Unable to find valid certification path

The symptom is that a room of three or more users have their mic and cam shown as disabled, though the users themselves have mic and camera active.

There’s some problem with security certificates, it seems, judging by jicofo.log and jvb.log which both have the same message in. Java cannot find the path to the certs.

I’ve looked at other topics in this forum, searching for the solution, but it seems I already have the recommended set-up. My jitsi-meet instance is running on Debian 10, using Java 11 (openjdk11.0.9.1, openJDK Runtime environment 11.0.9.1, openJDK 64-bit server VM11.0.9.1). ca-certificates-java is already the latest version, and /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts is a symlink to /etc/ssl/certs/cacerts.

Can anyone give advice on where this is going wrong?

jicofo.log
Jicofo 2021-02-09 14:34:44.920 WARNING: [69940] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:350)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:293)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:288)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1356)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
… 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 23 more

prosody.err
Feb 07 14:46:12 portmanager|error|Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

Feb 07 14:46:12 portmanager|error|Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

prosody.log
Feb 09 14:48:50 c2s556d79096d00 info Client connected
Feb 09 14:48:50 c2s556d79096d00 info Client disconnected: ssl handshake error: closed
Feb 09 14:48:54 c2s556d78974a50 info Client connected
Feb 09 14:48:54 c2s556d78974a50 info Client disconnected: ssl handshake error: closed
Feb 09 14:48:55 c2s556d799bd170 info Client connected
Feb 09 14:48:56 c2s556d799bd170 info Client disconnected: ssl handshake error: closed

If you do sudo update-ca-certificates -f and restart jicofo, does that fix it for you?
We have seen in the past that it can go into such a broken state after uninstalling and installing again several times. Was that your case?

I have done sudo update-ca-certificates several times, but always followed with (sudo systemctl) daemon-reload and restart jitsi-videobridge2. Never knew I could restart jicofo.

Restarting jicofo has changed the log messages:
jicofo.log
Jicofo 2021-02-09 16:00:20.444 SEVERE: [80] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: SASLError using SCRAM-SHA-1: not-authorized
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized
at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:292)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1100)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)
Jicofo 2021-02-09 16:00:25.574 SEVERE: [53] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: SASLError using SCRAM-SHA-1: not-authorized
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized
at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:292)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1100)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)

This usually suggests a password mismatch.

I don’t think it’s a password mismatch here, though.

The log message comes from …XmppProtocolProvider.log().

The XMPP server is prosody, and the prosody error log is still saying “Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281”

This can be ignored.

This is the XMPP provider connecting jicofo to the XMPP server, and the error indeed points to a wrong password used by jicofo to connect.

That password is autogenerated and created when you install jitsi-meet, so doing several reinstalls can also lead to situations like this. If you are removing everything and prosody is not used for anything else, you had better purge prosody as well.
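The two jicofo failures quoted so far have different causes and different fixes, so it helps to fold each stack trace into one record before classifying it. The following is an added example, not part of any post in this thread; the function names and signature labels are illustrative, and the sample is abridged from the log excerpts above.

```python
import re
from collections import Counter

# A record starts at a jicofo header ("Jicofo 2021-02-09 14:34:44.920 WARNING:") or a prosody
# header ("Feb 07 14:46:12 "); exception text, "at ..." frames and "Caused by:" lines continue it.
HEADER = re.compile(r"^(Jicofo \d{4}-\d\d-\d\d [\d:.]+ \w+:|[A-Z][a-z]{2} \d\d [\d:]+ )")

# Signature strings are quoted from the thread's logs; the advice paraphrases its replies.
SIGNATURES = [
    ("tls_trust", re.compile(r"PKIX path building failed"),
     "sudo update-ca-certificates -f, then restart jicofo"),
    ("xmpp_auth", re.compile(r"SASLError using \S+: not-authorized"),
     "jicofo password mismatch with prosody: purge prosody too, then reinstall"),
    ("ignorable", re.compile(r"No certificate present in SSL/TLS configuration for https port 5281"),
     "described in the thread as safe to ignore"),
]

def fold_records(text):
    """Group log lines into records so a multi-line stack trace counts once."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if HEADER.match(line) or not records:
            records.append([])
        records[-1].append(line)
    return records

def root_cause(record):
    """Innermost exception class: last 'Caused by:' line, else the first continuation."""
    causes = [l[len("Caused by:"):] for l in record[1:] if l.startswith("Caused by:")]
    line = causes[-1] if causes else (record[1] if len(record) > 1 else "")
    return line.strip().split(":", 1)[0]

def triage(text):
    """Return (signature, record count, advice) for each signature seen."""
    hits = Counter(next((n for n, rx, _ in SIGNATURES if rx.search("\n".join(r))), None)
                   for r in fold_records(text))
    return [(n, hits[n], advice) for n, _, advice in SIGNATURES if hits[n]]

# Constructed sample: lines abridged from the excerpts posted in this thread.
SAMPLE = """\
Jicofo 2021-02-09 14:34:44.920 WARNING: [69940] ... closed with error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: ...
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: ...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Feb 07 14:46:12 portmanager|error|Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Jicofo 2021-02-09 16:00:20.444 SEVERE: [80] ... Failed to connect/login: SASLError using SCRAM-SHA-1: not-authorized
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized
"""
```

Calling `triage(SAMPLE)` reports one record per signature even though the PKIX text appears on three lines of the same trace, and `root_cause` names the innermost exception of each folded record.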

Thanks to both of you @Freddie and @damencho for identifying the password fail. I did a fresh install of jitsi-meet on a clean server.

There are no more complaints of xmpp auth fail in the logs. That’s great, but I still have the same trouble that I had before.

A room of three or more users have their mic and cam shown as disabled, though the users themselves have mic and camera active. No-one can hear or be heard.

I would be grateful to know where I should look for my next clue.

The jicofo.log has a lot to say but I don’t understand the significance of it. Here’s a sample of the log with three participants connected but otherwise not very active. The log is not from the beginning or the end of the meeting.

Jicofo 2021-02-09 22:30:16.439 INFO: [318] org.jitsi.jicofo.AbstractChannelAllocator.log() Using jvbbrewery@internal.auth.meet.buddhismwithoutboundaries.com/6ad7dd32-29f1-4fa4-b53d-b442003a75df to allocate channels for: Participant[online@conference.meet.buddhismwithoutboundaries.com/5b9355a1]@918251269
Jicofo 2021-02-09 22:30:16.529 INFO: [318] org.jitsi.jicofo.ParticipantChannelAllocator.log() Sending session-initiate to: online@conference.meet.buddhismwithoutboundaries.com/5b9355a1
Jicofo 2021-02-09 22:30:17.658 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Got session-accept from: online@conference.meet.buddhismwithoutboundaries.com/5b9355a1
Jicofo 2021-02-09 22:30:17.659 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Received session-accept from online@conference.meet.buddhismwithoutboundaries.com/5b9355a1 with accepted sources:Sources{ video: [ssrc=1599411248 ssrc=3446102619 ssrc=2755669718 ssrc=351262192 ssrc=3848419388 ssrc=3425511160 ] audio: [ssrc=548984678 ] }@792675010
Jicofo 2021-02-09 22:30:24.314 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Received session-terminate from Participant[online@conference.meet.buddhismwithoutboundaries.com/7c310aef]@1011027061, session: BridgeSession[id=28668_ec31ab, bridge=Bridge[jid=jvbbrewery@internal.auth.meet.buddhismwithoutboundaries.com/6ad7dd32-29f1-4fa4-b53d-b442003a75df, relayId=null, region=null, stress=0.02]]@39716955, restart: true
Jicofo 2021-02-09 22:30:24.314 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Terminating Participant[online@conference.meet.buddhismwithoutboundaries.com/7c310aef]@1011027061, reason: null, send st: false
Jicofo 2021-02-09 22:30:24.314 INFO: [54] org.jitsi.protocol.xmpp.AbstractOperationSetJingle.log() Terminate session: online@conference.meet.buddhismwithoutboundaries.com/7c310aef, reason: null, send terminate: false
Jicofo 2021-02-09 22:30:24.315 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Removing online@conference.meet.buddhismwithoutboundaries.com/7c310aef sources Sources{ audio: [ssrc=1204653977 ] }@480778321
Jicofo 2021-02-09 22:30:24.316 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Removed participant: true, online@conference.meet.buddhismwithoutboundaries.com/7c310aef
Jicofo 2021-02-09 22:30:24.317 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Region info, conference=28668: [[null, null, null]]
Jicofo 2021-02-09 22:30:24.318 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Expiring channels for: online@conference.meet.buddhismwithoutboundaries.com/7c310aef on: Bridge[jid=jvbbrewery@internal.auth.meet.buddhismwithoutboundaries.com/6ad7dd32-29f1-4fa4-b53d-b442003a75df, relayId=null, region=null, stress=0.02]
Jicofo 2021-02-09 22:30:24.318 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Added participant jid= online@conference.meet.buddhismwithoutboundaries.com/7c310aef, bridge=jvbbrewery@internal.auth.meet.buddhismwithoutboundaries.com/6ad7dd32-29f1-4fa4-b53d-b442003a75df
Jicofo 2021-02-09 22:30:24.318 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Region info, conference=28668: [[null, null, null, null]]
Jicofo 2021-02-09 22:30:24.318 INFO: [318] org.jitsi.jicofo.discovery.DiscoveryUtil.log() Doing feature discovery for online@conference.meet.buddhismwithoutboundaries.com/7c310aef
Jicofo 2021-02-09 22:30:24.318 INFO: [318] org.jitsi.jicofo.discovery.DiscoveryUtil.log() Successfully discovered features for online@conference.meet.buddhismwithoutboundaries.com/7c310aef in 0
Jicofo 2021-02-09 22:30:24.319 INFO: [318] org.jitsi.jicofo.AbstractChannelAllocator.log() Using jvbbrewery@internal.auth.meet.buddhismwithoutboundaries.com/6ad7dd32-29f1-4fa4-b53d-b442003a75df to allocate channels for: Participant[online@conference.meet.buddhismwithoutboundaries.com/7c310aef]@1011027061
Jicofo 2021-02-09 22:30:24.381 INFO: [318] org.jitsi.jicofo.ParticipantChannelAllocator.log() Sending session-initiate to: online@conference.meet.buddhismwithoutboundaries.com/7c310aef
Jicofo 2021-02-09 22:30:24.955 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Got session-accept from: online@conference.meet.buddhismwithoutboundaries.com/7c310aef
Jicofo 2021-02-09 22:30:24.956 INFO: [54] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Received session-accept from online@conference.meet.buddhismwithoutboundaries.com/7c310aef with accepted sources:Sources{ audio: [ssrc=3685009004 ] }@2071646269

Are you sure UDP/10000 is accessible for everyone?

This installer may help to catch the cause of the problem

You got it, @emrah. Although port 10000/udp is open in my iptables, I’m using a Google Cloud server and there’s a whole lot of steps I must take before 10000 is opened up to the world.

I’m going to reinstall on a simpler VPS nearer home, where the ports are under my direct control.

Thanks for your post.
