Hi!

There is a problem: users inside the corporate network do not see the video and do not hear the sound. As soon as they switch to another, not so protected network, they immediately see and hear everything.

Already installed and configured “coturn”, changed the settings in sip-communicator. properties to:

org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=3480

No errors from turnserver log, certificates are all good.

I can post here any config if you need it.

Is there anything else need to do? Is it possible to configure work only via TCP 80 and port 443 (and the Teams or Zoom ports)?

Microsoft Teams and Zoom work fine in the corporate network , both video and audio.

Thanks!

There is no difference between 10000 and 3480 if some clients are behind a corporate firewall.

Probably there is a problem related with coturn config. I don’t want to mean it is not working but the clients traffic may not access to the turn service

There might be. If they allow Zoom / Teams ports, using a port they are using may make Jitsi work.

Right now we tried to connect via https://meet.jit.si/ - and there were video and audio. Where to find errors, please help?

my coturn config:

# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=J0pS9PEMcXzynKSz
realm=meet.domain
cert=/etc/jitsi/meet/meet.domain.crt
pkey=/etc/jitsi/meet/meet.domain.key
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# jitsi-meet coturn relay disable config. Do not modify this line
#denied-peer-ip=0.0.0.0-0.255.255.255
#denied-peer-ip=10.0.0.0-10.255.255.255
#denied-peer-ip=100.64.0.0-100.127.255.255
#denied-peer-ip=127.0.0.0-127.255.255.255
#denied-peer-ip=169.254.0.0-169.254.255.255
#denied-peer-ip=127.0.0.0-127.255.255.255
#denied-peer-ip=172.16.0.0-172.31.255.255
#denied-peer-ip=192.0.0.0-192.0.0.255
#denied-peer-ip=192.0.2.0-192.0.2.255
#denied-peer-ip=192.88.99.0-192.88.99.255
#denied-peer-ip=192.168.0.0-192.168.255.255
#denied-peer-ip=198.18.0.0-198.19.255.255
#denied-peer-ip=198.51.100.0-198.51.100.255
#denied-peer-ip=203.0.113.0-203.0.113.255
#denied-peer-ip=240.0.0.0-255.255.255.255
syslog

Did you configure Nginx to redirect web and turn traffic correctly?

If this is a new installation on Debian 10 or Ubuntu 20.04, jitsi-buster-installer can help too

It’s hard to tell, it could the firewall filtering rules. meet.jit.si runs TURN on port 443, FWIW.

thank you for reply )

I setup Nginx by this manual Setting up TURN · Jitsi Meet Handbook

/etc/nginx/sites-available/meet.explosion.ru.conf.turn part:

server {
    listen 4444 ssl;
    listen [::]:4444 ssl;
    server_name meet.explosion.ru auth.explosion.ru;

/etc/nginx/modules-enabled/jitsi-coturn.conf:

stream {
    map $ssl_preread_server_name $name {
        #jitsi-meet.example.com web_backend;
        meet.explosion.ru web_backend;
        turnmeet.explosion.ru turn_backend;
    }

    upstream web_backend {
        server 127.0.0.1:4444;
    }

    upstream turn_backend {
        server 91.208.42.2:5349;
    }

    server {
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;

        proxy_pass $name;

        # Increase buffer to serve video
        proxy_buffer_size 100m;
    }
}

/etc/prosody/conf.avail/meet.explosion.ru.cfg.lua:

turncredentials = {
  { type = "stun", host = "meet.explosion.ru", port = "3478" },
  { type = "turn", host = "meet.explosion.ru", port = "3478", transport = "udp" },
--   { type = "turns", host = "meet.explosion.ru", port = "5349", transport = "tcp" }
  { type = "turns", host = "turnmeet.explosion.ru", port = "443", transport = "tcp" }
};

Certificates for all names were renewed.

Why do you have this server name in config?
And the certificate is for auth.meet.explosion.ru

Could you try to change it to local IP? There may be a routing issue on the router

It’s just the rest of the line, it doesn’t affect anything

What do mean - local IP? 127.0.0.1 ? I haven’t others except 91.208.42.2 and 127.0.0.1

then 91.208.42.2 is OK

Any coturn related errors in syslog?

When I had similar issues, it was first an issue with cert used by coturn followed by an issue with denied-peer-ip entries blocking requests.

Have no ideas, where to find…

is it ok with /etc/prosody/conf.avail/meet.explosion.ru.cfg.lua ?

