Trouble with SSL cert installation

I’m trying to automatically install Jitsi as part of a larger project (SkotOS/linode_stackscript.sh at e802649808c2790113a8bc5b978522e3f3e4fbdc · noahgibbs/SkotOS · GitHub) and I’m having trouble with setting up a secure domain, as described at Secure Domain setup · Jitsi Meet Handbook

Initially I tried to use a self-signed certificate and then switch to LetsEncrypt, but that wasn’t working - if I go to the Jitsi URL and join a meeting, it instantly disconnects, gives an error, and tries to reconnect every few seconds forever. So now I’m trying to do LetsEncrypt before installing Jitsi to avoid any stale certs and that’s not working either.

I’m worried about stale/bad certificates because my error logs are full of cert-related connection errors (copied below.)

Anybody have any obvious advice? Are the Debian packages unusably out of date? Should I be installing and then changing certificates in a specific order?

From /var/log/prosody/prosody.log:

Apr 28 13:16:06 portmanager     info    Activated service 'http' on [*]:5280, [::]:5280
Apr 28 13:16:06 portmanager     error   Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Apr 28 13:16:06 portmanager     error   Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Apr 28 13:16:06 portmanager     info    Activated service 'https' on no ports
Apr 28 13:16:06 conference.meet.testing-10.madrubyscience.com:muc_domain_mapper info    Loading mod_muc_domain_mapper for host meet.testing-10.madrubyscience.com!
Apr 28 13:16:08 c2s5599fc7b2250 info    Client connected
Apr 28 13:16:09 c2s5599fc7b2250 info    Client disconnected: ssl handshake error: sslv3 alert certificate unknown
Apr 28 13:16:09 c2s5599fc5a37d0 info    Client connected
Apr 28 13:16:09 c2s5599fc5a37d0 info    Client disconnected: ssl handshake error: sslv3 alert certificate unknown
Apr 28 13:16:09 c2s5599fc5f7580 info    Client connected
Apr 28 13:16:10 c2s5599fc5f7580 info    Client disconnected: ssl handshake error: sslv3 alert certificate unknown
Apr 28 13:16:14 c2s5599fc351580 info    Client connected
Apr 28 13:16:14 c2s5599fc351580 info    Client disconnected: ssl handshake error: sslv3 alert certificate unknown

And from /var/log/jitsi/jicofo.log:

Jicofo 2021-04-28 14:03:20.701 SEVERE: [523] [xmpp_connection=client] XmppProviderImpl.doConnect#225: Failed to connect/login: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hi @noahgibbs, did you solve this problem? Got the same error.

Yes! I found the problem. There was an older recommended JVM (from the install instructions for Jitsi) that I had installed, and it wasn’t working properly with system certificates. When I switched to the current recommended JVM, the problem went away.

Presumably you could fix the problem on that JVM too if you knew more about how it sets up SSL certificates than I do.
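
Added example (not part of the thread, and not code from Jitsi or Prosody): a small triage script that groups the three certificate-related signatures seen in the logs above, so the Prosody-side "certificate unknown" alerts and the Jicofo-side PKIX failures can be read as two views of the same rejected handshake. The labels and the sample lines are constructed for illustration; the sample mimics the terminal-wrapped lines in the original paste.

```python
import re
from collections import Counter

# Patterns come from the log lines quoted in the thread; the labels are this
# example's own reading of them (hypothetical names).
SIGNATURES = [
    (re.compile(r"No certificate present in SSL/TLS configuration for \w+ port \d+"),
     "prosody_no_cert_for_service"),    # Prosody has no cert configured for that listener
    (re.compile(r"ssl handshake error: sslv3 alert certificate unknown"),
     "peer_rejected_prosody_cert"),     # the connecting peer sent the alert to Prosody
    (re.compile(r"SEVERE: .*PKIX path building failed"),
     "jvm_no_trusted_path"),            # the JVM found no chain to a trusted CA
]

# A record starts with a syslog-style date (Prosody) or "Jicofo <date>".
RECORD_START = re.compile(r"^(?:[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d |Jicofo \d{4}-\d\d-\d\d )")

def join_wrapped(lines):
    """Rebuild records: terminal-wrapped tails and stack frames join their record."""
    records = []
    for line in lines:
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += line         # no separator: wraps can split mid-word
    return records

def triage(lines):
    """Count each signature at most once per record."""
    counts = Counter()
    for rec in join_wrapped(lines):
        for pattern, label in SIGNATURES:
            if pattern.search(rec):
                counts[label] += 1
                break
    return counts

# Constructed sample modelled on the thread's logs (ids and wrap are made up).
SAMPLE = """\
Apr 28 13:16:06 portmanager     error   Error binding encrypted port for https: No certificate present in SSL/TLS configuration fo
r https port 5281
Apr 28 13:16:09 c2s0001 info    Client disconnected: ssl handshake error: sslv3 alert certificate unknown
Apr 28 13:16:10 c2s0002 info    Client disconnected: ssl handshake error: sslv3 alert certificate unknown
Jicofo 2021-04-28 14:03:20.701 SEVERE: [523] Failed to connect/login: PKIX path building failed
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed
""".splitlines()

if __name__ == "__main__":
    for label, n in triage(SAMPLE).items():
        print(f"{n:3d}  {label}")
```

When `peer_rejected_prosody_cert` and `jvm_no_trusted_path` show up together, the Java clients are the ones refusing Prosody's certificate, which points at the trust store of the JVM in use rather than at Prosody itself.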