> (...tail calls...) /usr/lib/prosody/core/hostmanager.lua:108: in function 'activate' /usr/lib/prosody/core/hostmanager.lua:58: in function '?' /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75> (...tail calls...) /usr/lib/prosody/util/startup.lua:330: in function 'prepare_to_start' /usr/lib/prosody/util/startup.lua:551: in function 'f' /usr/lib/prosody/util/async.lua:139: in function 'func' /usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>

  5. Install the missing module “basexx”
    sudo apt install lua-basexx

  6. Restarting the prosody service and having a look at the log again
    Apr 07 12:07:54 modulemanager error Error initializing module 'auth_token' on 'test-server.MYDOMAIN': /usr/lib/prosody/util/startup.lua:144: module 'luajwtjitsi' not found:No LuaRocks module found for luajwtjitsi no field package.preload['luajwtjitsi'] no file '/usr/lib/prosody/luajwtjitsi.lua' no file '/usr/local/share/lua/5.2/luajwtjitsi.lua' no file '/usr/local/share/lua/5.2/luajwtjitsi/init.lua' no file '/usr/local/lib/lua/5.2/luajwtjitsi.lua' no file '/usr/local/lib/lua/5.2/luajwtjitsi/init.lua' no file '/usr/share/lua/5.2/luajwtjitsi.lua' no file '/usr/share/lua/5.2/luajwtjitsi/init.lua' no file '/var/lib/prosody/.luarocks/share/lua/5.2/luajwtjitsi.lua' no file '/var/lib/prosody/.luarocks/share/lua/5.2/luajwtjitsi/init.lua' no file '/usr/lib/prosody/luajwtjitsi.so' no file '/usr/local/lib/lua/5.2/luajwtjitsi.so' no file '/usr/lib/x86_64-linux-gnu/lua/5.2/luajwtjitsi.so' no file '/usr/lib/lua/5.2/luajwtjitsi.so' no file '/usr/local/lib/lua/5.2/loadall.so' no file '/var/lib/prosody/.luarocks/lib/lua/5.2/luajwtjitsi.so' stack traceback: [C]: in function '_real_require' /usr/lib/prosody/util/startup.lua:144: in function 'require' /usr/share/jitsi-meet/prosody-plugins/token/util.lib.lua:7: in main chunk (...tail calls...) /usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua:8: in main chunk [C]: in function 'xpcall' /usr/lib/prosody/core/modulemanager.lua:178: in function 'do_load_module' /usr/lib/prosody/core/modulemanager.lua:256: in function 'load' /usr/lib/prosody/core/usermanager.lua:67: in function '?' /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75> (...tail calls...) /usr/lib/prosody/core/hostmanager.lua:108: in function 'activate' /usr/lib/prosody/core/hostmanager.lua:58: in function '?' /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75> (...tail calls...) /usr/lib/prosody/util/startup.lua:330: in function 'prepare_to_start' /usr/lib/prosody/util/startup.lua:551: in function 'f' /usr/lib/prosody/util/async.lua:139: in function 'func' /usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>

  7. Install the missing module “luajwtjitsi”
    sudo luarocks install luajwtjitsi
    Installing http s://luarocks.org/luajwtjitsi-1.3-7.rockspec
    Missing dependencies for luajwtjitsi 1.3-7:
    luacrypto >= 0.3.2-1 (not installed)
    lua-cjson >= 2.1.0 (not installed)
    lbase64 >= 20120807-3 (not installed)

    luajwtjitsi 1.3-7 depends on luacrypto >= 0.3.2-1 (not installed)
    Installing http s://luarocks.org/luacrypto-0.3.2-2.src.rock
    gcc -O2 -fPIC -I/usr/include/lua5.2 -c src/lcrypto.c -o src/lcrypto.o -I/usr/include
    src/lcrypto.c:30:10: fatal error: lua.h: No such file or directory
    #include “lua.h”
    ^~~~~~~
    compilation terminated.
    Error: Failed installing dependency: http s://luarocks.org/luacrypto-0.3.2-2.src.rock - Build error: Failed compiling object src/lcrypto.o

Following https://github.com/jitsi/jitsi-meet/issues/2029#issuecomment-334091806 does not help.

There are many post about the incompatibility of luacrypto with openssl version 1.1.

Is there any official fix/workaround for this?

jitsi-meet-prosody/stable,now 1.0.3969-1 all [installed,automatic] 
jitsi-meet-tokens/stable,now 1.0.3969-1 all [installed]
jitsi-meet-web-config/stable,now 1.0.3969-1 all [installed,automatic]
jitsi-meet-web/stable,now 1.0.3969-1 all [installed,automatic]
jitsi-meet/stable,now 2.0.4384-1 all [installed]
jitsi-videobridge2/stable,now 2.1-164-gfdce823f-1 all [installed,automatic]

Maybe also related to the recent switch to lua5.2?

I have exactly the same bugs :confused:

To sum up the problems:

-luacrypto-0.3.2-2.src.rock should not be installed, because it doesn’t work in combination with openssl1.1
-jitsi-meet-tokens doesn’t install all the required dependencies, e.g. lua-basexx
-The installation of luajwtjitsi fails, even if you try to work around the mentioned issues above

Debian 10
Latest jitsi-meet release
Clean installation

Is there a way to make it work?