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.explosion.ru";

turncredentials_secret = "J0pS9PEMcXzynKSz";

turncredentials = {
  { type = "stun", host = "meet.explosion.ru", port = "3478" },
  { type = "turn", host = "meet.explosion.ru", port = "3478", transport = "udp" },
--   { type = "turns", host = "meet.explosion.ru", port = "5349", transport = "tcp" }
  { type = "turns", host = "turnmeet.explosion.ru", port = "443", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
  protocol = "tlsv1_2+";
  ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meet.explosion.ru"
        -- enabled = false -- Remove this line to enable this host
        -- authentication = "anonymous"
	authentication = "internal_hashed"
	-- authentication = "internal_plain"
	
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/home/letsencrypt/letsencrypt/certs/meet.explosion.ru/privkey.pem";
                certificate = "/home/letsencrypt/letsencrypt/certs/meet.explosion.ru/fullchain.pem";
        }
        speakerstats_component = "speakerstats.meet.explosion.ru"
        conference_duration_component = "conferenceduration.meet.explosion.ru"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
            "muc_lobby_rooms";
        }
        c2s_require_encryption = false
        lobby_muc = "lobby.meet.explosion.ru"
        main_muc = "conference.meet.explosion.ru"
        -- muc_lobby_whitelist = { "recorder.meet.explosion.ru" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meet.explosion.ru" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focus@auth.meet.explosion.ru" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.explosion.ru" "muc"
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.meet.explosion.ru", "jvb@auth.meet.explosion.ru" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meet.explosion.ru"
    ssl = {
        -- key = "/etc/prosody/certs/auth.meet.explosion.ru.key";
        -- certificate = "/etc/prosody/certs/auth.meet.explosion.ru.crt";
        key = "/home/letsencrypt/letsencrypt/certs/meet.explosion.ru/privkey.pem";
        certificate = "/home/letsencrypt/letsencrypt/certs/meet.explosion.ru/fullchain.pem";
    }
    authentication = "internal_plain"

Component "focus.meet.explosion.ru"
    component_secret = "loMCDNhv1NogjVlW"

Component "speakerstats.meet.explosion.ru" "speakerstats_component"
    muc_component = "conference.meet.explosion.ru"

Component "conferenceduration.meet.explosion.ru" "conference_duration_component"
    muc_component = "conference.meet.explosion.ru"

Component "lobby.meet.explosion.ru" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "guest.meet.explosion.ru"
    authentication = "anonymous"
    c2s_require_encryption = false
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
        }

-- internal muc component, meant to enable pools of jibri and jigasi clients
Component "internal.auth.meet.meet.explosion.ru" "muc"
    modules_enabled = {
        "ping";
    }
    storage = "memory"
    muc_room_cache_size = 1000

VirtualHost "recorder.meet.explosion.ru"
    modules_enabled = {
        "ping";
    }
    authentication = "internal_plain"

Sorry, haven’t seen it before… invalid private key in logs:

