Meetings do not work if moderator uses login

Hello Community!
I just installed Jitsi freshly on my Ubuntu server. (Ubuntu 18.04.5 LTS)
It runs directly on it, not in the Doker.
The installation itself went through without any problems.
As far as I do not secure the server, everything works fine.
Participants can join a room and start the meeting.
As soon as I set that a moderator needs a login, nothing works anymore.
I can start a meeting as a moderator and log in, but he only logs me in correctly after a reload of the page.
I am still alone in the room as a moderator. No one can join me.
As a moderator I can also adjust my camera / microphone or share a screen.
If a participant joins the meeting, he only has to wait for the moderator.
The chat will then no longer work.
I have tested it with several browsers and the Android app.
Ports 80, 443, 10000 and 4443 are open.

-> All Services are working / running
-> Lets Encrypt is active
-> I use nginx as webserver

I still have three logs here that might help:

jicofo

Jicofo 2020-10-25 17:26:05.340 SEVERE: [318] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:832)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1215)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1158)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1475)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1381)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
… 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1324)
… 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 22 more

jvb

2020-10-25 17:26:07.174 WARNING: [2777] [hostname=localhost id=shard] MucClient$1.connectionClosedOnError#317: Closed on error:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1215)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1158)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1475)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1381)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:832)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1324)
… 17 more

prosody
Oct 25 17:28:52 conference.meeting.MY-DOMAIN.DE:muc_domain_mapper warn Session filters applied
Oct 25 17:28:52 c2s55a44f224c50 info Client connected
Oct 25 17:28:52 c2s55a44f224c50 info Client disconnected: ssl handshake error: sslv3 alert certificate unknown

I installed Jitsi on a vServer (LXC - Debian 10) 3 months ago, everything worked fine there.

No idea what goes wrong :frowning:

Haven’t really looked through your logs, but I suspect this is a configuration error. How did you configure your lua file (yourdomain.cfg.lua)?

I only did what the instructions on the Internet describe.
Changed the authentication to “internal_hashed” in the Config and added the following code at the end

VirtualHost "guest.meeting.MY-DOMAIN.DE" authentication = "anonymous" -- modules_enabled = { -- "turncredentials"; -- } c2s_require_encryption = false

I intentionally disabled the turn server module, I might need it later.

I’m going to take it that you meant the cfg.lua file when you said “Config”.
If you’re not using TURN right now, why not just:

VirtualHost “guest.yourdomain.com
authentication = “anonymous”
c2s_require_encryption = false

Also, don’t forget to restart all services after making changes (a page reload is not sufficient).

I might need the turn server later, so I already have the code in the config.
With NextCloud Talk, a turn server helps to correctly connect two devices from the same network over the internet.
It may well be that I need it for Jitsi as well.

Even if I remove the turn code, it does not work.
It is also commented out, so it doesn’t do anything.

Wait… are you using a self-signed certificate? Also, what version of Java do you have?

see this post

@Freddie I use my Let’s Encrypt Certificates.
I had them created with Certbot and specified them during the installation.

Java:
java version “14.0.2” 2020-07-14
Java™ SE Runtime Environment (build 14.0.2+12-46)
Java HotSpot™ 64-Bit Server VM (build 14.0.2+12-46, mixed mode, sharing)

@gpatel-fr Unfortunately your tip does not work.
update-ca-certificates -f
Clearing symlinks in /etc/ssl/certs…
done.
Updating certificates in /etc/ssl/certs…
128 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…
done.