Hi I got the same Problems and have now found a fix.

I’m using Debian 9 Stretch with prosody backport (0.11.2-1~bpo9+1):

apt install -t stretch-backports prosody

Start with a clean install (run it twice):

apt-get purge jigasi jitsi-meet jitsi-meet-web-config jitsi-meet-prosody jitsi-meet-turnserver jitsi-meet-web jicofo jitsi-videobridge2 prosody

luarocks remove --force basexx
luarocks remove --force lbase64
luarocks remove --force luacrypto
luarocks remove --force lua-cjson
luarocks remove --force luajwtjitsi

I removed lua 5.1 and cheked that luarocks use lua 5.2

apt purge lua5.1
luarocks 

Check for:
CONFIGURATION: Lua version: 5.2

luarocks install basexx
luarocks install lbase64
luarocks install luacrypto

For cjson I compiled my own version:

git clone https://github.com/openresty/lua-cjson
cd lua-cjson

Edit lua_cjson.c (Line 743) and replace lua_objlen with lua_rawlen
lua_objlen is only compatible with 5.1 and was rplaced with lua_rawlen in 5.2

luarocks make

luarocks install luajwtjitsi
apt install jitsi-meet-tokens

Hopfully I don’t miss something, I changed a lot in my tries.

2 Likes

I was having problems with JWT and found your thread. Thanks for posting your solution! I found it very helpful and on point! Thanks again

apt-get install lua5.2-dev should fix your compilation issue.
But probably not your main problem.

Thank you, the steps mentioned by you do work.

On Debian 10 you also have to compile your own version of luacrypto and create a symlink.

git clone https://github.com/evanlabs/luacrypto
cd luacrypto
sudo luarocks make
sudo ln -s /usr/local/lib/lua/crypto.so /usr/local/lib/lua/5.2/crypto.so

The Problem with this solution is that for example after an upgrade of some components everything can easily break again, so not really future proof and kinda messy.

It does but I still get a warning so more or less you also have to compile cjson manually as stated by @manlo above.
lua_cjson.c:743:19: warning: implicit declaration of function ‘lua_objlen’; did you mean ‘lua_len’? [-Wimplicit-function-declaration]
len = lua_objlen(l, -1);
**^~~~~~~~~~**
lua_len

So basically the documentation there is out of date and need rewriting?

Thanks,

I think some rewriting will not be enough.

luacrypto seems to be more or less depricated, at least when you look at the developement activities. luaossl is used as a successor in many projects.

Also the installer for jitsi-meet-tokens doesn’t fetch all the required dependencies (e.g. basexx).

So maybe developement effort is needed in this case to make this future proof and fix the current problems?

I was thinking to integrate JWT but apparently now is not the time to do so :frowning:

By doing the following step by step I was able to manage an installation without errors. With a certain version of lua you can even skip the manual compilation of your own version of lua-cjson.

Prerequisites are a clean installation of Debian 10 and jitsi-meet.

wget https://packages.prosody.im/debian/pool/main/p/prosody-trunk/prosody-trunk_1nightly1253-1~buster_amd64.deb
sudo apt install lua5.1
sudo dpkg -i prosody-trunk_1nightly1253-1~buster_amd64.deb

sudo apt install git cmake luarocks libssl-dev
git clone https://github.com/evanlabs/luacrypto
cd luacrypto
sudo luarocks make
cd ..
sudo rm -rf luacrypto/

sudo apt install liblua5.2
sudo luarocks install lua-cjson
sudo luarocks install lbase64
sudo luarocks install basexx
sudo luarocks install luajwtjitsi

sudo ln -s /usr/local/lib/lua/crypto.so /usr/local/lib/lua/5.1/crypto.so

sudo apt install jitsi-meet-tokens

You still have to modify the configuration files of prosody according to the documentation (https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md. If the token authentication really works in the end I couldn’t test yet.

4 Likes

Got it finally to work using the procedure by snow. Awesome thank you!

Does the jitsi-meet-tokens package install any module files or does it just attempt to make changes to the configuration files? I’t doesn’t seem to make ant configuration changes anymore, which is fine IMO as the changes can be made manually. It just used to make the configuration changes.

Is there a recommended distribution/extra sources for jitsi with jwt as it’s a bit finicky about certain package versions. Especially prosody and lua versions are a bane.

See my solution: Jitsi-meet-tokens unable to install

Guys i have the same issue, How to fix this issue, please include all steps to fix this issue.
thanks.

Follow the method posted by snow and remember to check your configuration and possibly manually making the prosody changes described under “Patching Prosody” and “Manual plugin configuration”

I would not recommend that as it broke my Jitsi Meet instance.

There is also a discussion about that document:

I created two docs with how to install jitsi meet + jwt on ubuntu 18 and 20 (with video)

https://github.com/christiancuri/Docs

NodeJS example how to create jwt

const jsonwebtoken = require(‘jsonwebtoken’)

const obj = {
context: {
user: {
email: ‘email@example.dev’,
name: Christian Curi,
}
},
room: ‘ChristianCuri’,
};

const jwt = jsonwebtoken.sign(obj, ‘secret’, {
issuer: “zellim”,
subject: https://jitmeet.example.com,
expiresIn: “12h”,
audience: “zellim”,
});

console.log(jwt)