Feb  3 14:09:04 meet systemd[1]: Starting coTURN STUN/TURN Server...
Feb  3 14:09:04 meet turnserver: 0: Bad configuration format: no-loopback-peers
Feb  3 14:09:04 meet turnserver: 0: #012RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server#012Version Coturn-4.5.1.1 'dan Eider'
Feb  3 14:09:04 meet turnserver: 0: #012Max number of open files/sockets allowed for this process: 524288
Feb  3 14:09:04 meet turnserver: 0: #012Due to the open files/sockets limitation,#012max supported number of TURN Sessions possible is: 262000 (approximately)
Feb  3 14:09:04 meet turnserver: 0: #012#012==== Show him the instruments, Practical Frost: ====#012
Feb  3 14:09:04 meet turnserver: 0: TLS supported
Feb  3 14:09:04 meet turnserver: 0: DTLS supported
Feb  3 14:09:04 meet turnserver: 0: DTLS 1.2 supported
Feb  3 14:09:04 meet turnserver: 0: TURN/STUN ALPN supported
Feb  3 14:09:04 meet turnserver: 0: Third-party authorization (oAuth) supported
Feb  3 14:09:04 meet turnserver: 0: GCM (AEAD) supported
Feb  3 14:09:04 meet turnserver: 0: OpenSSL compile-time version: OpenSSL 1.1.1d  10 Sep 2019 (0x1010104f)
Feb  3 14:09:04 meet turnserver: 0: 
Feb  3 14:09:04 meet turnserver: 0: SQLite supported, default database location is /var/lib/turn/turndb
Feb  3 14:09:04 meet turnserver: 0: Redis supported
Feb  3 14:09:04 meet turnserver: 0: PostgreSQL supported
Feb  3 14:09:04 meet turnserver: 0: MySQL supported
Feb  3 14:09:04 meet turnserver: 0: MongoDB is not supported
Feb  3 14:09:04 meet turnserver: 0: 
Feb  3 14:09:04 meet turnserver: 0: Default Net Engine version: 3 (UDP thread per CPU core)#012#012=====================================================#012
Feb  3 14:09:04 meet turnserver: 0: Domain name: 
Feb  3 14:09:04 meet turnserver: 0: Default realm: meet.explosion.ru
Feb  3 14:09:04 meet turnserver: 0: #012CONFIG: --no-tcp-relay: TCP relay endpoints are not allowed.
Feb  3 14:09:04 meet turnserver: 0: #012CONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
Feb  3 14:09:04 meet turnserver: 0: WARNING: cannot find certificate file: /etc/jitsi/meet/meet.explosion.ru.crt (1)
Feb  3 14:09:04 meet turnserver: 0: WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
Feb  3 14:09:04 meet turnserver: 0: WARNING: cannot find private key file: /etc/jitsi/meet/meet.explosion.ru.key (1)
Feb  3 14:09:04 meet turnserver: 0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
Feb  3 14:09:04 meet turnserver: 0: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
Feb  3 14:09:04 meet turnserver: 0: ===========Discovering listener addresses: =========
Feb  3 14:09:04 meet turnserver: 0: Listener address to use: 127.0.0.1
Feb  3 14:09:04 meet turnserver: 0: Listener address to use: 91.208.42.2
Feb  3 14:09:04 meet turnserver: 0: Listener address to use: ::1
Feb  3 14:09:04 meet turnserver: 0: =====================================================
Feb  3 14:09:04 meet turnserver: 0: Total: 1 'real' addresses discovered
Feb  3 14:09:04 meet turnserver: 0: =====================================================
Feb  3 14:09:04 meet turnserver: 0: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
Feb  3 14:09:04 meet turnserver: 0: ===========Discovering relay addresses: =============
Feb  3 14:09:04 meet turnserver: 0: Relay address to use: 91.208.42.2
Feb  3 14:09:04 meet turnserver: 0: Relay address to use: ::1
Feb  3 14:09:04 meet turnserver: 0: =====================================================
Feb  3 14:09:04 meet turnserver: 0: Total: 2 relay addresses discovered
Feb  3 14:09:04 meet turnserver: 0: =====================================================
Feb  3 14:09:04 meet turnserver: 0: pid file created: /run/turnserver/turnserver.pid
Feb  3 14:09:04 meet turnserver: 0: IO method (main listener thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: Wait for relay ports initialization...
Feb  3 14:09:04 meet turnserver: 0:   relay 91.208.42.2 initialization...
Feb  3 14:09:04 meet turnserver: 0:   relay 91.208.42.2 initialization done
Feb  3 14:09:04 meet turnserver: 0:   relay ::1 initialization...
Feb  3 14:09:04 meet turnserver: 0:   relay ::1 initialization done
Feb  3 14:09:04 meet turnserver: 0: Relay ports initialization done
Feb  3 14:09:04 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: turn server id=2 created
Feb  3 14:09:04 meet turnserver: 0: turn server id=0 created
Feb  3 14:09:04 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: turn server id=3 created
Feb  3 14:09:04 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: turn server id=1 created
Feb  3 14:09:04 meet turnserver: 0: Total General servers: 4
Feb  3 14:09:04 meet turnserver: 0: IO method (auth thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: IO method (auth thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: IO method (admin thread): epoll (with changelist)
Feb  3 14:09:04 meet turnserver: 0: SQLite DB connection success: /var/lib/turn/turndb

invalid private key in logs:

Progress

Once you point to a valid cert/key file in /etc/turnserver for turnmeet.explosion.ru, come back to this logs. I’d expect to see like “0: IPv4. TLS/SCTP listener opened on…” in the logs if TLS certs are valid.

If the other config is correct you should then see connection attempts here and related logs.

Thank you, now certificates are all fine.

