Questions about the prosody certificates

Assuming we set up jitsi-meet with the domain name jitsi.example.com, after the installation 2 VirtualHosts will be created in prosody with 2 sets of self-signed certificates.

VirtualHost "jitsi.example.com"
    authentication = "anonymous"
    ssl = {
        key = "/var/lib/prosody/jitsi.example.com.key";
        certificate = "/var/lib/prosody/jitsi.example.com.crt";
    }
    c2s_require_encryption = false

VirtualHost "auth.jitsi.example.com"
    ssl = {
        key = "/var/lib/prosody/auth.jitsi.example.com.key";
        certificate = "/var/lib/prosody/auth.jitsi.example.com.crt";
    }
    authentication = "internal_plain"

My questions are:

  1. The first virtual host has "c2s_require_encryption = false". Is it because http-bind is mapped to plain HTTP, i.e. http://localhost:5280/http-bind?

  2. Since c2s_require_encryption is false, is the certificate in the first virtual host mainly for the s2s communication?

  3. The certificates have an expiration date set one year from the date created. Are we supposed to update them periodically? Or is it OK for them to expire since they are self-signed anyway?

Thanks in advance!

Yes, and there is no s2s communication. Jitsi-meet's prosody is used internally between components, and there is no federation.

Yep, you are not supposed to update them.

The only certificate that needs to be taken care of and the only client facing is the one on the web server.

Got it! Thanks for explaining Damian.

Hi there,

I'm jumping a bit late on this thread, but I'm trying to install a remote JVB instance on my existing Jitsi-meet install, and it seems to me that Prosody needs proper certificates to be accessed remotely by a distant videobridge. Does your above answer, @damencho, apply only to a single-machine install, right?

I'm trying to follow this tutorial here and I'm stumbling on a certificate connection error on my JVB instance.

Thanks for your lights

There is a property you can use: org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
Or you can get the certificate and set it to be trusted on that machine.
Like this:
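As an added example (not part of the reply above and not Jitsi's own tooling), one way to do the second option, trusting Prosody's self-signed certificate on the JVB host rather than disabling verification: fetch the certificate that Prosody presents on its XMPP port with openssl, inspect it, and import it into the Java truststore the bridge uses. The host name, port 5222, the cacerts path and the "changeit" store password are assumptions and should be adjusted for the actual install.

```shell
#!/bin/sh
# Added example: fetch Prosody's self-signed certificate and add it to the
# JVB host's Java truststore so the bridge can verify the XMPP connection.
# Host, port, truststore path and password below are assumptions, not
# values taken from the thread.
PROSODY_HOST="${PROSODY_HOST:-jitsi.example.com}"
PROSODY_PORT="${PROSODY_PORT:-5222}"
TRUSTSTORE="${TRUSTSTORE:-/usr/lib/jvm/default-java/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Keep only the PEM block(s) from `openssl s_client -showcerts` output.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count certificates in a PEM stream; prints 0 (and succeeds) when none.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# XMPP on 5222 uses STARTTLS, so ask openssl to negotiate it before the
# TLS handshake; -servername sets SNI so Prosody picks the matching cert.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -starttls xmpp \
        -showcerts </dev/null 2>/dev/null | extract_pem
}

# $1 = PEM file, $2 = alias under which it is stored in the truststore.
import_cert() {
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

main() {
    tmp=$(mktemp)
    fetch_cert "$PROSODY_HOST" "$PROSODY_PORT" > "$tmp"
    n=$(count_certs < "$tmp")
    if [ "$n" -lt 1 ]; then
        echo "no certificate received from $PROSODY_HOST:$PROSODY_PORT" >&2
        rm -f "$tmp"
        exit 1
    fi
    # Show subject, issuer, expiry and fingerprint before trusting it, so the
    # operator can compare the fingerprint with the one on the Prosody host.
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate \
        -fingerprint -sha256
    import_cert "$tmp" "prosody-$PROSODY_HOST"
    rm -f "$tmp"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh trust-prosody-cert.sh --run` on the JVB host (as a user that can write the truststore) and restart the bridge afterwards. Because the Prosody certificates are self-signed and valid for one year, the same import has to be repeated whenever they are regenerated, which is one reason a remote bridge is simpler to operate when Prosody is given a certificate from a CA the bridge already trusts.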