Stopped working on FreeBSD again

I have had Jitsi Meet running on FreeBSD 13.1 since I managed to find a way to fix it after an update some months ago. Recently, also after an update of some package, it was suddenly broken again: no audio or video, and lots of errors in the logs about localhost not being served etc. So I decided to start over with fresh configuration files and just edit the things I need, since that is what helped me last time.

But now it does not work at all, even if I start with the sample configuration files and just edit passwords, certificate paths and domain names according to my environment.

jicofo.log:

Jicofo 2022-10-27 00:49:35.587 SEVERE: [79] [xmpp_connection=client] XmppProviderImpl.doConnect#228: Failed to connect/login: SASLError using SCRAM-SHA-1: not-authorized
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized
        at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:286)
        at org.jivesoftware.smack.AbstractXMPPConnection.lambda$new$2(AbstractXMPPConnection.java:407)
        at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.accept(NonzaCallback.java:177)
        at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.access$200(NonzaCallback.java:166)
        at org.jivesoftware.smack.NonzaCallback.onNonzaReceived(NonzaCallback.java:46)
        at org.jivesoftware.smack.AbstractXMPPConnection.parseAndProcessNonza(AbstractXMPPConnection.java:1447)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1700(XMPPTCPConnection.java:130)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1007)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:913)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:936)
        at java.base/java.lang.Thread.run(Thread.java:829)

I have used prosodyctl register to register the focus user with the same password as on the password line in jicofo.conf.

The jicofo.conf file:

jicofo {

  sctp {
    enabled = false
  }

  xmpp {
    client {
      enabled = true
      hostname = "localhost"
      port = 5222
      domain = "auth.my.domain.local"
      username = "focus"
      password = "SECRETpwd"
      conference-muc-jid = "conference.my.domain.local"
      client-proxy = "focus.my.domain.local"
      disable-certificate-verification = true
    }
  }
}

And jitsi-videobridge.conf:

videobridge {
  http-servers {
    public {
      port = 9090
    }
  }
  websockets {
    enabled = true
    domain = "my.domain.local:443"
    tls = true
    server-id = "default-id"
  }
  sctp {
    enabled = false
  }

  stats {
    # Enable broadcasting stats/presence in a MUC
    enabled = true
    transports = [
      { type = "colibri" }
    ]
  }

  apis {
    xmpp-client {
      configs {
        xmpp-server-1 {
          hostname = "localhost"
          domain = "auth.my.domain.local"
          username = "jvb"
          password = "SECRETpwd"
          muc_jids = "JvbBrewery@internal.auth.my.domain.local"
          muc_nickname = "unique-instance-id"
          disable_certificate_verification = true
        }
      }
    }
  }

  ice {
    tcp {
      enabled = true
      port = 4443
    }

    udp {
      port = 10000
    }
  }
}

For Prosody, I just added Include conf.d/*.cfg.lua at the end of prosody.cfg.lua and then created conf.d/my.domain.local.cfg.lua:

plugin_paths = { "/usr/local/lib/jitsi-prosody-plugins" }

VirtualHost "my.domain.local"
    authentication = "anonymous"
    ssl = {
        key = "/var/db/prosody/my.domain.local.key";
        certificate = "/var/db/prosody/my.domain.local.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
    }
    c2s_require_encryption = false

VirtualHost "auth.my.domain.local"
    ssl = {
        key = "/var/db/prosody/auth.my.domain.local.key";
        certificate = "/var/db/prosody/auth.my.domain.local.crt";
    }
    authentication = "internal_hashed"

admins = { "focus@auth.my.domain.local" }

Component "conference.my.domain.local" "muc"
Component "jitsi-videobridge.my.domain.local"
    component_secret = "SECRETpwd"
Component "focus.my.domain.local"
    component_secret = "SECRETpwd"

Does anyone have any ideas? I have tried to remove all Prosody users and register focus and jvb again with passwords matching the corresponding config files, but nothing seems to help. I still get log messages about “SASLError using SCRAM-SHA-1: not-authorized”.

You can change the authentication method to internal_plain, and you can check /var/lib/prosody: whether it's in the right folder matching the domain and, in the file, whether the password is ok.

Also, your prosody config is very old, still using a component for jvb …

Here is the latest template

Your jicofo config is missing the brewery:

The easiest way is to spin up an Ubuntu VM, install the Debian packages and take the latest configs.

There is a command to execute for the focus user after it logs in successfully

To keep it updated, you need to monitor changes in the debian folder and the templates for the configs in jitsi-meet/doc/debian …

Thanks for your reply!

I tried several different Prosody and Jicofo configuration files found in this forum and in various scripts and locations, just to see if I could get anything working; that is probably why I got the Component configuration for jvb. I did not have that the last time I had this up and running.

Now I have instead tried the latest Prosody sample and used the sample config files for jicofo and jvb (just changed domain names), and tried to set things up similarly to how the install scripts do it under Linux. That is, building certificates, calling the mod_roster commands mentioned above, etc. I still get authentication errors in jicofo.log, but there is an interesting thing going on in prosody.log when that happens. I had not noticed that before:

Oct 27 16:54:25 connn8qfzGbhXWoq        debug   New connection FD 17 (127.0.0.1, 60326, 127.0.0.1, 5222) on server FD 6 (*, 5222)
Oct 27 16:54:25 connn8qfzGbhXWoq        debug   Connected (FD 17 (127.0.0.1, 60326, 127.0.0.1, 5222))
Oct 27 16:54:25 c2s803d63f80    info    Client connected
Oct 27 16:54:25 runner4l5kra0Jb6WM      debug   creating new coroutine
Oct 27 16:54:25 c2s803d63f80    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 27 16:54:25 c2s803d63f80    debug   Sending[c2s_unauthed]: <?xml version='1.0'?>
Oct 27 16:54:25 c2s803d63f80    debug   Sent reply <stream:stream> to client
Oct 27 16:54:25 c2s803d63f80    warn    No stream features to offer on insecure session. Check encryption and security settings.
Oct 27 16:54:25 c2s803d63f80    debug   Disconnecting client, <stream:error> is: <stream:error><undefined-condition xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>No stream features to proceed with</text></stream:error>
Oct 27 16:54:25 c2s803d63f80    debug   Sending[c2s_unauthed]: <stream:error>
Oct 27 16:54:25 c2s803d63f80    debug   Sending[c2s_unauthed]: </stream:stream>
Oct 27 16:54:25 c2s803d63f80    debug   c2s stream for 127.0.0.1 closed: No stream features to proceed with
Oct 27 16:54:25 c2s803d63f80    debug   Destroying session for (unknown) ((unknown)@auth.my.domain.local): No stream features to proceed with
Oct 27 16:54:25 connn8qfzGbhXWoq        debug   Close after writing remaining buffered data
Oct 27 16:54:25 connn8qfzGbhXWoq        debug   Closing now
Oct 27 16:54:25 c2s803d63f80    info    Client disconnected: connection closed
Oct 27 16:54:25 c2s803d63f80    debug   Destroying session for (unknown) ((unknown)@(unknown))

Particularly this “No stream features to offer on insecure session. Check encryption and security settings.”: could that be some kind of root cause of the problems here? It must be some kind of config issue with Prosody, right?
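As an added diagnostic aid (not code from this thread, nor from the Prosody or Jitsi projects), the script below reconstructs each c2s session from Prosody debug-log lines in the format quoted in this thread, so a plaintext session that Prosody rejects with “No stream features to offer” is told apart from one that completes STARTTLS and reaches SASL. The sample log is constructed from the excerpts posted here; the verdict wording is my own.

```python
"""Reconstruct per-session c2s progress from a Prosody debug log.

Added example, not part of the original thread. For every c2s* session it
records the target host, whether the plaintext session was refused stream
features, the negotiated TLS parameters, the offered SASL mechanisms, the
mechanism the client chose and the close reason, then prints a verdict.
"""
import re
from collections import OrderedDict

# Prosody 0.12 log line: "<Mon DD HH:MM:SS> <source> <level> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+"
    r"(?P<level>debug|info|warn|error)\s+(?P<msg>.*)$"
)

# Constructed sample: the rejected session and the later STARTTLS+SASL
# session from the excerpts quoted in this thread.
SAMPLE_LOG = """\
Oct 27 16:54:25 connn8qfzGbhXWoq        debug   New connection FD 17 (127.0.0.1, 60326, 127.0.0.1, 5222) on server FD 6 (*, 5222)
Oct 27 16:54:25 c2s803d63f80    info    Client connected
Oct 27 16:54:25 c2s803d63f80    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 27 16:54:25 c2s803d63f80    warn    No stream features to offer on insecure session. Check encryption and security settings.
Oct 27 16:54:25 c2s803d63f80    debug   c2s stream for 127.0.0.1 closed: No stream features to proceed with
Oct 27 16:54:25 c2s803d63f80    info    Client disconnected: connection closed
Oct 28 12:07:45 c2s80412f1c0    info    Client connected
Oct 28 12:07:45 c2s80412f1c0    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 28 12:07:45 c2s80412f1c0    debug   Not offering authentication on insecure connection
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    info    Stream encrypted (TLSv1.3 with TLS_AES_256_GCM_SHA384)
Oct 28 12:07:45 c2s80412f1c0    debug   Offering usable mechanisms: PLAIN, SCRAM-SHA-1
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s_unauthed]: <auth mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl' xml:lang='en'>
"""


def parse_lines(text):
    """Yield (timestamp, source, level, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("src"), m.group("level"), m.group("msg")


def sessions_from_log(text):
    """Group c2s* lines by session id and track how far each session got."""
    sessions = OrderedDict()
    for _ts, src, _level, msg in parse_lines(text):
        if not src.startswith("c2s"):
            continue  # conn*/runner* lines carry no per-session state
        s = sessions.setdefault(src, {
            "host": None, "insecure_rejected": False, "tls": None,
            "mechanisms": [], "sasl_mechanism": None, "close_reason": None,
        })
        m = re.search(r"opening <stream:stream> to (\S+)", msg)
        if m:
            s["host"] = m.group(1)
        elif "No stream features to offer on insecure session" in msg:
            s["insecure_rejected"] = True  # no STARTTLS offered, nothing else allowed
        elif msg.startswith("Stream encrypted ("):
            s["tls"] = msg[len("Stream encrypted ("):-1]
        elif msg.startswith("Offering usable mechanisms: "):
            s["mechanisms"] = [x.strip() for x in msg.split(":", 1)[1].split(",")]
        else:
            m = re.search(r"<auth mechanism='([^']+)'", msg)
            if m:
                s["sasl_mechanism"] = m.group(1)
            m = re.search(r"c2s stream for \S+ closed: (.*)$", msg)
            if m:
                s["close_reason"] = m.group(1)
    return sessions


def diagnose(session):
    """Return a one-line verdict saying where the session stopped."""
    host = session["host"] or "(unknown host)"
    if session["insecure_rejected"]:
        return (f"{host}: plaintext session got no stream features (no STARTTLS "
                "offered while encryption is required); check the ssl/certificate "
                "settings of that VirtualHost before looking at passwords")
    if session["tls"] and session["sasl_mechanism"]:
        return (f"{host}: TLS up ({session['tls']}); client chose "
                f"{session['sasl_mechanism']} of {', '.join(session['mechanisms'])}; "
                "a not-authorized from here on concerns the account, not the transport")
    if session["tls"]:
        return f"{host}: TLS up ({session['tls']}), no SASL attempt seen"
    return f"{host}: closed before TLS ({session['close_reason'] or 'no reason logged'})"


def report(text=SAMPLE_LOG):
    """Map each c2s session id to its verdict."""
    return {sid: diagnose(s) for sid, s in sessions_from_log(text).items()}


if __name__ == "__main__":
    for sid, verdict in report().items():
        print(sid, "->", verdict)
```

Feed it a real prosody.log with debug level enabled (as in the excerpts above) to see which sessions never get past the plaintext stage.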

Any errors on starting up prosody?

Do you have this: jitsi-meet/prosody.cfg.lua-jvb.example at 75d7c4b160189eae144eb1eb27c617e22093ff27 · jitsi/jitsi-meet · GitHub

Yes, I used that sample file for Prosody this time and just changed domain names etc. I see that if I start Prosody with console logging, there are some error messages that are not written to the log files:

modulemanager                               error       Unable to load module 'end_conference': /usr/local/lib/prosody/modules/share/lua/5.4/mod_end_conference/mod_end_conference.lua: No such file or directory
modulemanager                               error       Unable to load module 'room_metadata_component': /usr/local/lib/prosody/modules/share/lua/5.4/mod_room_metadata_component/mod_room_metadata_component.lua: No such file or directory
modulemanager                                                     error Unable to load module 'room_metadata': /usr/local/lib/prosody/modules/share/lua/5.4/mod_room_metadata/mod_room_metadata.lua: No such file or directory
modulemanager                                                     error Unable to load module 'end_conference': /usr/local/lib/prosody/modules/share/lua/5.4/mod_end_conference/mod_end_conference.lua: No such file or directory

This looks bad. Those files are entirely missing; they are not present anywhere. Am I missing some package that would install them? Or should references to them be disabled in prosody.cfg.lua?

I guess you are not using the latest … that’s why they are missing … but that is not the source of your problem; this can be ignored for now.

Actually … the connection to 5222 has nothing to do with bosh (the thing I sent you earlier …).
Hmm … probably the certificate used for 5222 is not globally trusted in the system:

On Debian-based systems this is done with:

To make jicofo ignore the certificate you can set this to true in your jicofo.conf:

Thanks a lot for all your help with this!

Not sure about what is latest or not; I have installed the latest available packages. Versions right now:

# pkg info|grep jitsi
jitsi-meet-1.0.6155            Secure, Simple and Scalable Video Conferences
jitsi-meet-full-2.0.7287_1     All components to run Jitsi Meet video conferencing
jitsi-prosody-plugins-2.0.7287 Prosody plugins for Jitsi Meet
jitsi-srtp-native-1.1.7        Native libraties to speed up jitsi-srtp
jitsi-videobridge-2.1.681      WebRTC compatible video router or SFU
# pkg info|grep prosody
jitsi-prosody-plugins-2.0.7287 Prosody plugins for Jitsi Meet
prosody-0.12.1_2               Simple extensible XMPP server written in Lua
prosody-modules-20220319       Prosody Community modules repository snapshot

I based the prosody config on prosody.cfg.lua-jvb.example and just changed domains etc. Then, just to confirm, I installed Jitsi Meet on an Ubuntu VM to see what the config files looked like there, and the prosody config actually looked quite different, with the config split between prosody.cfg.lua and conf.d/*.cfg.lua. I tried to copy that config to the FreeBSD box as well to give it a try. I also tried to copy all *.lua files from the plugin directory on Ubuntu over to FreeBSD to see if that would help.

I also found that I had mistakenly set the wrong permissions on /usr/local/etc/jitsi/jicofo/truststore.jks, so that was probably why the certificates did not validate correctly.

If I use prosody.cfg.lua based on the jvb-example file, I get this output in prosody.log:

Oct 28 12:04:02 mod_posix       info    Successfully daemonized to PID 5460
Oct 28 12:04:39 conn06m-1UNPCu6I        debug   New connection FD 17 (127.0.0.1, 54592, 127.0.0.1, 5222) on server FD 6 (*, 5222)
Oct 28 12:04:39 conn06m-1UNPCu6I        debug   Connected (FD 17 (127.0.0.1, 54592, 127.0.0.1, 5222))
Oct 28 12:04:39 c2s803d786c0    info    Client connected
Oct 28 12:04:39 runnerSY-dIRgM9M5L      debug   creating new coroutine
Oct 28 12:04:39 c2s803d786c0    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 28 12:04:39 c2s803d786c0    debug   Sending[c2s_unauthed]: <?xml version='1.0'?>
Oct 28 12:04:39 c2s803d786c0    debug   Sent reply <stream:stream> to client
Oct 28 12:04:39 c2s803d786c0    warn    No stream features to offer on insecure session. Check encryption and security settings.
Oct 28 12:04:39 c2s803d786c0    debug   Disconnecting client, <stream:error> is: <stream:error><undefined-condition xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>No stream features to proceed with</text></stream:error>
Oct 28 12:04:39 c2s803d786c0    debug   Sending[c2s_unauthed]: <stream:error>
Oct 28 12:04:39 c2s803d786c0    debug   Sending[c2s_unauthed]: </stream:stream>
Oct 28 12:04:39 c2s803d786c0    debug   c2s stream for 127.0.0.1 closed: No stream features to proceed with
Oct 28 12:04:39 c2s803d786c0    debug   Destroying session for (unknown) ((unknown)@auth.my.domain.local): No stream features to proceed with
Oct 28 12:04:39 conn06m-1UNPCu6I        debug   Close after writing remaining buffered data
Oct 28 12:04:39 conn06m-1UNPCu6I        debug   Closing now
Oct 28 12:04:39 c2s803d786c0    info    Client disconnected: connection closed
Oct 28 12:04:39 c2s803d786c0    debug   Destroying session for (unknown) ((unknown)@(unknown))

If I use prosody.cfg.lua and conf.d/*.cfg.lua based on what I found in the Ubuntu install, I get this output in prosody.log:

Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Globally load module", "http://prosody.im/protocol/modules#global-load"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Reload modules", "http://prosody.im/protocol/modules#reload"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Globally reload module", "http://prosody.im/protocol/modules#global-reload"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Shut Down Service", "http://jabber.org/protocol/admin#shutdown"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Unload modules", "http://prosody.im/protocol/modules#unload"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Globally unload module", "http://prosody.im/protocol/modules#global-unload"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Activate host", "http://prosody.im/protocol/hosts#activate"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_admin_adhoc: "Deactivate host", "http://prosody.im/protocol/hosts#deactivate"
Oct 28 12:07:26 modulemanager   warn    Not loading module, due to conflicting features 'mod_bookmarks': /usr/local/lib/prosody-modules/mod_bookmarks.lua
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_uptime: "Get uptime", "uptime"
Oct 28 12:07:26 modulemanager   debug   pep is already loaded for auth.my.domain.local, so not loading again
Oct 28 12:07:26 auth.my.domain.local:csi        debug   moduleapi: ignoring status [prio 0 override false]: Loaded
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_invites_adhoc: "Create new contact invite", "urn:xmpp:invite#invite"
Oct 28 12:07:26 auth.my.domain.local:adhoc      debug   Command added by mod_invites_adhoc: "Create new account invite", "urn:xmpp:invite#create-account"
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 breakout.my.domain.local:muc_domain_mapper      info    Loading mod_muc_domain_mapper for host auth.my.domain.local!
Oct 28 12:07:26 conference.my.domain.local:muc_domain_mapper    info    Loading mod_muc_domain_mapper for host auth.my.domain.local!
Oct 28 12:07:26 portmanager     debug   Gathering certificates for SNI for host auth.my.domain.local, default service
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "auth.my.domain.local"
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host auth.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "auth.my.domain.local"
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "auth.my.domain.local"
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host auth.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "auth.my.domain.local"
Oct 28 12:07:26 hostmanager     debug   Activated host: localhost
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 usermanager     debug   Host 'localhost' now set to use user provider 'internal_hashed'
Oct 28 12:07:26 localhost:tls   debug   Creating context for c2s
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host localhost
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for localhost...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for localhost
Oct 28 12:07:26 certmanager     info    No certificate present in SSL/TLS configuration for localhost. SNI will be required.
Oct 28 12:07:26 localhost:tls   debug   Creating context for s2sout
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host localhost
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for localhost...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for localhost
Oct 28 12:07:26 localhost:tls   debug   Creating context for s2sin
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host localhost
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for localhost...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for localhost
Oct 28 12:07:26 certmanager     info    No certificate present in SSL/TLS configuration for localhost. SNI will be required.
Oct 28 12:07:26 localhost:tls   info    Certificates loaded
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Add User", "http://jabber.org/protocol/admin#add-user"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Change User Password", "http://jabber.org/protocol/admin#change-user-password"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Reload configuration", "http://prosody.im/protocol/config#reload"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Delete User", "http://jabber.org/protocol/admin#delete-user"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "End User Session", "http://jabber.org/protocol/admin#end-user-session"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Get User Roster", "http://jabber.org/protocol/admin#get-user-roster"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Get User Statistics", "http://jabber.org/protocol/admin#user-stats"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Get List of Online Users", "http://jabber.org/protocol/admin#get-online-users-list"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "List S2S connections", "http://prosody.im/protocol/s2s#list"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "List loaded modules", "http://prosody.im/protocol/modules#list"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Load module", "http://prosody.im/protocol/modules#load"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Globally load module", "http://prosody.im/protocol/modules#global-load"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Reload modules", "http://prosody.im/protocol/modules#reload"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Globally reload module", "http://prosody.im/protocol/modules#global-reload"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Shut Down Service", "http://jabber.org/protocol/admin#shutdown"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Unload modules", "http://prosody.im/protocol/modules#unload"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Globally unload module", "http://prosody.im/protocol/modules#global-unload"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Activate host", "http://prosody.im/protocol/hosts#activate"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_admin_adhoc: "Deactivate host", "http://prosody.im/protocol/hosts#deactivate"
Oct 28 12:07:26 modulemanager   warn    Not loading module, due to conflicting features 'mod_bookmarks': /usr/local/lib/prosody-modules/mod_bookmarks.lua
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_uptime: "Get uptime", "uptime"
Oct 28 12:07:26 modulemanager   debug   pep is already loaded for localhost, so not loading again
Oct 28 12:07:26 localhost:csi   debug   moduleapi: ignoring status [prio 0 override false]: Loaded
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_invites_adhoc: "Create new contact invite", "urn:xmpp:invite#invite"
Oct 28 12:07:26 localhost:adhoc debug   Command added by mod_invites_adhoc: "Create new account invite", "urn:xmpp:invite#create-account"
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 breakout.my.domain.local:muc_domain_mapper      info    Loading mod_muc_domain_mapper for host localhost!
Oct 28 12:07:26 conference.my.domain.local:muc_domain_mapper    info    Loading mod_muc_domain_mapper for host localhost!
Oct 28 12:07:26 portmanager     debug   Gathering certificates for SNI for host localhost, default service
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for localhost...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for localhost
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host localhost
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for localhost...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for localhost
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for localhost...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for localhost
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host localhost
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for localhost...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for localhost
Oct 28 12:07:26 hostmanager     debug   Activated host: internal.auth.my.domain.local
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 internal.auth.my.domain.local:adhoc     debug   Command added by mod_muc: "Destroy Rooms", "http://prosody.im/protocol/muc#destroy"
Oct 28 12:07:26 internal.auth.my.domain.local:adhoc     debug   Command added by mod_muc: "Set affiliation in room", "http://prosody.im/protocol/muc#set-affiliation"
Oct 28 12:07:26 internal.auth.my.domain.local:tls       debug   Creating context for c2s
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host internal.auth.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "internal.auth.my.domain.local"
Oct 28 12:07:26 internal.auth.my.domain.local:tls       debug   Creating context for s2sout
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host internal.auth.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "internal.auth.my.domain.local"
Oct 28 12:07:26 internal.auth.my.domain.local:tls       debug   Creating context for s2sin
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host internal.auth.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "internal.auth.my.domain.local"
Oct 28 12:07:26 internal.auth.my.domain.local:tls       info    Certificates loaded
Oct 28 12:07:26 breakout.my.domain.local:muc_domain_mapper      info    Loading mod_muc_domain_mapper for host internal.auth.my.domain.local!
Oct 28 12:07:26 conference.my.domain.local:muc_domain_mapper    info    Loading mod_muc_domain_mapper for host internal.auth.my.domain.local!
Oct 28 12:07:26 portmanager     debug   Gathering certificates for SNI for host internal.auth.my.domain.local, default service
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "internal.auth.my.domain.local"
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host internal.auth.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "internal.auth.my.domain.local"
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "internal.auth.my.domain.local"
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host internal.auth.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/auth.my.domain.local.crt" from index for host "internal.auth.my.domain.local"
Oct 28 12:07:26 hostmanager     debug   Activated host: endconference.my.domain.local
Oct 28 12:07:26 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:26 endconference.my.domain.local:end_conference    info    Starting end_conference for conference.my.domain.local
Oct 28 12:07:26 endconference.my.domain.local:tls       debug   Creating context for c2s
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:26 endconference.my.domain.local:tls       debug   Creating context for s2sout
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:26 endconference.my.domain.local:tls       debug   Creating context for s2sin
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:26 endconference.my.domain.local:tls       info    Certificates loaded
Oct 28 12:07:26 breakout.my.domain.local:muc_domain_mapper      info    Loading mod_muc_domain_mapper for host endconference.my.domain.local!
Oct 28 12:07:26 conference.my.domain.local:muc_domain_mapper    info    Loading mod_muc_domain_mapper for host endconference.my.domain.local!
Oct 28 12:07:26 portmanager     debug   Gathering certificates for SNI for host endconference.my.domain.local, default service
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:26 certmanager     debug   Automatically locating certs for host endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:26 unbound debug   Setting up net.server event handling for ub_ctx: 0x8040df538
Oct 28 12:07:26 mod_posix       info    Prosody is about to detach from the console, disabling further console output
Oct 28 12:07:26 mod_posix       info    Successfully daemonized to PID 5573
Oct 28 12:07:45 connkwmiWzBOZbCR        debug   New connection FD 21 (127.0.0.1, 24195, 127.0.0.1, 5222) on server FD 7 (*, 5222)
Oct 28 12:07:45 connkwmiWzBOZbCR        debug   Connected (FD 21 (127.0.0.1, 24195, 127.0.0.1, 5222))
Oct 28 12:07:45 c2s80412f1c0    info    Client connected
Oct 28 12:07:45 runner0dJ1WeRWkmgy      debug   creating new coroutine
Oct 28 12:07:45 c2s80412f1c0    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unauthed]: <?xml version='1.0'?>
Oct 28 12:07:45 c2s80412f1c0    debug   Sent reply <stream:stream> to client
Oct 28 12:07:45 c2s80412f1c0    debug   Not offering authentication on insecure connection
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unauthed]: <stream:features>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
Oct 28 12:07:45 connkwmiWzBOZbCR        debug   Start TLS after write
Oct 28 12:07:45 c2s80412f1c0    debug   TLS negotiation started for c2s_unauthed...
Oct 28 12:07:45 connkwmiWzBOZbCR        debug   Prepared to start TLS
Oct 28 12:07:45 connkwmiWzBOZbCR        debug   Starting TLS now
Oct 28 12:07:45 connkwmiWzBOZbCR        debug   TLS handshake complete (TLSv1.3 with TLS_AES_256_GCM_SHA384)
Oct 28 12:07:45 c2s80412f1c0    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unauthed]: <?xml version='1.0'?>
Oct 28 12:07:45 c2s80412f1c0    debug   Sent reply <stream:stream> to client
Oct 28 12:07:45 c2s80412f1c0    info    Stream encrypted (TLSv1.3 with TLS_AES_256_GCM_SHA384)
Oct 28 12:07:45 c2s80412f1c0    debug   Channel binding 'tls-unique' undefined in context of TLS 1.3
Oct 28 12:07:45 c2s80412f1c0    debug   SASL mechanisms supported by handler: PLAIN, SCRAM-SHA-1
Oct 28 12:07:45 c2s80412f1c0    debug   Offering usable mechanisms: PLAIN, SCRAM-SHA-1
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unauthed]: <stream:features>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s_unauthed]: <auth mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unauthed]: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s_unauthed]: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    info    Authenticated as focus@auth.my.domain.local
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unbound]: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Oct 28 12:07:45 c2s80412f1c0    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unbound]: <?xml version='1.0'?>
Oct 28 12:07:45 c2s80412f1c0    debug   Sent reply <stream:stream> to client
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s_unbound]: <stream:features>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s_unbound]: <iq type='set' id='FLK4W-1' xml:lang='en'>
Oct 28 12:07:45 rostermanager   debug   load_roster: asked for: focus@auth.my.domain.local
Oct 28 12:07:45 rostermanager   debug   load_roster: loading for new user: focus@auth.my.domain.local
Oct 28 12:07:45 auth.my.domain.local:pep        debug   Creating pubsub service for user "focus"
Oct 28 12:07:45 auth.my.domain.local:bookmarks  debug   No existing legacy bookmarks for focus@auth.my.domain.local, migration already done: (nil)
Oct 28 12:07:45 auth.my.domain.local:bookmarks  debug   Additionally, no bookmarks 2 were existing for focus@auth.my.domain.local, assuming empty.
Oct 28 12:07:45 c2s80412f1c0    debug   No legacy vCard to migrate or already migrated
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='result' id='FLK4W-1'>
Oct 28 12:07:45 c2s80412f1c0    debug   Resource bound: focus@auth.my.domain.local/focus
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <iq type='get' id='FLK4W-3' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='result' to='focus@auth.my.domain.local/focus' id='FLK4W-3'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <iq type='get' id='Z44CP-1' to='localhost' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='result' from='localhost' to='focus@auth.my.domain.local/focus' id='Z44CP-1'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <iq type='get' id='Z44CP-2' to='localhost' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='result' from='localhost' to='focus@auth.my.domain.local/focus' id='Z44CP-2'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <iq type='get' id='Z44CP-4' to='internal.auth.my.domain.local' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='result' from='internal.auth.my.domain.local' to='focus@auth.my.domain.local/focus' id='Z44CP-4'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <presence id='Z44CP-3' to='jvbbrewery@internal.auth.my.domain.local/focus' xml:lang='en'>
Oct 28 12:07:45 internal.auth.my.domain.local:muc       debug   Refreshing reserved nicks...
Oct 28 12:07:45 internal.auth.my.domain.local:muc       debug   Refreshed for focus@auth.my.domain.local: (nil)
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <presence id='Z44CP-3' from='jvbbrewery@internal.auth.my.domain.local/focus' to='focus@auth.my.domain.local/focus' xml:lang='en'>
Oct 28 12:07:45 auth.my.domain.local:carbons    debug   Not copying stanza: <message type='groupchat' from='jvbbrewery@internal.auth.my.domain.local' to='focus@auth.my.domain.local/focus'> (default)
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <message type='groupchat' from='jvbbrewery@internal.auth.my.domain.local' to='focus@auth.my.domain.local/focus'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <iq type='get' id='FLK4W-5' to='jvbbrewery@internal.auth.my.domain.local' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='result' from='jvbbrewery@internal.auth.my.domain.local' to='focus@auth.my.domain.local/focus' id='FLK4W-5'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <iq type='set' id='FLK4W-7' to='jvbbrewery@internal.auth.my.domain.local' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='result' from='jvbbrewery@internal.auth.my.domain.local' to='focus@auth.my.domain.local/focus' id='FLK4W-7'>
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <presence id='Z44CP-5' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <iq type='get' from='focus@auth.my.domain.local' to='focus@auth.my.domain.local/focus' id='disco'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <presence from='focus@auth.my.domain.local/focus' xml:lang='en' id='Z44CP-5'>
Oct 28 12:07:45 c2s80412f1c0    debug   Sending[c2s]: <presence type='subscribe' from='focus.my.domain.local' to='focus@auth.my.domain.local'>
Oct 28 12:07:45 c2s80412f1c0    debug   Broadcasting offline messages
Oct 28 12:07:45 datamanager     debug   Removing empty offline datastore for user focus@auth.my.domain.local
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <presence type='unsubscribed' id='Z44CP-6' to='focus.my.domain.local' xml:lang='en'>
Oct 28 12:07:45 auth.my.domain.local:presence   debug   outbound presence unsubscribed from focus@auth.my.domain.local for focus.my.domain.local
Oct 28 12:07:45 rostermanager   debug   load_roster: asked for: focus@auth.my.domain.local
Oct 28 12:07:45 rostermanager   debug   load_roster: asked for: focus@auth.my.domain.local
Oct 28 12:07:45 rostermanager   debug   save_roster: saving roster for focus@auth.my.domain.local, (focus.my.domain.local)
Oct 28 12:07:45 storagemanager  debug   map storage driver unavailable, using shim on top of keyval store.
Oct 28 12:07:45 focus.my.domain.local:client_proxy      debug   received stanza from c2s session
Oct 28 12:07:45 focus.my.domain.local:client_proxy      debug   received presence from destination: unsubscribed
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s]: <iq type='result' id='disco' to='focus@auth.my.domain.local' xml:lang='en'>
Oct 28 12:07:45 stanzarouter    debug   Discarding iq from c2s of type: result

I have tried different ways to create certificates now: both generating one with prosodyctl cert generate and then importing it into truststore.jks, and using a certificate trusted by our local domain root certificate (which is trusted on all machines here). Not much different though, except that there seem to be some differences in whether prosody finds certificates for the subdomains, such as endconference.my.domain.local, for some reason.
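As an added example (not code from the original post, nor from the Jitsi or Prosody projects), the following Python script parses a prosody debug log of the kind quoted above, rebuilds each c2s session's TLS and SASL state, and flags the things this thread is actually chasing: hosts for which certmanager found no certificate/key, sessions that never reached "Stream encrypted" (and therefore were never offered SASL), and sessions where SASL started but never completed. The embedded sample log is constructed from the excerpt above plus one constructed unencrypted session; the "Client disconnected" wording is an assumption about prosody's log message, and the parent-domain fallback note only reports what the log's "Using cert ... for host" lines recorded.

```python
"""Summarise a Prosody debug log: certificate lookups plus per-c2s-session TLS/SASL state."""
import re
from collections import defaultdict

# Constructed sample: lines modelled on the prosody log in this thread (c2s80412f1c0),
# plus a constructed second session (c2s80412f1c1) that never negotiated TLS.
SAMPLE_LOG = """\
Oct 28 12:07:26 certmanager     debug   Searching /usr/local/etc/prosody/certs for a key and certificate for endconference.my.domain.local...
Oct 28 12:07:26 certmanager     debug   No certificate/key found for endconference.my.domain.local
Oct 28 12:07:26 certmanager     debug   Using cert "/usr/local/etc/prosody/certs/my.domain.local.crt" from index for host "my.domain.local"
Oct 28 12:07:45 c2s80412f1c0    info    Client connected
Oct 28 12:07:45 c2s80412f1c0    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 28 12:07:45 c2s80412f1c0    debug   Not offering authentication on insecure connection
Oct 28 12:07:45 c2s80412f1c0    info    Stream encrypted (TLSv1.3 with TLS_AES_256_GCM_SHA384)
Oct 28 12:07:45 c2s80412f1c0    debug   Offering usable mechanisms: PLAIN, SCRAM-SHA-1
Oct 28 12:07:45 c2s80412f1c0    debug   Received[c2s_unauthed]: <auth mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl' xml:lang='en'>
Oct 28 12:07:45 c2s80412f1c0    info    Authenticated as focus@auth.my.domain.local
Oct 28 12:07:46 c2s80412f1c1    info    Client connected
Oct 28 12:07:46 c2s80412f1c1    debug   Client sent opening <stream:stream> to auth.my.domain.local
Oct 28 12:07:46 c2s80412f1c1    debug   Not offering authentication on insecure connection
Oct 28 12:07:46 c2s80412f1c1    info    Client disconnected: connection closed
"""

# Generic prosody log line: "<timestamp> <source> <level> <message>" (tabs or spaces between fields).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+(?P<level>debug|info|warn|error)\s+(?P<msg>.*)$"
)
CERT_MISS_RE = re.compile(r"No certificate/key found for (\S+)")
CERT_USE_RE = re.compile(r'Using cert "([^"]+)" from index for host "([^"]+)"')
HOST_RE = re.compile(r"Client sent opening <stream:stream> to (\S+)")
ENCRYPTED_RE = re.compile(r"Stream encrypted \((.+)\)")
OFFERED_RE = re.compile(r"Offering usable mechanisms: (.+)")
MECH_RE = re.compile(r"<auth mechanism='([^']+)'")
AUTHED_RE = re.compile(r"Authenticated as (\S+)")


def new_session():
    return {"host": None, "tls": False, "cipher": None, "insecure_auth_refused": False,
            "offered": [], "mechanism": None, "authenticated_as": None, "closed": False}


def analyze(log_text):
    """Return certificate lookup results and one state record per c2s session."""
    sessions = defaultdict(new_session)
    cert_misses, cert_used = set(), {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a prosody-format line; ignore
        src, msg = m.group("src"), m.group("msg")
        if src == "certmanager":
            miss, use = CERT_MISS_RE.search(msg), CERT_USE_RE.search(msg)
            if miss:
                cert_misses.add(miss.group(1))
            if use:
                cert_used[use.group(2)] = use.group(1)  # host -> cert path actually used
            continue
        if not src.startswith("c2s"):
            continue
        s = sessions[src]
        if HOST_RE.search(msg):
            s["host"] = HOST_RE.search(msg).group(1)
        elif "Not offering authentication on insecure connection" in msg:
            s["insecure_auth_refused"] = True  # expected before STARTTLS; a problem only if TLS never follows
        elif ENCRYPTED_RE.search(msg):
            s["tls"], s["cipher"] = True, ENCRYPTED_RE.search(msg).group(1)
        elif OFFERED_RE.search(msg):
            s["offered"] = [x.strip() for x in OFFERED_RE.search(msg).group(1).split(",")]
        elif MECH_RE.search(msg):
            s["mechanism"] = MECH_RE.search(msg).group(1)
        elif AUTHED_RE.search(msg):
            s["authenticated_as"] = AUTHED_RE.search(msg).group(1)
        elif "Client disconnected" in msg:  # assumed wording
            s["closed"] = True
    return {"sessions": dict(sessions), "cert_misses": cert_misses, "cert_used": cert_used}


def findings(report):
    """Human-readable list of the conditions worth acting on."""
    out = []
    for host in sorted(report["cert_misses"]):
        parent = next((h for h in report["cert_used"] if host.endswith("." + h)), None)
        note = f" (log shows parent {parent} served from {report['cert_used'][parent]})" if parent else ""
        out.append(f"cert: no certificate/key for {host}{note}")
    for sid, s in sorted(report["sessions"].items()):
        if s["authenticated_as"]:
            continue  # authenticated over TLS: nothing to flag
        if not s["tls"]:
            out.append(f"{sid} -> {s['host']}: TLS never negotiated; SASL was withheld on the plaintext stream")
        elif s["mechanism"]:
            out.append(f"{sid} -> {s['host']}: {s['mechanism']} started but never completed")
        else:
            out.append(f"{sid} -> {s['host']}: encrypted but no SASL attempt seen")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Pipe a real log in with `analyze(open("/var/log/prosody/prosody.log").read())`; the useful contrast with the thread's jicofo error is whether the focus session ever reaches "Authenticated as", and if not, whether it stalled before TLS (certificate or STARTTLS problem) or after (credential or SCRAM mismatch).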

Yeah that is from May, latest is from Oct Index of /stable/

Where did you get that? This is total under config you don’t want to get into that.

Ignore the certificates by adding that config I pointed out above in /etc/jitsi/jicofo/jicofo.conf. Are you running with that and you still see the problem?

Yeah that is from May, latest is from Oct Index of /stable/

1.0.6155 seems to be the latest in the FreeBSD ports tree, and it seems to me now that it is a bit too old to work correctly together with the other components that have been updated since. I'll reach out to the package maintainers instead!

Where did you get that? This is total under config you don’t want to get into that.

I got it from the GitHub repo; I just tried to see if it was possible to get things running based on that config. But then I tried to copy generated config files from an Ubuntu setup instead and just changed what was needed about domains etc. And yes, I will continue with something like that instead, to make it more reasonable to maintain over time.

Ignore the certificates by adding that config I pointed out above in /etc/jitsi/jicofo/jicofo.conf. Are you running with that and you still see the problem?

Yes, either that or fixing the truststore.jks file fixed the problems in jicofo. But there are still lots of TLS-related errors in prosody. Depending on which config I tried, I either got errors that no services are offered to insecure connections, or errors about missing certificates for each subdomain.

But I'll try to see if it would be possible to build a newer version from source, or if someone could update the ports packages in FreeBSD, and go from there instead. That will probably be a better idea, since anything I can come up with here otherwise would probably only help until the next updates anyway, and I would much rather make it easier to maintain over time. Thanks for all your kind help!