Feb  3 17:20:51 meet systemd[1]: Starting coTURN STUN/TURN Server...
Feb  3 17:20:51 meet turnserver: 0: Bad configuration format: no-loopback-peers
Feb  3 17:20:51 meet turnserver: 0: #012RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server#012Version Coturn-4.5.1.1 'dan Eider'
Feb  3 17:20:51 meet turnserver: 0: #012Max number of open files/sockets allowed for this process: 524288
Feb  3 17:20:51 meet turnserver: 0: #012Due to the open files/sockets limitation,#012max supported number of TURN Sessions possible is: 262000 (approximately)
Feb  3 17:20:51 meet turnserver: 0: #012#012==== Show him the instruments, Practical Frost: ====#012
Feb  3 17:20:51 meet turnserver: 0: TLS supported
Feb  3 17:20:51 meet turnserver: 0: DTLS supported
Feb  3 17:20:51 meet turnserver: 0: DTLS 1.2 supported
Feb  3 17:20:51 meet turnserver: 0: TURN/STUN ALPN supported
Feb  3 17:20:51 meet turnserver: 0: Third-party authorization (oAuth) supported
Feb  3 17:20:51 meet turnserver: 0: GCM (AEAD) supported
Feb  3 17:20:51 meet turnserver: 0: OpenSSL compile-time version: OpenSSL 1.1.1d  10 Sep 2019 (0x1010104f)
Feb  3 17:20:51 meet turnserver: 0: 
Feb  3 17:20:51 meet turnserver: 0: SQLite supported, default database location is /var/lib/turn/turndb
Feb  3 17:20:51 meet turnserver: 0: Redis supported
Feb  3 17:20:51 meet turnserver: 0: PostgreSQL supported
Feb  3 17:20:51 meet turnserver: 0: MySQL supported
Feb  3 17:20:51 meet turnserver: 0: MongoDB is not supported
Feb  3 17:20:51 meet turnserver: 0: 
Feb  3 17:20:51 meet turnserver: 0: Default Net Engine version: 3 (UDP thread per CPU core)#012#012=====================================================#012
Feb  3 17:20:51 meet turnserver: 0: Domain name: 
Feb  3 17:20:51 meet turnserver: 0: Default realm: meet.explosion.ru
Feb  3 17:20:51 meet turnserver: 0: #012CONFIG: --no-tcp-relay: TCP relay endpoints are not allowed.
Feb  3 17:20:51 meet turnserver: 0: #012CONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
Feb  3 17:20:51 meet turnserver: 0: SSL23: Certificate file found: /etc/jitsi/meet/meet.explosion.ru.crt
Feb  3 17:20:51 meet turnserver: 0: SSL23: Private key file found: /etc/jitsi/meet/meet.explosion.ru.key
Feb  3 17:20:51 meet turnserver: 0: set_ctx: ERROR: cannot set DH
Feb  3 17:20:51 meet turnserver: 0: TLS1.2: Certificate file found: /etc/jitsi/meet/meet.explosion.ru.crt
Feb  3 17:20:51 meet turnserver: 0: TLS1.2: Private key file found: /etc/jitsi/meet/meet.explosion.ru.key
Feb  3 17:20:51 meet turnserver: 0: TLS cipher suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Feb  3 17:20:51 meet turnserver: 0: DTLS: Certificate file found: /etc/jitsi/meet/meet.explosion.ru.crt
Feb  3 17:20:51 meet turnserver: 0: DTLS: Private key file found: /etc/jitsi/meet/meet.explosion.ru.key
Feb  3 17:20:51 meet turnserver: 0: DTLS1.2: Certificate file found: /etc/jitsi/meet/meet.explosion.ru.crt
Feb  3 17:20:51 meet turnserver: 0: DTLS1.2: Private key file found: /etc/jitsi/meet/meet.explosion.ru.key
Feb  3 17:20:51 meet turnserver: 0: DTLS cipher suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Feb  3 17:20:51 meet turnserver: 0: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
Feb  3 17:20:51 meet turnserver: 0: ===========Discovering listener addresses: =========
Feb  3 17:20:51 meet turnserver: 0: Listener address to use: 127.0.0.1
Feb  3 17:20:51 meet turnserver: 0: Listener address to use: 91.208.42.2
Feb  3 17:20:51 meet turnserver: 0: Listener address to use: ::1
Feb  3 17:20:51 meet turnserver: 0: =====================================================
Feb  3 17:20:51 meet turnserver: 0: Total: 1 'real' addresses discovered
Feb  3 17:20:51 meet turnserver: 0: =====================================================
Feb  3 17:20:51 meet turnserver: 0: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
Feb  3 17:20:51 meet turnserver: 0: ===========Discovering relay addresses: =============
Feb  3 17:20:51 meet turnserver: 0: Relay address to use: 91.208.42.2
Feb  3 17:20:51 meet turnserver: 0: Relay address to use: ::1
Feb  3 17:20:51 meet turnserver: 0: =====================================================
Feb  3 17:20:51 meet turnserver: 0: Total: 2 relay addresses discovered
Feb  3 17:20:51 meet turnserver: 0: =====================================================
Feb  3 17:20:51 meet turnserver: 0: pid file created: /run/turnserver/turnserver.pid
Feb  3 17:20:51 meet turnserver: 0: IO method (main listener thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: Wait for relay ports initialization...
Feb  3 17:20:51 meet turnserver: 0:   relay 91.208.42.2 initialization...
Feb  3 17:20:51 meet turnserver: 0:   relay 91.208.42.2 initialization done
Feb  3 17:20:51 meet turnserver: 0:   relay ::1 initialization...
Feb  3 17:20:51 meet turnserver: 0:   relay ::1 initialization done
Feb  3 17:20:51 meet turnserver: 0: Relay ports initialization done
Feb  3 17:20:51 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: turn server id=1 created
Feb  3 17:20:51 meet turnserver: 0: turn server id=0 created
Feb  3 17:20:51 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: turn server id=2 created
Feb  3 17:20:51 meet turnserver: 0: IO method (general relay thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: turn server id=3 created
Feb  3 17:20:51 meet turnserver: 0: Total General servers: 4
Feb  3 17:20:51 meet turnserver: 0: IO method (auth thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: IO method (auth thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: IO method (admin thread): epoll (with changelist)
Feb  3 17:20:51 meet turnserver: 0: SQLite DB connection success: /var/lib/turn/turndb
Feb  3 17:20:53 meet systemd[1]: Started coTURN STUN/TURN Server.

