[SOLVED] How to manually set up jigasi for outgoing calls

Hi,

A year ago I struggled and managed to configure jigasi for outgoing calls.
Now, I’m trying to do the same and it seems that the configuration has changed.

So I’m starting from scratch.

Unfortunately, I find the jigasi documentation hard to follow.

The most relevant references I’ve found are:

(just a few options to secure jigasi)

which in a nutshell states I should define this in prosody:

Component "internal.auth.meet.example.com" "muc"
   storage = "memory"
   modules_enabled = {
     "ping";
   }
   admins = { "focus@auth.meet.example.com", "jigasi@auth.meet.example.com" }
   muc_room_locking = false
   muc_room_default_public_jids = true 

then set up sip-communicator.properties with SIP user and password.

Finally run:

prosodyctl register jigasi auth.meet.example.com topsecret

where “topsecret” is a password that should then be base64-encoded and set to net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.PASSWORD (sip-communicator.properties).

That should be it, right?

Well, I can see that the jigasi SIP extension is registered in my Asterisk PBX, but when I try to invite a number from a Jitsi Meet room I get a failure. This is what I see in the jigasi log:

2021-02-23 00:17:46.431 INFO: [82] org.igniterealtime.jbosh.BOSHClient.init() Starting with 1 request processors
2021-02-23 00:17:46.582 SEVERE: [82] impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin().1003 Failed to connect to XMPP service
org.jivesoftware.smack.SmackException$SecurityRequiredByClientException: SSL/TLS required by client but not supported by server
        at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:390)
        at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin(ProtocolProviderServiceJabberImpl.java:1309)
        at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin(ProtocolProviderServiceJabberImpl.java:970)
        at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.initializeConnectAndLogin(ProtocolProviderServiceJabberImpl.java:795)
        at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.register(ProtocolProviderServiceJabberImpl.java:500)
        at org.jitsi.jigasi.util.RegisterThread.run(RegisterThread.java:59)
2021-02-23 00:17:46.586 SEVERE: [82] org.jitsi.jigasi.JvbConference.registrationStateChanged().688 [ctx=1614035866370397052051] XMPP Connection failed.

The prosody log doesn’t show any errors:

Feb 23 00:16:25 c2s557248a39830 info    Authenticated as jigasi@auth.meet.example.com
Feb 23 00:17:21 mod_bosh        info    New BOSH session, assigned it sid '4858a079-a326-418e-9089-8b3890919571'
Feb 23 00:17:22 bosh4858a079-a326-418e-9089-8b3890919571        info    Authenticated as vm8fdycy4q4u3ono@guest.meet.example.com
Feb 23 00:17:33 mod_bosh        info    New BOSH session, assigned it sid '3006d288-d7a7-40b3-8725-c6c68ea3b9c6'
Feb 23 00:17:33 bosh3006d288-d7a7-40b3-8725-c6c68ea3b9c6        info    Authenticated as myuser@meet.example.com
Feb 23 00:17:34 bosh3006d288-d7a7-40b3-8725-c6c68ea3b9c6        info    BOSH client disconnected: session close
Feb 23 00:17:46 mod_bosh        info    New BOSH session, assigned it sid '195dc791-6fe1-478e-92f3-59b3e2a768e1'
Feb 23 00:17:46 bosh195dc791-6fe1-478e-92f3-59b3e2a768e1        info    BOSH client disconnected: session close

except for:

portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

So, is this simply a login mismatch or is there an SSL/TLS problem here?

This is my full jigasi sip-comm file:

# grep -v ^# /etc/jitsi/jigasi/sip-communicator.properties | grep -v ^$
org.jitsi.jigasi.MUC_SERVICE_ADDRESS=conference.meet.example.com
net.java.sip.communicator.impl.protocol.SingleCallInProgressPolicy.enabled=false
net.java.sip.communicator.impl.neomedia.codec.audio.opus.encoder.COMPLEXITY=10
net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=false
net.java.sip.communicator.impl.protocol.sip.acc1403273890647=acc1403273890647
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.ACCOUNT_UID=SIP\:4901@pbx.example.com
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PASSWORD=TWVldFVwQXRITWFu
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PROTOCOL_NAME=SIP
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_ADDRESS=pbx.example.com
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.USER_ID=4901@pbx.example.com
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.KEEP_ALIVE_INTERVAL=25
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.KEEP_ALIVE_METHOD=OPTIONS
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.VOICEMAIL_ENABLED=false
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.AMR-WB/16000=750
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.G722/8000=700
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.GSM/8000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.H263-1998/90000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.H264/90000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.PCMA/8000=600
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.PCMU/8000=650
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.SILK/12000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.SILK/16000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.SILK/24000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.SILK/8000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.VP8/90000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.iLBC/8000=10
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.opus/48000=1000
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.red/90000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.speex/16000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.speex/32000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.speex/8000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.telephone-event/8000=1
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.Encodings.ulpfec/90000=0
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.OVERRIDE_ENCODINGS=true
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.DEFAULT_ENCRYPTION=false
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.DOMAIN_BASE=meet.example.com
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1=acc-xmpp-1
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ACCOUNT_UID=Jabber:jigasi@auth.meet.example.com
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.USER_ID=jigasi@auth.meet.example.com
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IS_SERVER_OVERRIDDEN=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.SERVER_ADDRESS=127.0.0.1
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.SERVER_PORT=5222
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ALLOW_NON_SECURE=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.PASSWORD=bGFMcjk3YWRNQXlzY1U3RQ==
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.AUTO_GENERATE_RESOURCE=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.RESOURCE_PRIORITY=30
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.KEEP_ALIVE_METHOD=XEP-0199
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.KEEP_ALIVE_INTERVAL=30
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.CALLING_DISABLED=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.JINGLE_NODES_ENABLED=false
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IS_CARBON_DISABLED=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.DEFAULT_ENCRYPTION=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IS_USE_ICE=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IS_ACCOUNT_DISABLED=false
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IS_PREFERRED_PROTOCOL=false
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.AUTO_DISCOVER_JINGLE_NODES=false
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.PROTOCOL=Jabber
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IS_USE_UPNP=false
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IM_DISABLED=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.SERVER_STORED_INFO_DISABLED=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.IS_FILE_TRANSFER_DISABLED=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.USE_DEFAULT_STUN_SERVER=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ENCRYPTION_PROTOCOL.DTLS-SRTP=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ENCRYPTION_PROTOCOL_STATUS.DTLS-SRTP=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.OVERRIDE_ENCODINGS=true
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.G722/8000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.GSM/8000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.H263-1998/90000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.H264/90000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.PCMA/8000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.PCMU/8000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.SILK/12000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.SILK/16000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.SILK/24000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.SILK/8000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.VP8/90000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.iLBC/8000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.opus/48000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.speex/16000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.speex/32000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.Encodings.speex/8000=0
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.BREWERY=JigasiBrewery@internal.auth.meet.example.com
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.BOSH_URL_PATTERN=https://{host}{subdomain}/http-bind?room={roomName}
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.DOMAIN_BASE=meet.example.com
org.jitsi.jigasi.ALLOWED_JID=JigasiBrewery@internal.auth.meet.example.com
org.jitsi.jigasi.BREWERY_ENABLED=true
org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true
org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS=127.0.0.1
org.jitsi.jigasi.xmpp.acc.VIDEO_CALLING_DISABLED=true
org.jitsi.jigasi.xmpp.acc.JINGLE_NODES_ENABLED=false
org.jitsi.jigasi.xmpp.acc.AUTO_DISCOVER_STUN=false
org.jitsi.jigasi.xmpp.acc.IM_DISABLED=true
org.jitsi.jigasi.xmpp.acc.SERVER_STORED_INFO_DISABLED=true
org.jitsi.jigasi.xmpp.acc.IS_FILE_TRANSFER_DISABLED=true
org.jitsi.jigasi.ENABLE_SIP=true
net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED=true
org.jitsi.jigasi.USE_SIP_USER_AS_XMPP_RESOURCE=true
org.jitsi.jigasi.xmpp.acc.USER_ID=meetvoip@meet.example.com
org.jitsi.jigasi.xmpp.acc.PASS=TuIfCJM2vOiP07500hOm
org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PREFERRED_TRANSPORT=udp
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.ACCOUNT_UID=SIP\:4901@10.215.147.115
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_ADDRESS=10.215.147.115
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_ADDRESS_VALIDATED=true
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_PORT=5060
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PROXY_ADDRESS=10.215.147.115
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PROXY_PORT=5060
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PROXY_ADDRESS_VALIDATED=true
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PROXY_AUTO_CONFIG=false
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.USER_ID=4901@10.215.147.115
org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME=testroom

And this is my complete prosody config file:

# cat /etc/prosody/conf.d/meet.example.com.cfg.lua
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.example.com";

turncredentials_secret = "aF9VS2uVJEzkDCDk";

turncredentials = {
    { type = "stun", host = "meet.example.com", port = "3478" },
    { type = "turn", host = "meet.example.com", port = "3478", transport = "udp" },
    { type = "turns", host = "meet.example.com", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meet.example.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "cyrus"
    cyrus_application_name = "xmpp"
    allow_unencrypted_plain_auth = true

    -- authentication = "ldap2"

    -- authentication = "external"
    -- external_auth_command = "/etc/prosody/conf.avail/custom_prosody_auth.sh"

    -- authentication = "internal_hashed"

    -- authentication = "anonymous"

    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meet.example.com.key";
        certificate = "/etc/prosody/certs/meet.example.com.crt";
    }
    speakerstats_component = "speakerstats.meet.example.com"
    conference_duration_component = "conferenceduration.meet.example.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "auth_cyrus";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.meet.example.com"
    main_muc = "conference.meet.example.com"
    -- muc_lobby_whitelist = { "recorder.meet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        --"token_verification";
    }
    admins = { "focus@auth.meet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.meet.example.com", "jvb@auth.meet.example.com", "jigasi@auth.meet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meet.example.com"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.example.com.key";
        certificate = "/etc/prosody/certs/auth.meet.example.com.crt";
    }
    authentication = "internal_plain"

Component "focus.meet.example.com"
    component_secret = "4pSePkRM"

Component "speakerstats.meet.example.com" "speakerstats_component"
    muc_component = "conference.meet.example.com"

Component "conferenceduration.meet.example.com" "conference_duration_component"
    muc_component = "conference.meet.example.com"

Component "lobby.meet.example.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
    speakerstats_component = "speakerstats.meet.example.com"
    conference_duration_component = "conferenceduration.meet.example.com"
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
    }
    lobby_muc = "lobby.meet.example.com"
    main_muc = "conference.meet.example.com"
    c2s_require_encryption = false

root@meet:/var/lib/prosody/auth%2emeet%2eexample%2ecom/accounts# ls
focus.dat jigasi.dat jvb.dat
root@meet:/var/lib/prosody/auth%2emeet%2eexample%2ecom/accounts# cat *
return {
["password"] = "wripIhDX";
};
return {
["password"] = "laLr97adMAyscU7E";
};
return {
["password"] = "gnY0Ym9o";
};

What can I try (like I said, I’m only interested in outgoing jigasi calls)?

I’m also aware of a third-party setup script found at jitsi/jitsi_setup.sh at master · pregalla/jitsi · GitHub.
However, correct me if I’m wrong, but it seems that org.jitsi.jigasi.xmpp.acc.USER_ID and org.jitsi.jigasi.xmpp.acc.PASS are not used for outgoing calls, are they?
Also, I don’t understand the “hidden domain” part of the script below (in any case, it differs from the “official” jigasi guide):

enable_jigasi_authentication()
{
    logit
    logit "Enabling Authentication for jigasi..."

    JIGASI_SIP_COMM_FILE=/etc/jitsi/jigasi/sip-communicator.properties

    #JIGASI_USER=$(< /dev/urandom tr -dc a-z0-9 | head -c10)
    JIGASI_USER="transcriber"

    JIGASI_PASSWORD=$(< /dev/urandom tr -dc a-z0-9 | head -c10)
    
    #Add a new domain in prosody
    #Modify to internal_hashed if needed
    echo -e "\nVirtualHost \"$HIDDEN_DOMAIN\"\n\tauthentication = \"internal_plain\"\n\tc2s_require_encryption = false"|sudo tee -a /etc/prosody/conf.d/"$SERVER_FQDN".cfg.lua > /dev/null

    #Register this domain so that transcriber joins hidden
    sudo prosodyctl register "$JIGASI_USER" "$HIDDEN_DOMAIN" "$JIGASI_PASSWORD"
    [ $? = 0 ] && logit "Registered user '$JIGASI_USER'..." ||
            logit "*** ERROR ***: prosodyctl - Error registering user '$JIGASI_USER' to $HIDDEN_DOMAIN"
    
    sudo sed -i "s/^#.*org.jitsi.jigasi.xmpp.acc.USER_ID=.*/org.jitsi.jigasi.xmpp.acc.USER_ID="$JIGASI_USER"@"$HIDDEN_DOMAIN"/" "$JIGASI_SIP_COMM_FILE"
    sudo sed -i "s/^#.*org.jitsi.jigasi.xmpp.acc.PASS=.*/org.jitsi.jigasi.xmpp.acc.PASS="$JIGASI_PASSWORD"/" "$JIGASI_SIP_COMM_FILE"
    sudo sed -i 's/^#.*org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=.*/org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false/' "$JIGASI_SIP_COMM_FILE"

    #Also allow non secure connections to xmpp(for self-signed certs, I think)
    sudo sed -i '/org.jitsi.jigasi.xmpp.acc.USER_ID=/i org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true' "$JIGASI_SIP_COMM_FILE"

    logit "Enabling Authentication for jigasi: COMPLETE..."
    logit
}

where

HIDDEN_DOMAIN="$PRODUCT_NAME.hiddendomain.com"

PRODUCT_NAME=jitsi

Try adding org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true. Does that make a difference?

That did the trick. Thanks, damencho.

So, just to clear things up a little, what’s the difference between

net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ALLOW_NON_SECURE=true

and

org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true

?

This is the account that is used to connect to the control room. It connects when jigasi is started and is connected till it is stopped.

These are the settings for the account used to connect in room. This account is created every time jigasi tries to connect to a room/conference. And when it leaves the conference that account is removed.

Thanks, Damian.

It was working until for some odd reason it started failing again, but this time with the following SASL error in the jigasi log.

2021-02-23 18:39:35.038 INFO: [87] org.jitsi.jigasi.xmpp.CallControl.handleDialIq().195 [ctx=1614101975037581935972] Got dial request fromnumber -> 123456789 room: room5@conference.meet.example.com
2021-02-23 18:39:35.052 INFO: [87] org.jitsi.jigasi.JvbConference.start().490 [ctx=1614101975037581935972] Starting JVB conference room: room5@conference.meet.example.com
2021-02-23 18:39:35.063 INFO: [87] org.jitsi.jigasi.JvbConference.setXmppProvider().633 [ctx=1614101975037581935972] Using ProtocolProviderServiceJabberImpl(Jabber:123456789@meet.example.com/123456789)
2021-02-23 18:39:35.111 INFO: [90] org.igniterealtime.jbosh.BOSHClient.init() Starting with 1 request processors
2021-02-23 18:39:35.262 INFO: [90] impl.protocol.jabber.OperationSetBasicTelephonyJabberImpl.registrationStateChanged().127 Jingle : ON
2021-02-23 18:39:35.262 INFO: [90] org.jitsi.jigasi.JvbConference.registrationStateChanged().684 [ctx=1614101975037581935972] Registering XMPP.
2021-02-23 18:39:35.310 SEVERE: [90] impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin().1003 Failed to connect to XMPP service
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using PLAIN: not-authorized
        at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:292)
        at org.jivesoftware.smack.bosh.XMPPBOSHConnection$BOSHPacketReader.responseReceived(XMPPBOSHConnection.java:538)
        at org.igniterealtime.jbosh.BOSHClient.fireResponseReceived(BOSHClient.java:1610)
        at org.igniterealtime.jbosh.BOSHClient.processExchange(BOSHClient.java:1145)
        at org.igniterealtime.jbosh.BOSHClient.processMessages(BOSHClient.java:999)
        at org.igniterealtime.jbosh.BOSHClient.access$300(BOSHClient.java:100)
        at org.igniterealtime.jbosh.BOSHClient$RequestProcessor.run(BOSHClient.java:1728)
        at java.base/java.lang.Thread.run(Thread.java:834)
2021-02-23 18:39:35.312 SEVERE: [90] org.jitsi.jigasi.JvbConference.registrationStateChanged().688 [ctx=1614101975037581935972] XMPP Connection failed.

I don’t know why it’s trying to authenticate via SASL if I set
authentication = "internal_plain"
in the auth.meet.example.com VirtualHost.

The only SASL authentication is used within the meet.example.com VirtualHost.

Here’s my prosody conf file:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.example.com";

turncredentials_secret = "aF9VS2uVJEzkDCDk";

turncredentials = {
    { type = "stun", host = "meet.example.com", port = "3478" },
    { type = "turn", host = "meet.example.com", port = "3478", transport = "udp" },
    { type = "turns", host = "meet.example.com", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meet.example.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "cyrus"
    cyrus_application_name = "xmpp"
    allow_unencrypted_plain_auth = true

    -- authentication = "ldap2"

    -- authentication = "external"
    -- external_auth_command = "/etc/prosody/conf.avail/custom_prosody_auth.sh"

    -- authentication = "internal_hashed"

    -- authentication = "anonymous"

    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meet.example.com.key";
        certificate = "/etc/prosody/certs/meet.example.com.crt";
    }
    speakerstats_component = "speakerstats.meet.example.com"
    conference_duration_component = "conferenceduration.meet.example.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "auth_cyrus";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.meet.example.com"
    main_muc = "conference.meet.example.com"
    -- muc_lobby_whitelist = { "recorder.meet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        --"token_verification";
    }
    admins = { "focus@auth.meet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.meet.example.com", "jvb@auth.meet.example.com", "jigasi@auth.meet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meet.example.com"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.example.com.key";
        certificate = "/etc/prosody/certs/auth.meet.example.com.crt";
    }
    authentication = "internal_plain"

Component "focus.meet.example.com"
    component_secret = "4pSePkRM"

Component "speakerstats.meet.example.com" "speakerstats_component"
    muc_component = "conference.meet.example.com"

Component "conferenceduration.meet.example.com" "conference_duration_component"
    muc_component = "conference.meet.example.com"

Component "lobby.meet.example.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
    speakerstats_component = "speakerstats.meet.example.com"
    conference_duration_component = "conferenceduration.meet.example.com"
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
    }
    lobby_muc = "lobby.meet.example.com"
    main_muc = "conference.meet.example.com"
    c2s_require_encryption = false

These are the registered users:

# ls /var/lib/prosody/auth%2emeet%2eexample%2ecom/accounts/
focus.dat  jigasi.dat  jvb.dat

I guess it’s back to the old drawing board.

What did I do wrong?

OK, so I keep mixing these users up.
The problem I’m facing is that when I activated sasl auth for VirtualHost meet.example.com, I had my org.jitsi.jigasi.xmpp.acc.USER_ID defined in the same domain.
I am thinking of changing it to something like:
org.jitsi.jigasi.xmpp.acc.USER_ID=whatever@auth.meet.example.com

and then create/register that user with prosodyctl in that domain.

Is it safe to do so?
Or should I use a “hidden” make-believe domain like the third-party setup script I mentioned earlier does?

Yep, that is fine.

OK, finally got it working.
However, there’s still one use case where jigasi outgoing calls seem to fail.
When I create a new room and enable the lobby feature, the dialed numbers do not ring.
I get this in the jigasi log:

2021-02-23 22:43:24.778 INFO: [798] org.jitsi.jigasi.xmpp.CallControl.handleDialIq().195 [ctx=16141166047781302897791] Got dial request fromnumber -> 123456789 room: room10@conference.meet.example.com
2021-02-23 22:43:24.778 INFO: [798] org.jitsi.jigasi.JvbConference.start().490 [ctx=16141166047781302897791] Starting JVB conference room: room10@conference.meet.example.com
2021-02-23 22:43:24.780 INFO: [798] org.jitsi.jigasi.JvbConference.setXmppProvider().633 [ctx=16141166047781302897791] Using ProtocolProviderServiceJabberImpl(Jabber:123456789@meet.example.com/123456789)
2021-02-23 22:43:24.784 INFO: [802] org.igniterealtime.jbosh.BOSHClient.init() Starting with 1 request processors
2021-02-23 22:43:24.811 INFO: [802] impl.protocol.jabber.OperationSetBasicTelephonyJabberImpl.registrationStateChanged().127 Jingle : ON
2021-02-23 22:43:24.812 INFO: [802] org.jitsi.jigasi.JvbConference.registrationStateChanged().684 [ctx=16141166047781302897791] Registering XMPP.
2021-02-23 22:43:24.843 INFO: [802] impl.protocol.jabber.ProtocolProviderServiceJabberImpl.authenticated().2423 Authenticated: false
2021-02-23 22:43:24.845 INFO: [802] org.jitsi.jigasi.JvbConference.joinConferenceRoom().775 [ctx=16141166047781302897791] Joining JVB conference room: room10@conference.meet.example.com
2021-02-23 22:43:24.873 WARNING: [412] impl.protocol.jabber.ChatRoomJabberImpl.processStanza().3257 Unable to handle packet: Presence Stanza [to=meetvoip@auth.meet.example.com/123456789,from=room10@conference.meet.example.com/123456789,id=837w2-518,type=error,]
2021-02-23 22:43:24.873 SEVERE: [802] impl.protocol.jabber.ChatRoomJabberImpl.joinAs().770 Failed to join chat room room10@conference.meet.example.com with nickname: 123456789. The chat room requires registration.
2021-02-23 22:43:24.873 INFO: [802] org.jitsi.jigasi.JvbConference.joinConferenceRoom().985 [ctx=16141166047781302897791] Lobby enabled by moderator! Will try to join lobby!
2021-02-23 22:43:24.881 SEVERE: [802] org.jitsi.jigasi.JvbConference.registrationStateChanged().673 [ctx=16141166047781302897791] Registered bosh sid: 98cf2e4f-7cc1-4ef3-b020-dc141c0b207e

Is this on purpose?

Shouldn’t the call be made and the user be put in the lobby until he/she is admitted in the room?
I see the message “Will try to join lobby!”, but the destination number doesn’t even ring.

That is true.

Never mind. I think it’s because I had the “lobby modules and settings” within the guest.domain.com VirtualHost. I believe it is now important NOT to specify anything regarding lobby in there. Basically, I left it as:
VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
    c2s_require_encryption = false

and I now get an “allow” button in the room BEFORE the number gets dialed. Which makes sense.

Works great now.

Big thanks!
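
Added example, not part of the original thread and not Jitsi project code: a small checker for the two points the thread turns on, namely which of the two jigasi XMPP accounts allows a non-TLS connection (and to which server), and whether each account's USER_ID domain is a Prosody VirtualHost that can authenticate a prosodyctl-registered user. The function names, warning labels and sample input are constructed for illustration; the rule that such accounts need an `internal_*` backend is an assumption consistent with the diagnosis given above.

```python
import re

# Property prefixes of the two XMPP accounts discussed in the thread.
ACCOUNTS = {
    "control": "net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.",
    "per-call": "org.jitsi.jigasi.xmpp.acc.",
}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample input modelled on the thread (secrets left out).
SAMPLE_PROPS = """\
# control-room account
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.USER_ID=jigasi@auth.meet.example.com
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.SERVER_ADDRESS=127.0.0.1
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ALLOW_NON_SECURE=true
# per-call account
org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS=127.0.0.1
org.jitsi.jigasi.xmpp.acc.USER_ID=meetvoip@meet.example.com
"""

SAMPLE_PROSODY = """\
VirtualHost "meet.example.com"
    authentication = "cyrus"
    -- authentication = "internal_hashed"
Component "conference.meet.example.com" "muc"
    storage = "memory"
VirtualHost "auth.meet.example.com"
    authentication = "internal_plain"
VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
"""


def parse_properties(text):
    """Parse key=value lines; a later duplicate key overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def vhost_auth(prosody_cfg):
    """Map each VirtualHost to its authentication backend (None if unset)."""
    hosts, current = {}, None
    for raw in prosody_cfg.splitlines():
        line = raw.split("--", 1)[0].strip()  # drop Lua line comments
        section = re.match(r'(VirtualHost|Component)\s+"([^"]+)"', line)
        if section:
            # Settings under a Component do not belong to the previous host.
            current = section.group(2) if section.group(1) == "VirtualHost" else None
            if current:
                hosts.setdefault(current, None)
            continue
        auth = re.match(r'authentication\s*=\s*"([^"]+)"', line)
        if auth and current:
            hosts[current] = auth.group(1)
    return hosts


def audit(props, hosts):
    """Summarise both accounts and list warnings for each."""
    report = {}
    for name, prefix in ACCOUNTS.items():
        user = props.get(prefix + "USER_ID", "")
        domain = user.partition("@")[2]
        server = props.get(prefix + "SERVER_ADDRESS", domain)
        cleartext = props.get(prefix + "ALLOW_NON_SECURE", "false").lower() == "true"
        backend = hosts.get(domain)
        warnings = []
        if cleartext and server not in LOOPBACK:
            # Credentials may cross the network without TLS.
            warnings.append("cleartext-off-host")
        if domain not in hosts:
            warnings.append("unknown-vhost")
        elif backend is not None and not backend.startswith("internal_"):
            # Assumption: a prosodyctl-registered account only logs in on a
            # host that uses one of Prosody's internal_* backends.
            warnings.append("auth-backend-mismatch")
        report[name] = {"user": user, "server": server,
                        "cleartext_allowed": cleartext,
                        "vhost_auth": backend, "warnings": warnings}
    return report


if __name__ == "__main__":
    result = audit(parse_properties(SAMPLE_PROPS), vhost_auth(SAMPLE_PROSODY))
    for name, info in result.items():
        print(name, info)
```

On the constructed sample, the per-call account is reported with `cleartext_allowed` false and an `auth-backend-mismatch` warning, which are the two conditions behind the TLS and `not-authorized` errors in the logs above.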