Strophe: error: Failed to construct 'RTCPeerConnection': Both username and credential are required when the URL scheme is "turn" or "turns"

Hi,

I’ve just upgraded one of my company’s Jitsi servers to the latest version available:

jitsi-meet/stable,now 2.0.6726-1 all [installed]
jitsi-meet-prosody/stable,now 1.0.5675-1 all [installed,automatic]
jitsi-meet-tokens/stable,now 1.0.5675-1 all [installed]
jitsi-meet-turnserver/stable,now 1.0.5675-1 all [installed,automatic]
jitsi-meet-web/stable,now 1.0.5675-1 all [installed,automatic]
jitsi-meet-web-config/stable,now 1.0.5675-1 all [installed,automatic]
jitsi-videobridge2/stable,now 2.1-595-g3637fda4-1 all [installed,automatic]
prosody/unknown,now 0.11.11-1~bionic1 amd64 [installed,automatic]
coturn/bionic-updates,bionic-security,now 4.5.0.7-1ubuntu2.18.04.3 amd64 [installed,automatic]

In this installation we’re using JWT auth and the TURN server on the same machine, for which I’ve followed the guide at Setting up TURN · Jitsi Meet Handbook

Since the upgrade (actually a clean install, as I manually reconfigured Jitsi), when a second user joins an open call, the following error appears in the browser’s console:

Strophe: error: Failed to construct 'RTCPeerConnection': Both username and credential are required when the URL scheme is "turn" or "turns"

Could you help me find where the problem is? I’ve already made sure that:

  • in the prosody virtualhost config, under the external_services section, I have { type = "turns", host = "turn-my-jitsi.mydomain.it", port = "443", transport = "tcp" } and external_service_secret matches the one in /etc/turnserver.conf

  • created and configured the proper module under /etc/nginx/modules-enabled and modified the configuration for my virtualhost under /etc/nginx/sites-available to make it listen on port 4444 SSL

  • we’re using proper and valid SSL certificates for nginx, coturn and prosody

Thanks for the help

Ok, it seems that I had to fix the turns entry under the prosody virtualhost by adding the parameters in bold:

{ type = "turns", host = "turn-myjitsi.mydomain.it", port = "443", transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

Now the problem is that JWT is not working properly: even if restrict_room_creation is enabled, guests can create rooms and become moderators of them.
What could be wrong?

Here’s the actual config:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "myjitsi.mydomain.it";

external_service_secret = "***********";
external_services = {
     { type = "stun", host = "myjitsi.mydomain.it", port = 3478 },
     { type = "turn", host = "myjitsi.mydomain.it", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     -- { type = "turns", host = "myjitsi.mydomain.it", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
     { type = "turns", host = "turn-myjitsi.mydomain.it", port = "443", transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

unlimited_jids = {
    "focus@auth.myjitsi.mydomain.it",
    "jvb@auth.myjitsi.mydomain.it"
}

VirtualHost "myjitsi.mydomain.it"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="my-app-id"
    app_secret="*********************"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/myjitsi.mydomain.it.key";
        certificate = "/etc/prosody/certs/myjitsi.mydomain.it.crt";
    }
    av_moderation_component = "avmoderation.myjitsi.mydomain.it"
    speakerstats_component = "speakerstats.myjitsi.mydomain.it"
    conference_duration_component = "conferenceduration.myjitsi.mydomain.it"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.myjitsi.mydomain.it"
    breakout_rooms_muc = "breakout.myjitsi.mydomain.it"
    main_muc = "conference.myjitsi.mydomain.it"
    -- muc_lobby_whitelist = { "recorder.myjitsi.mydomain.it" } -- Here we can whitelist jibri to enter lobby enabled rooms
VirtualHost "guest.myjitsi.mydomain.it"
    authentication = "anonymous"
    c2s_require_encryption = false

Component "conference.myjitsi.mydomain.it" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        "token_verification";
        "muc_rate_limit";
    }
    admins = { "focus@auth.myjitsi.mydomain.it" }
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "breakout.myjitsi.mydomain.it" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
        "muc_rate_limit";
    }
    admins = { "focus@auth.myjitsi.mydomain.it" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.myjitsi.mydomain.it" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.myjitsi.mydomain.it", "jvb@auth.myjitsi.mydomain.it" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.myjitsi.mydomain.it"
    ssl = {
        key = "/etc/prosody/certs/auth.myjitsi.mydomain.it.key";
        certificate = "/etc/prosody/certs/auth.myjitsi.mydomain.it.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.myjitsi.mydomain.it" "client_proxy"
    target_address = "focus@auth.myjitsi.mydomain.it"

Component "speakerstats.myjitsi.mydomain.it" "speakerstats_component"
    muc_component = "conference.myjitsi.mydomain.it"

Component "conferenceduration.myjitsi.mydomain.it" "conference_duration_component"
    muc_component = "conference.myjitsi.mydomain.it"

Component "avmoderation.myjitsi.mydomain.it" "av_moderation_component"
    muc_component = "conference.myjitsi.mydomain.it"

Component "lobby.myjitsi.mydomain.it" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
    }
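The console error and the fix above fit together once you see what `secret = true` / `ttl` / `algorithm = "turn"` make Prosody do: with those keys, mod_external_services mints short-lived TURN credentials from `external_service_secret` (the same shared secret coturn checks with `use-auth-secret`) and sends them to the client along with the URL; without them, the client receives a bare `turns:` URL, passes it to `RTCPeerConnection` with no username/credential, and the browser refuses it. The script below is an added illustration written for this thread, not code from Jitsi, Prosody or coturn: it emulates the credential minting (TURN REST API scheme: username `"<expiry>:<user>"`, credential `base64(HMAC-SHA1(secret, username))`), the expiry check coturn performs, and the browser's rule that produced the error. The function names, the placeholder secret and the sample entries (copied from the config in this thread) are constructed for the example.

```python
"""Emulate how mod_external_services hands TURN credentials to the browser.
Added example for this thread; not part of Jitsi, Prosody or coturn."""
import base64
import hashlib
import hmac
import time

# Constructed placeholder. In a real deployment this is the value of
# external_service_secret in prosody.cfg.lua and of static-auth-secret
# in /etc/turnserver.conf; they must match or coturn rejects every allocation.
SHARED_SECRET = b"replace-me-with-the-real-shared-secret"


def make_turn_credentials(secret, ttl, user="", now=None):
    """Time-limited credentials in the TURN REST API scheme (algorithm = "turn").
    username = "<expiry epoch>:<user>", credential = base64(HMAC-SHA1(secret, username))."""
    now = int(time.time()) if now is None else int(now)
    username = "%d:%s" % (now + ttl, user)
    digest = hmac.new(secret, username.encode("ascii"), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode("ascii")


def verify_turn_credentials(secret, username, credential, now=None):
    """What coturn does with use-auth-secret: recompute the HMAC over the
    username and reject the pair if the embedded expiry has already passed."""
    now = int(time.time()) if now is None else int(now)
    expiry_text, _, _ = username.partition(":")
    if not expiry_text.isdigit() or int(expiry_text) < now:
        return False
    digest = hmac.new(secret, username.encode("ascii"), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, credential)


def ice_server_entry(service, secret, now=None):
    """Turn one external_services entry into the RTCIceServer object the client
    builds, applying the rule the browser enforces in RTCPeerConnection():
    turn/turns URLs must carry both a username and a credential."""
    scheme = service["type"]
    url = "%s:%s:%s" % (scheme, service["host"], service["port"])
    if "transport" in service:
        url += "?transport=%s" % service["transport"]
    entry = {"urls": url}
    if service.get("secret"):
        # secret = true: prosody mints credentials; ttl is their lifetime in seconds
        username, credential = make_turn_credentials(
            secret, service.get("ttl", 86400), now=now)
        entry["username"], entry["credential"] = username, credential
    if scheme in ("turn", "turns") and not (
            entry.get("username") and entry.get("credential")):
        raise ValueError('Both username and credential are required when the '
                         'URL scheme is "turn" or "turns"')
    return entry


def browser_accepts(service, secret, now=None):
    """True if the entry would survive the RTCPeerConnection constructor."""
    try:
        ice_server_entry(service, secret, now=now)
        return True
    except ValueError:
        return False


# Constructed sample input: the entry as it was in the first post (no secret)
# and the corrected entry from the follow-up.
BROKEN_TURNS = {"type": "turns", "host": "turn-myjitsi.mydomain.it",
                "port": "443", "transport": "tcp"}
FIXED_TURNS = dict(BROKEN_TURNS, secret=True, ttl=86400, algorithm="turn")
STUN_ONLY = {"type": "stun", "host": "myjitsi.mydomain.it", "port": 3478}

if __name__ == "__main__":
    for name, svc in (("broken", BROKEN_TURNS), ("fixed", FIXED_TURNS),
                      ("stun", STUN_ONLY)):
        print(name, "accepted" if browser_accepts(svc, SHARED_SECRET) else "rejected")
    entry = ice_server_entry(FIXED_TURNS, SHARED_SECRET)
    print("valid now:", verify_turn_credentials(
        SHARED_SECRET, entry["username"], entry["credential"]))
    print("valid after ttl:", verify_turn_credentials(
        SHARED_SECRET, entry["username"], entry["credential"],
        now=int(time.time()) + 86401))
```

Running it shows the broken entry rejected and the fixed one accepted, and that the minted credential stops verifying once `ttl` seconds have elapsed or when the two sides' secrets differ; a STUN entry never needs credentials, which is why only the turn/turns lines in the config need `secret = true`.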

That setting only restricts room creation so that jicofo alone can create rooms: mod_muc – Prosody IM
Every client invites jicofo to a room and jicofo creates it.

JWT and the guest domain are not supposed to work together; if they did, that was by chance and can break at any time.
To control that only JWT users are moderators you need a custom module. Maybe check jitsi-contrib.