But while restarting prosody I found these stringsin syslog (they were from the very begining). Is it critical?

Feb  3 17:21:43 meet prosody[31443]: portmanager: Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Feb  3 17:21:43 meet prosody[31443]: portmanager: Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

Video still not working after fixing the cert? any new errors in syslog after you attempt connection?

I think that error can be ignored. Related posts:

• Prosody error in binding encrypted port · Issue #3639 · jitsi/jitsi-meet · GitHub
• portmanager: Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 528 · Issue #6473 · jitsi/jitsi-meet · GitHub

If that bothers you, you can uncomment this line in /etc/prosody/conf.avail/meet.explosion.ru.cfg.lua and the error should go away.

https_ports = { }; -- Remove this line to prevent listening on port 5284

Unfortunately, I can’t answer you yet, the office is remote, and my colleagues have left. I will definitely answer tomorrow, but in any case, thank you very much for your participation!

Everything is fine! It worked, thank you very much again!

It was precisely the wrong certificate chain for Coturn, so the key was not seen. You need to substitute not just the Let’sencrypt certificate, but the full chain.

For all who will read later: everything can be configured for the corporate network where all ports are closed, except 80 and 443.

First, check if your video conference is working here: https://meet.jit.si/

If everything works, then you need to configure the Coturn service as indicated here: Setting up TURN · Jitsi Meet Handbook

IMPORTANT: You shuold reissue certificates for all domains: both “meet” and “coturn” , restart Prosody, restart Coturn

service coturn restart

Next, check your log file. On Debian 10, it is in /var/log/syslog - it is important that all messages from turnserver do not contain errors, but something similar:

meet turnserver: 0: TLS1.2: Certificate file found: /etc/jitsi/meet/meet.domain.crt
meet turnserver: 0: TLS1.2: Private key file found: /etc/jitsi/meet/meet.domain.key

If no errors - try to connect to your conference. If it doesn’t work check everything again, view the manual.

Good luck to everyone!

Hello xdimx,
Is your solution work with firewall opened just 80 et 443 ports please ?
Your jitsi-meet and your corturn are in the same server ?
Can you give me more détails please ?
My config work but not with users behind a more restricted firewall.
Thank you in adavance.