I have restarted all affected services. Unfortunately it did not help.
Do I have to restart the whole server?


jicofo.log

Jicofo 2020-10-26 17:34:52.775 WARNING: [160] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1215) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1158) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1475) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1381) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412) at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810) at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016) at java.base/java.lang.Thread.run(Thread.java:832) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) at java.base/sun.security.validator.Validator.validate(Validator.java:264) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1324) ... 17 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ... 22 more

jvb.log

2020-10-26 17:34:46.912 WARNING: [113] [hostname=localhost id=shard] MucClient$1.connectionClosedOnError#317: Closed on error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1215) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1158) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1475) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1381) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412) at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810) at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016) at java.base/java.lang.Thread.run(Thread.java:832) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) at java.base/sun.security.validator.Validator.validate(Validator.java:264) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1324) ... 17 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ... 22 more

prosody.log

Oct 26 17:34:47 conference.meeting.MY-DOMAIN.DE:muc_domain_mapper warn Session filters applied Oct 26 17:34:47 c2s55d7d259fe70 info Client connected Oct 26 17:34:47 c2s55d7d259fe70 info Client disconnected: ssl handshake error: sslv3 alert certificate unknown

By the way, the error also spams the logs.
Since yesterday evening there are 240MB logs. Great.

Add this org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true to /etc/jitsi/jicofo/sip-communicator.properties and restart jicofo and try again

You did this and it didn’t work?

Can you get your js console logs for when you have this error?

Aaah shit I missed that / the browser scrolled down two posts.
If I add org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true to /etc/jitsi/jicofo/sip-communicator.properties, I can now log in without problems and I also have moderator rights.
As soon as a second client is added, all clients will be disconnected.
This repeats itself until all clients have closed the connection and I am alone with my moderator account.

that’s another problem then. Post jicofo.log after the change (if you can’t edit the file, at least stop the jicofo service, delete the log and restart the service to not post a gigantic file here thanks)

Here is the log.
I recorded the crash two times.
jicofo.log (34.6 KB)

the log says that
Failed to select initial bridge for participantRegion=null
it means that Jvb has not registered with prosody I think. Well, no need to post jvb.log, your original jvb.log shows the same problem as jicofo, that is, a certificate problem.
I can’t understand why you adding a secure domain could have such an effect. Unless you are using a more exotic authentication scheme (I knoiw only the basic secure domain)

anyway, try to set

org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
(I assume that sip-communicator.properties has default values for jvb else adapt xmpp server name)

and restart jvb.

now I have an idea. There is is setting that I never touched in any way and reproduced on any setup of mine:
c2s_require_encryption = false
well, c2s is the connexion done by Jicofo and jvb to prosody on port 5222. So that’s could be missing in this case.

I set
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
but unfortunately it does not help. It will still restart the session as soon as the second person joins.

c2s_require_encryption = false
Is already set like this. This is also written in several manuals on the net.

Meanwhile I installed it on a fresh Debian 10 system.
There everything runs without problems.
But the server runs via LXC and has only IPv4 and no IPv6.
My normal system is a dedicated server with IPv4 and IPv6.

My suggestion would be to completely uninstall and reinstall on your dedicated server. Clearly something went wrong with the previous install. Installing only takes a few minutes and if you have any customizations you’d like to keep, you can save your config files and just overwrite once you have a functional instance.

I have done this several times and also made sure that all data was gone.
Unfortunately this does not help at all.

The next thing I try is the whole thing in the docker container.

Yeah, that’s weird. Do you have anything else installed on that baremetal other than Ubuntu? If not, I’d recommend doing a complete wipeout (meaning reinstall Ubuntu on the baremetal - probably 20.04 LTS even, this time), then reinstall Jitsi. I did this a number of times on my baremetal when I ran into issues and couldn’t wait to debug them. Again, this will have you up and running sooner than trying to find the cog in the wheel, in this case.

Unfortunately, some services are running on the server in the meantime.
Beside a pure webserver there is also a mailserver, several gameservers, …
Only for Jitsi a new installation is not worth the effort.
If that doesn’t work with Docker, I’ll see if I can use a second server for it.

Since (in my opinion) the logs are not very meaningful, I don’t feel like searching for the error.

The logs are actually usually very meaningful and incredibly helpful. Sometimes, it just takes a bit of investigative work to determine exactly what the issue is. With Jitsi, you have several components at work, so, searching through all of them can be daunting at times.

But yeah, perhaps try the dockerized version and see if that works for you. Goodluck with it! :+1:t5: