Users can't see/hear each other, nothing listens on port 10000

Hello,

I have made a clean install in an LXC container. The guest is Debian 10. I followed the quickstart tutorial.
Users can’t see/hear each other, in 1-to-1 or 3+ sessions.
No process is listening on UDP 10000.
No process is listening on TCP 4443 (normal?)
1 process is listening on TCP 5222

Port forwarding from host to guest is done and tested.
Advanced configuration is done also (added 2 lines and commented the other one) but I guess this is irrelevant since nothing listens on UDP:10000

nginx, jicofo and jvb services are green in systemctl status. Prosody is green too but with these lines in red:
Nov 30 17:52:21 jitsi systemd[1]: Started Prosody XMPP Server.
Nov 30 17:52:21 jitsi systemd[8810]: Failed to attach 8810 to compat systemd cgroup /system.slice/prosody.service: No such file or directory
Nov 30 17:52:21 jitsi prosody[8810]: portmanager: Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Nov 30 17:52:21 jitsi prosody[8810]: portmanager: Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

From what I have read in the forum, the port 5281 error is not important.

ls -l /usr/local/share/ca-certificates

lrwxrwxrwx 1 root root 46 Nov 30 11:41 auth.jitsi.thefreecat.org.crt -> /var/lib/prosody/auth.jitsi.thefreecat.org.crt

I have run update-ca-certificates -f (although I did not change that certificate).

/var/log/prosody/prosody.log keeps repeating this every 5 seconds:
Nov 30 18:08:32 conference.jitsi.thefreecat.org:muc_domain_mapper warn Session filters applied
Nov 30 18:08:32 c2s55b4a576e800 info Client connected
Nov 30 18:08:32 c2s55b4a576e800 info Client disconnected: ssl handshake error: sslv3 alert certificate unknown

/var/log/jitsi/jicofo.log says this:
Jicofo 2020-11-30 18:27:27.218 SEVERE: [613] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
… 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
… 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
… 22 more
Jicofo 2020-11-30 18:27:27.222 WARNING: [1075] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
… 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
… 22 more

Where can I look now?

Thanks for your help.

Can someone help me please?

Maybe the forum could help you?

Thanks for your answer.
I indeed searched the forum and tried the solution from issue 13448 (I said I re-executed update-ca-certificates -f) with no success.

Now trying the solution you suggested (although in my case p2p isn’t working either):
cacerts is not in /etc/ssl/certs/java on my system. The only one I could find is this: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/jre/lib/security
I moved it, reran update-ca-certificates, the file is not re-created.
I then restarted systemctl restart jicofo.service but the error is still there (not a surprise).

Can I post logs to help you understand where the problem lies? (Which one(s)?)

Strange, what does dpkg -l | grep openjdk give?

dpkg -l | grep openjdk
ii  adoptopenjdk-8-hotspot          8u275-b01-3                  amd64        OpenJDK Development Kit 8 (JDK) with Hotspot by AdoptOpenJDK

And also:

dpkg -L adoptopenjdk-8-hotspot |grep cacert
/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/jre/lib/security/cacerts

The game is afoot! Where did this package come from? Was it installed automatically by the jitsi-meet setup?

No, I used the one referenced by the quickstart guide.

Hum, Jitsi devs are not actually using Debian much themselves, so such mishaps are difficult to avoid. Maybe fixing the so-called Debian installer would be in order, since it seems that it’s not taking into account the specifics of the recommended package for Debian…
Oh well, if you are not running a million-dollar system where you need a certified-by-the-editor configuration, you can drop this thing and install openjdk-11-jre. Jitsi-meet runs with Java 11. I even run it with Java 14. I think that meet.jit.si does NOT run with Java 8 (that’s jibri that is more or less still tied to Java 8).

Thanks a lot, I will try that and let you know how things go. But I guess I need to apt purge jitsi-meet first to have the certificates regenerated in the right place by the installer?

Maybe you could just try to install openjdk. Debian-style OSes have this alternatives system, so it could just work. OTOH uninstalling jitsi-meet and reinstalling can have some problems too.

Ok, I purged everything, installed openjdk-11-jre, reinstalled everything and reconfigured the “Advanced configuration”, and everything is working perfectly now, in 1on1 and 3+.
Thank you very much!

It could be interesting to specify a few things in the quickstart:

  • that openjdk-11-jre tweak for Debian users
  • maybe add ports udp:3479 in the list of ports to be NATted (for turnserver to work, I’m not sure on this)
  • insist on the FQDN to be entered in the setup script. Default is localhost. At first, I did just put jitsi in there (instead of the FQDN) and this won’t work, obviously.
  • finally, give a little more explanation for certificates that need an intermediate certificate (you have to concatenate both certificates, the main one first)

Where should I make the suggestions?

Anyway, many thanks again for your help!

You can try to add an issue on the GitHub tracker for jitsi-meet - I’m afraid that your suggestions will be ignored though, not for being bad by themselves, but because developers are expecting users to do pull requests for documentation.

Ok, I see it here. I will try to do a PR.
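
Added example, not part of the thread: a shell sketch for diagnosing the mismatch discussed above, where a JVM reads its own bundled cacerts while update-ca-certificates only refreshes the Debian-managed Java keystore. It assumes that keystore lives at /etc/ssl/certs/java/cacerts (the location mentioned in the thread), that keytool and openssl are installed, and that the keystore still has its default password; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. SYSTEM_STORE is where Debian's
# ca-certificates-java keeps the keystore that update-ca-certificates refreshes.
SYSTEM_STORE="${SYSTEM_STORE:-/etc/ssl/certs/java/cacerts}"

# Print the default trust store of the JVM rooted at $1 (JDK 8 and 9+ layouts).
jvm_truststore() {
    for rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -e "$1/$rel" ]; then printf '%s\n' "$1/$rel"; return 0; fi
    done
    return 1
}

# Print "system-managed" if that store resolves to SYSTEM_STORE, "private" if
# the JVM ships its own copy, "missing" if no store is found.
classify_truststore() {
    store=$(jvm_truststore "$1") || { echo missing; return 0; }
    if [ -e "$SYSTEM_STORE" ] &&
       [ "$(readlink -f "$store")" = "$(readlink -f "$SYSTEM_STORE")" ]; then
        echo system-managed
    else
        echo private
    fi
}

# Succeed if the PEM certificate $2 is present in keystore $1. Assumes keytool
# and openssl are installed and the keystore uses the default password.
cert_in_truststore() {
    fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$fp" ] && keytool -list -v -keystore "$1" -storepass changeit 2>/dev/null |
        grep -qiF "$fp"
}

# Report for the java on PATH; $1 is the certificate the JVM must trust,
# e.g. the Prosody certificate linked from /usr/local/share/ca-certificates.
report() {
    home=$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")
    kind=$(classify_truststore "$home")
    echo "java home: $home"
    echo "trust store: $(jvm_truststore "$home" || echo none) ($kind)"
    if [ "$kind" != missing ] && cert_in_truststore "$(jvm_truststore "$home")" "$1"; then
        echo "certificate is trusted by this JVM"
    else
        echo "certificate NOT in this JVM's trust store"
    fi
}

if [ "$#" -eq 1 ]; then report "$1"; fi
```

Run it with the path of the Prosody certificate as its only argument. A "private" store that lacks the certificate is the state that matches the PKIX path building failure in jicofo.log.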