Secure Domain setup problem - Client disconnected: ssl handshake failed

Hi,

I’m trying to install secure domain setup following the doc here

But I can’t make it work. I get this error message in prosody.log:

Client disconnected: ssl handshake failed

prosody.log :

Aug 05 08:54:56 mydomain:muc_domain_mapper info Loading mod_muc_domain_mapper for host mydomain!
Aug 05 08:54:56 portmanager info Activated service ‘http’ on [::]:5280, [*]:5280
Aug 05 08:54:56 certmanager error SSL/TLS: Error initialising for https port 5281: invalid protocol (tlsv1_2+)
Aug 05 08:54:56 portmanager error Error binding encrypted port for https: invalid protocol (tlsv1_2+)
Aug 05 08:54:56 certmanager error SSL/TLS: Error initialising for https port 5281: invalid protocol (tlsv1_2+)
Aug 05 08:54:56 portmanager error Error binding encrypted port for https: invalid protocol (tlsv1_2+)
Aug 05 08:54:56 portmanager info Activated service ‘https’ on no ports
Aug 05 08:54:56 mydomain:muc_lobby_rooms warn Lobby rooms will not work with Prosody version 0.10 or less.
Aug 05 08:54:56 jcp55c5b1a6bff0 info Incoming Jabber component connection
Aug 05 08:54:56 focus.mydomain:component info External component successfully authenticated
Aug 05 08:54:58 mydomain:muc_domain_mapper warn Session filters applied
Aug 05 08:54:58 c2s55c5b1bb3ca0 info Client connected
Aug 05 08:54:58 c2s55c5b1bb3ca0 info Client disconnected: ssl handshake failed

jicofo.log :

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)

jvb.log :

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
… 22 more
2020-08-05 08:30:34.408 GRAVE: [19] AbstractHealthCheckService.run#185: Health check failed in PT0.000058S:
java.lang.Exception: Address discovery through STUN failed
at org.jitsi.videobridge.health.Health.performCheck(Health.java:156)
at org.jitsi.health.AbstractHealthCheckService.run(AbstractHealthCheckService.kt:155)
at org.jitsi.utils.concurrent.RecurringRunnableExecutor.run(RecurringRunnableExecutor.java:216)
at org.jitsi.utils.concurrent.RecurringRunnableExecutor.runInThread(RecurringRunnableExecutor.java:292)
at org.jitsi.utils.concurrent.RecurringRunnableExecutor.access$000(RecurringRunnableExecutor.java:36)
at org.jitsi.utils.concurrent.RecurringRunnableExecutor$1.run(RecurringRunnableExecutor.java:328)

The installation worked fine before I tried to activate Secure Domain setup.

Can you help me solve that?

Thank you

Eric

No one to help me?

@eric.filippi, Welcome to the community!

Your issue starts here: invalid protocol (tlsv1_2+)

Can you attach your /etc/prosody/conf.avail/[your-hostname].cfg.lua so we can take a look?

Hi @corby!

Thank you. Here is the file:

mydomaine.cfg.lua.txt (4.2 KB)

Eric

Hi @eric.filippi.

  1. Which deployment guide did you use? [Debian/Ubuntu server, Docker or Manual installation]

  2. Can you run the following two commands to tell us the version of Jitsi and Prosody

This will tell us what version of Jitsi has been installed.
    dpkg -l | grep jitsi

    This will tell us what version of Prosody you are running.
    apt list -a prosody

  3. Before following the Secure Domain Setup guide, was everything working?

i.e.
https://your-domain/bluemonday
http://your-domain/bluemonday

re-hi,

  1. I used the Debian/Ubuntu server guide.
sudo dpkg -l | grep jitsi:
ii  jitsi-meet                      2.0.4857-1                                                    all          WebRTC JavaScript video conferences
ii  jitsi-meet-prosody              1.0.4289-1                                                    all          Prosody configuration for Jitsi Meet
ii  jitsi-meet-web                  1.0.4289-1                                                    all          WebRTC JavaScript video conferences
ii  jitsi-meet-web-config           1.0.4289-1                                                    all          Configuration for web serving of Jitsi Meet
ii  jitsi-videobridge2              2.1-273-g072dd44b-1                                           all          WebRTC compatible Selective Forwarding Unit (SFU)

sudo apt list -a prosody:
En train de lister... Fait
prosody/stretch-backports 0.11.2-1~bpo9+1 amd64
prosody/oldstable,oldstable,now 0.9.12-2+deb9u2 amd64  [installé, automatique]
  3. Before following the Secure Domain Setup guide, I tried to open a room and it seemed to work fine => I entered the room and my camera and audio were working well.

But when I rolled back the Secure Domain Setup, I checked the logs again and found that the error messages were still there in jicofo. So I stopped all the daemons to prevent them from filling my logs:

systemctl stop prosody.service
systemctl stop jicofo.service
systemctl stop jitsi-videobridge2.service

Eric

You seem to have succeeded in creating a Let’s Encrypt certificate, but it seems to lack the full chain, so I suspect you did not set up the certificate correctly:

 openssl s_client -connect classes.xxxx.com:443
CONNECTED(00000005)
depth=0 CN = classes.xxxx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = classes.xxxx.com
verify error:num=21:unable to verify the first certificate
verify return:1

Outside of this problem, you could eliminate the (unimportant) log error message about port 5281 by removing the comment in the following line:
-- https_ports = { };

Your authenticated setup is wrong: you should move the lobby and conference_duration lines to the guest host.
See this post about the correct setup for lobby.

Another detail: when you tested your unauthenticated setup, you only connected from one computer; this is not a valid test, since with only one user no conference is created. In fact you are only testing your web server setup, not the video setup. A correct test should be done with 2 users first (p2p setup) and then with 3 users (videobridge setup).

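A small checker for the `openssl s_client` output quoted in the reply above, added here as an example and not part of the thread: it parses the depth and verify-error lines and flags the two error codes (20 and 21) that indicate the server sent only the leaf certificate without its intermediate. The sample transcripts are constructed from the outputs posted in this thread, with a placeholder host name.

```python
"""Flag an incomplete certificate chain in an `openssl s_client` transcript.
Added example for this thread; sample transcripts are constructed from the
outputs posted above, with a placeholder host name."""
import re
from dataclasses import dataclass, field

# X509 verify errors meaning the server sent only the leaf certificate
# and no intermediate; the leaf itself may be perfectly valid.
CHAIN_ERRORS = {20: "unable to get local issuer certificate",
                21: "unable to verify the first certificate"}

@dataclass
class ChainReport:
    depth: int = -1        # deepest depth seen; 2 means the root was reached
    errors: list = field(default_factory=list)  # (num, message) pairs
    verify_ok: bool = False  # "Verify return code: 0 (ok)" present

    @property
    def chain_incomplete(self) -> bool:
        return any(num in CHAIN_ERRORS for num, _ in self.errors)

def parse_s_client(transcript: str) -> ChainReport:
    """Only the depth=, verify error: and Verify return code lines matter."""
    report = ChainReport()
    for line in transcript.splitlines():
        if m := re.match(r"depth=(\d+)", line):
            report.depth = max(report.depth, int(m.group(1)))
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            report.errors.append((int(m.group(1)), m.group(2).strip()))
        elif line.strip() == "Verify return code: 0 (ok)":
            report.verify_ok = True
    return report

# Constructed: leaf only, as in the first check posted in the thread.
BROKEN = """depth=0 CN = classes.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = classes.example.com
verify error:num=21:unable to verify the first certificate
verify return:1"""
# Constructed: full chain served, as after the fix.
FIXED = """depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = classes.example.com
verify return:1
    Verify return code: 0 (ok)"""
```

On a live host, feed parse_s_client the text captured from `openssl s_client -connect host:443 </dev/null 2>&1`; a report with chain_incomplete set means the web server is pointed at cert.pem instead of fullchain.pem (or lacks a chain file).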

Hello,

Thank you for your help. I followed your instructions.

So I uncommented the line:

https_ports = { };

Here is the result of openssl s_client -connect classes.xxxx.com:443:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = classes.mydomain.com
verify return:1
---
Certificate chain
 0 s:CN = classes.mydomain.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXX
-----END CERTIFICATE-----
subject=CN = classes.mydomain.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3049 bytes and written 455 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECD...
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECD...
    Session-ID:
    Session-ID-ctx:
    Master-Key: D7E42...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1596793181
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed

I also modified /etc/prosody/conf.avail/classes.mydomain.com.cfg.lua with:

VirtualHost "guest.classes.mydomain.com"
    authentication = "anonymous"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/classes.mydomain.com.key";
        certificate = "/etc/prosody/certs/classes.mydomain.com.crt";
    }
    conference_duration_component = "conferenceduration.classes.mydomain.com"
    modules_enabled = {
            "conference_duration";
            "muc_lobby_rooms";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.classes.mydomain.com"
    main_muc = "conference.classes.mydomain.com"
    muc_lobby_whitelist = { "recorder.classes.mydomain.com" }

And removed the lobby module from the authenticated host.
Now I get the following message when I try to create a room:

404 Not Found
You can create new conversation here

I still have errors in the prosody log and err files.

prosody.err

Aug 07 09:32:25 certmanager     error   SSL/TLS: Error initialising for *: invalid protocol (tlsv1_2+)
Aug 07 09:32:25 modulemanager   error   Unable to load module 'storage_memory': /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory
Aug 07 09:32:25 storagemanager  error   Failed to load storage driver plugin memory on internal.auth.classes.espacelyonjapon.com: /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory
Aug 07 09:32:25 modulemanager   error   Unable to load module 'storage_memory': /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory
Aug 07 09:32:25 storagemanager  error   Failed to load storage driver plugin memory on internal.auth.classes.espacelyonjapon.com: /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory
Aug 07 09:32:25 modulemanager   error   Unable to load module 'storage_memory': /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory
Aug 07 09:32:25 storagemanager  error   Failed to load storage driver plugin memory on lobby.classes.espacelyonjapon.com: /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory
Aug 07 09:32:25 modulemanager   error   Unable to load module 'storage_memory': /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory
Aug 07 09:32:25 storagemanager  error   Failed to load storage driver plugin memory on lobby.classes.espacelyonjapon.com: /usr/lib/prosody/modules/mod_storage_memory.lua: No such file or directory

prosody.log

Aug 07 09:52:02 conference.classes.mydomain.com:muc_domain_mapper        warn    Session filters applied
Aug 07 09:52:02 c2s5625e9478480 info    Client connected
Aug 07 09:52:02 c2s5625e9478480 info    Client disconnected: ssl handshake failed

Here is an extract of my Apache virtual host:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin contact@mydomain.com
        ServerName classes.mydomain.com
        DocumentRoot "/usr/share/jitsi-meet"
        <Directory "/usr/share/jitsi-meet">
                Options Indexes MultiViews Includes FollowSymLinks
                AddOutputFilter Includes html
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        Header always set Strict-Transport-Security "max-age=63072000"
        ErrorDocument 404 /static/404.html
        Alias "/config.js" "/etc/jitsi/meet/classes.mydomain.com-config.js"
        <Location /config.js>
                Require all granted
        </Location>
        Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
        <Location /external_api.js>
                Require all granted
        </Location>
        ProxyPreserveHost on
        ProxyPass /http-bind http://localhost:5280/http-bind/
        ProxyPassReverse /http-bind http://localhost:5280/http-bind/

        RewriteEngine on
        RewriteRule ^/([a-zA-Z0-9]+)$ /index.html

        # enable HTTP/2, if available
        Protocols h2 http/1.1
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/letsencrypt/live/classes.mydomain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/classes.mydomain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/classes.mydomain.com/chain.pem
        SSLProtocol all +TLSv1.2
        SSLHonorCipherOrder off
        SSLSessionTickets off
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </VirtualHost>
</IfModule>

It still doesn’t work.

Eric

Yes, the certificate configuration is now correct.

I think that this comes from the old Prosody version (0.9.12 is not compatible with lobby anyway).

Sorry, I’m not familiar enough with Apache to be able to find out what could be wrong just by looking at a config file.

@eric.filippi, to update your Prosody version follow this guide carefully.

By the way, most of us are using nginx since that’s what the Jitsi development team recommends (and it is the default install on new setups).

Hope this helps!

Hi @eric.filippi.

Thank you for confirming you are using Apache2 (another question we need to ask for troubleshooting issues: what is the primary web server running on the OS).

Lengthy posting below, but if you follow it, it should make sense and help you troubleshoot the issue.

I spun up a FRESH Ubuntu 18.04 server and installed Apache2 WITHOUT setting up any virtual hosts.

I proceeded to install Jitsi via the Self-Hosting Guide - Debian/Ubuntu server.

I verified that I was able to access the site via http:// and https:// - where https:// would show that I had a self-signed certificate.

I made a copy of the Apache virtual host configuration so I can compare the Apache virtual host before the LetsEncrypt provisioning script.

For example:
cp /etc/apache2/sites-available/apache2.example.com.conf /home/service/BEFORE-SSL_apache2.example.com

Now…

I ran the LetsEncrypt script that comes included with the Jitsi installation package.

/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

The first time I ran it, it installed all of the necessary components for LetsEncrypt. This assumes that the Ubuntu OS is a fresh install.

When I run it the second time, it will then proceed with asking you for your email address and proceed with provisioning the LetsEncrypt SSL certificate.

I verified that I was able to access the site via http:// (redirects to https://) and where https:// would show that I had the LetsEncrypt SSL certificate installed correctly.

I made a copy of the Apache virtual host configuration so I can compare the Apache virtual host before the LetsEncrypt provisioning script.

For example:
cp /etc/apache2/sites-available/apache2.example.com.conf /home/service/AFTER-SSL_apache2.example.com

Now, when I do a diff on the BEFORE and AFTER configuration files, I can see that the Jitsi LetsEncrypt script will really just modify the SSLCertificateFile and SSLCertificateKeyFile directory of where the LetsEncrypt fullchain.pem and privkey.pem reside.

Before:
SSLCertificateFile /etc/jitsi/meet/apache2.example.com.crt
SSLCertificateKeyFile /etc/jitsi/meet/apache2.example.com.key

After:
SSLCertificateFile /etc/letsencrypt/live/apache2.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/apache2.example.com/privkey.pem

I’ve attached my BEFORE and AFTER Apache virtual host config files for you to see and compare with your own virtual host file.

My conclusion is that you have some specific Apache virtual host configs that need to be cleaned up or that you’re not using the LetsEncrypt script provided by the Jitsi Meet package.

Hope this helps!

BEFORE-SSL_apache2.example.com.conf.txt (1.8 KB)

AFTER-SSL_apache2.example.com.conf.txt (1.8 KB)

Hello @mangopudding,

Thank you for your message. I just came back from vacation; I’ll try to follow your advice and see if it corrects my problem.

To answer your 1st point: I’m using Apache2, which is the primary web server on my Debian server.

I’ll also analyse your before and after files.

Thanks again.

Eric