Manual install on Ubuntu 19.10

Sorry in advance but I tried to work my way around the 2 links filter for new users, since I think they’re very much relevant.

I’ve tried following jitsi.github .io/handbook/docs/devops-guide/devops-guide-manual, but this is apparently very out of date, so I tried to make the best out of the Debian install scripts, mainly this prosody example and the example configs. At best I could do 1:1 conferences over P2P; anything that would require a TURN server didn’t work, and now somehow I can’t even do 1:1 any longer.

Target

I want to run Jitsi behind an nginx server that already has an LE cert on the domain jitsi.dmnd.sh.

Setup

I installed prosody, jitsi-videobridge2 and jicofo all via apt and git cloned jitsi/jitsi-meet to /opt/jitsi-meet/

This is my most recent config:

-- /etc/prosody/conf.d/jitsi.dmnd.sh.cfg.lua
plugin_paths = { "/opt/jitsi-meet/resources/prosody-plugins" }

muc_mapper_domain_base = "jitsi.dmnd.sh";

cross_domain_bosh = false;
consider_bosh_secure = true;

turncredentials_secret = "redacted";

turncredentials = {
  -- standard STUN/TURN port is 3478 (the original had 3748 on these two lines)
  { type = "stun", host = "turn1.dmnd.sh", port = "3478" },
  { type = "turn", host = "turn1.dmnd.sh", port = "3478", transport = "udp" },
  { type = "turn", host = "turn1.dmnd.sh", port = "3478", transport = "tcp" },
  { type = "turns", host = "turn1.dmnd.sh", port = "5349", transport = "udp" },
  { type = "turns", host = "turn1.dmnd.sh", port = "5349", transport = "tcp" }
};

-- ssl = {
--   protocol = "tlsv1_2+";
--   ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
-- }

VirtualHost "jitsi.dmnd.sh"
    authentication = "anonymous"
    ssl = {
        key = "/var/lib/prosody/jitsi.dmnd.sh.key";
        certificate = "/var/lib/prosody/jitsi.dmnd.sh.crt";
    }
    c2s_require_encryption = false
    speakerstats_component = "speakerstats.jitsi.dmnd.sh"
    conference_duration_component = "conferenceduration.jitsi.dmnd.sh"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
    }
    lobby_muc = "lobby.jitsi.dmnd.sh"
    main_muc = "conference.jitsi.dmnd.sh"


-- Component "jitsi-videobridge.jitsi.dmnd.sh"
--     component_secret = "VQoDKTViBy8Dmir6rULk"

Component "conference.jitsi.dmnd.sh" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focusUser@auth.jitsi.dmnd.sh" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.jitsi.dmnd.sh" "muc"
    ssl = {
        key = "/var/lib/prosody/jitsi.dmnd.sh.key";
        certificate = "/var/lib/prosody/jitsi.dmnd.sh.crt";
    }
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.jitsi.dmnd.sh", "jvb@auth.jitsi.dmnd.sh" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.jitsi.dmnd.sh"
    authentication = "internal_plain"

Component "focus.jitsi.dmnd.sh"
    component_secret = "njpVCF6T9a6d9TGmLVHQ"

Component "speakerstats.jitsi.dmnd.sh" "speakerstats_component"
    muc_component = "conference.jitsi.dmnd.sh"

Component "conferenceduration.jitsi.dmnd.sh" "conference_duration_component"
    muc_component = "conference.jitsi.dmnd.sh"

Component "lobby.jitsi.dmnd.sh" "muc"
    storage = "memory"
    restrict_room_creation = false
    muc_room_locking = false
    muc_room_default_public_jids = true

I then generated self-signed certs (not exactly sure what requires self-signed certs here? Ideally, since everything is behind a reverse proxy and this is just internal communication, I would just not use TLS at all) for everything here and tried to symlink /var/lib/prosody/internal.auth.jitsi.dmnd.sh.crt to /usr/local/share/ca-certificates/internal.auth.jitsi.dmnd.sh.crt

I also tried just auth.jitsi.dmnd.sh, and both internal.auth and auth.
After symlinking I always run:

sudo update-ca-certificates -f
sudo prosodyctl register focus auth.jitsi.dmnd.sh 936has8HF3VnkN9C84Z5
sudo prosodyctl restart

My jicofo config:

# sets the host name of the XMPP server
JICOFO_HOST=localhost

# sets the XMPP domain (default: none)
JICOFO_HOSTNAME=jitsi.dmnd.sh

# sets the secret used to authenticate as an XMPP component
JICOFO_SECRET=njpVCF6T9a6d9TGmLVHQ

# sets the port to use for the XMPP component connection
JICOFO_PORT=5347

# sets the XMPP domain name to use for XMPP user logins
JICOFO_AUTH_DOMAIN=auth.jitsi.dmnd.sh

# sets the username to use for XMPP user logins
JICOFO_AUTH_USER=focus

# sets the password to use for XMPP user logins
JICOFO_AUTH_PASSWORD=936has8HF3VnkN9C84Z5

# extra options to pass to the jicofo daemon
JICOFO_OPTS=""

# adds java system props that are passed to jicofo (default are for home and logging config file)
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"

And my videobridge config:

# Jitsi Videobridge settings

# sets the XMPP domain (default: none)
JVB_HOSTNAME=jitsi.dmnd.sh

# sets the hostname of the XMPP server (default: domain if set, localhost otherwise)
JVB_HOST=

# sets the port of the XMPP server (default: 5275)
JVB_PORT=5347

# sets the shared secret used to authenticate to the XMPP server
JVB_SECRET="VQoDKTViBy8Dmir6rULk"

# extra options to pass to the JVB daemon
JVB_OPTS="--apis=,"


# adds java system props that are passed to jvb (default are for home and logging config file)
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=videobridge -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties"

My nginx config, which I am fairly sure works since it worked with the quick-install guide:

server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name jitsi.dmnd.sh;

        include snippets/ssl-dmnd.sh.conf;
        include snippets/robots.conf;

        root /opt/jitsi-meet;
        index index.html index.htm;
        error_page 404 /static/404.html;

        location ~ ^/([a-zA-Z0-9=\?]+)$ {
                rewrite ^/(.*)$ / break;
        }

        location / {
                ssi on;
        }

        # BOSH
        location /http-bind {
                proxy_pass              http://localhost:5280/http-bind;
                proxy_set_header        X-Forwarded-For $remote_addr;
                proxy_set_header        Host $http_host;
        }

        # xmpp websockets
        location /xmpp-websocket {
                proxy_pass http://127.0.0.1:5280/xmpp-websocket;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                tcp_nodelay on;
        }
}

And my config.js looks like this:

var config = {
    // Connection
    //

    hosts: {
        // XMPP domain.
        domain: 'jitsi.dmnd.sh',

        // When using authentication, domain for guest users.
        // anonymousdomain: 'guest.example.com',

        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: 'jitsi.dmnd.sh',

        // Jirecon recording component domain.
        // jirecon: 'jirecon.jitsi.dmnd.sh',

        // Call control component (Jigasi).
        // call_control: 'callcontrol.jitsi.dmnd.sh',

        // Focus component domain. Defaults to focus.<domain>.
        focus: 'focus.jitsi.dmnd.sh',
        bridge: 'jitsi-videobridge.jitsi.dmnd.sh',

        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.jitsi.dmnd.sh'
    },

    // BOSH URL. FIXME: use XEP-0156 to discover it.
    bosh: '//jitsi.dmnd.sh/http-bind',
//... the rest is exactly like https://github.com/jitsi/jitsi-meet/blob/master/config.js

I definitely think something with the videobridge is misconfigured, since the secret isn’t being used anywhere, but the newer examples all don’t use jitsi-videobridge.jitsi.JVB_HOSTNAME anywhere?

Additionally, I opened up these ports for Jitsi:

  • 10000/udp
  • 4443/tcp

and additionally for TURN:

  • 49152:65535/udp
  • 5349/udp
  • 5349/tcp
  • 3478/tcp
  • 3478/udp

and of course 80/443 for HTTPS, and 20 for SSH.

Errors

Prosody mainly seems to have trouble connecting to focus.jitsi:
Jun 30 14:25:53 focus.jitsi.dmnd.sh:component warn Component not connected, bouncing error for: <iq type='get' from='focus@auth.jitsi.dmnd.sh/focus4525085858935' id='1lXFD-33' to='focus.jitsi.dmnd.sh'>

Also, the error log keeps telling me:
Jun 30 14:25:33 portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

But someone in the forums claims this can be ignored?

Jicofo complains about "XMPP error reply received" from pretty much every component; the domains there are correct, though.

The videobridge says what is described in community.jitsi. org/t/saslerror-using-scram-sha-1-not-authorized-on-debian-buster-system-with-existing-prosody/26775, which I get, since I definitely am not setting the videobridge secret correctly.

I am 99% sure my TURN servers work, because they seem to work with my Matrix instance, but I also tried using the default Jitsi STUN/TURN servers, and they also respond well to webrtc.github. io/samples/src/content/peerconnection/trickle-ice/

I realize that using the quick-install is recommended, and I did have that working for some time, but it’s very frustrating that whenever I update my system, Jitsi always destroys both my TURN server and nginx, and I would rather administrate my configs myself if possible.

Thank you very much for your help!
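As an added consistency check (example code written for this page, not from the post above or from the Jitsi project), the script below cross-checks the three places a component secret has to agree: the `Component "focus.<domain>"` and `Component "jitsi-videobridge.<JVB_HOSTNAME>"` blocks in the prosody config, `JICOFO_SECRET`/`JICOFO_PORT` in /etc/jitsi/jicofo/config and `JVB_SECRET`/`JVB_PORT` in /etc/jitsi/videobridge/config. It assumes the Debian-style `KEY=VALUE` config files and the Lua `Component` layout shown in the post, and that prosody is listening for components on its default port 5347. The sample inputs are constructed from the snippets in the post (secrets redacted to placeholders); with the `jitsi-videobridge` component still commented out, the audit reports exactly that, and once the `--` prefixes are removed it reports nothing.

```python
"""Cross-check external-component secrets and ports between prosody, jicofo and jvb configs."""
import re

# Constructed sample inputs modelled on the post's configs (placeholder secrets, not real files).
PROSODY_CFG = """\
Component "focus.jitsi.dmnd.sh"
    component_secret = "FOCUS_SECRET"

-- Component "jitsi-videobridge.jitsi.dmnd.sh"
--     component_secret = "JVB_SECRET_VALUE"

VirtualHost "auth.jitsi.dmnd.sh"
    authentication = "internal_plain"
"""

JICOFO_ENV = """\
# sets the host name of the XMPP server
JICOFO_HOST=localhost
JICOFO_HOSTNAME=jitsi.dmnd.sh
JICOFO_SECRET=FOCUS_SECRET
JICOFO_PORT=5347
JICOFO_AUTH_DOMAIN=auth.jitsi.dmnd.sh
JICOFO_AUTH_USER=focus
"""

JVB_ENV = """\
JVB_HOSTNAME=jitsi.dmnd.sh
JVB_HOST=
JVB_PORT=5347
JVB_SECRET="JVB_SECRET_VALUE"
JVB_OPTS="--apis=,"
"""

COMPONENT_PORT = "5347"  # prosody's default component_ports value (assumption: not overridden)


def parse_env(text):
    """Parse KEY=VALUE lines of a Debian /etc/jitsi/*/config file; strips quotes, skips comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def parse_prosody_components(text):
    """Return {component_jid: component_secret or None} for active (uncommented) Component blocks.

    Lines beginning with '--' are Lua comments and are ignored, so a commented-out
    '-- Component ...' block does not count as configured.
    """
    components = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--"):
            continue
        m = re.match(r'^Component\s+"([^"]+)"', line)
        if m:
            current = m.group(1)
            components[current] = None
            continue
        if re.match(r'^VirtualHost\s+"', line):
            current = None  # a new VirtualHost ends the current component block
            continue
        m = re.match(r'^component_secret\s*=\s*"([^"]*)"', line)
        if m and current:
            components[current] = m.group(1)
    return components


def check_component(components, jid, secret, label):
    """Findings for one external component: missing block, missing secret, or secret mismatch."""
    findings = []
    if jid not in components:
        findings.append(f'{label}: no active Component "{jid}" in prosody config '
                        "(check for a commented-out '-- Component' line)")
    elif components[jid] is None:
        findings.append(f'{label}: Component "{jid}" has no component_secret')
    elif components[jid] != secret:
        findings.append(f"{label}: component_secret for {jid} does not match the {label} config")
    return findings


def audit(prosody_cfg, jicofo_env_text, jvb_env_text):
    """Return a list of human-readable findings; an empty list means the three configs agree."""
    components = parse_prosody_components(prosody_cfg)
    jicofo = parse_env(jicofo_env_text)
    jvb = parse_env(jvb_env_text)
    findings = []
    # jicofo authenticates as the external component focus.<JICOFO_HOSTNAME> with JICOFO_SECRET
    findings += check_component(components, f"focus.{jicofo.get('JICOFO_HOSTNAME', '')}",
                                jicofo.get("JICOFO_SECRET"), "jicofo")
    # jvb in component mode authenticates as jitsi-videobridge.<JVB_HOSTNAME> with JVB_SECRET
    findings += check_component(components, f"jitsi-videobridge.{jvb.get('JVB_HOSTNAME', '')}",
                                jvb.get("JVB_SECRET"), "jvb")
    # both daemons must dial the port prosody actually listens on for components
    for label, env, key in (("jicofo", jicofo, "JICOFO_PORT"), ("jvb", jvb, "JVB_PORT")):
        if env.get(key) != COMPONENT_PORT:
            findings.append(f"{label}: {key}={env.get(key)!r}, expected component port {COMPONENT_PORT}")
    return findings


if __name__ == "__main__":
    for finding in audit(PROSODY_CFG, JICOFO_ENV, JVB_ENV) or ["OK: secrets and ports agree"]:
        print(finding)
```

To run it against a live box, replace the three constructed strings with `open("/etc/prosody/conf.d/<domain>.cfg.lua").read()`, `open("/etc/jitsi/jicofo/config").read()` and `open("/etc/jitsi/videobridge/config").read()`; the parser deliberately treats `--` lines as comments, which is exactly the state of the `jitsi-videobridge` block in the post.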