What's wrong with my server?

I just installed Jitsi.
When I go to https://meet.MyDomain
I get Unable to connect

jitsi-videobridge2.service - Jitsi Videobridge
Loaded: loaded (/lib/systemd/system/jitsi-videobridge2.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-05-31 14:02:47 PDT; 52min ago
Process: 864 ExecStartPost=/bin/bash -c echo $MAINPID > /var/run/jitsi-videobridge/jitsi-videobridge.pid (code=exited, status=0/SUCCESS)
Main PID: 863 (java)
Tasks: 45 (limit: 65000)
Memory: 292.7M
CGroup: /system.slice/jitsi-videobridge2.service
└─863 java -Xmx3072m -XX:+UseConcMarkSweepGC -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Dnet.java.sip.communicator.SC_HOME_DIR_LOCAT>

May 31 14:02:45 DocfxitU systemd[1]: Starting Jitsi Videobridge…
May 31 14:02:47 DocfxitU systemd[1]: Started Jitsi Videobridge.

server_names_hash_bucket_size 64;

server {
listen 80;
listen [::]:80;
server_name meet.MyDomain;

location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root         /usr/share/jitsi-meet;
}
location = /.well-known/acme-challenge/ {
   return 404;
}
location / {
   return 301 https://$host$request_uri;
}

}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name meet.MyDomain;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

add_header Strict-Transport-Security "max-age=31536000";

ssl_certificate /etc/ssl/meet.MyDomain.crt;
ssl_certificate_key /etc/ssl/meet.MyDomain.key;

root /usr/share/jitsi-meet;

# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;

index index.html index.htm;
error_page 404 /static/404.html;

gzip on;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;

location = /config.js {
    alias /etc/jitsi/meet/meet.MyDomain-config.js;
}

location = /external_api.js {
    alias /usr/share/jitsi-meet/libs/external_api.min.js;
}

#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
    add_header 'Access-Control-Allow-Origin' '*';
    alias /usr/share/jitsi-meet/$1/$2;
}

# BOSH
location = /http-bind {
    proxy_pass      http://localhost:5280/http-bind;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# xmpp websockets
location = /xmpp-websocket {
    proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    tcp_nodelay on;
}

location ~ ^/([^/?&:'"]+)$ {
    try_files $uri @root_path;
}

location @root_path {
    rewrite ^/(.*)$ / break;
}

location ~ ^/([^/?&:'"]+)/config.js$
{
   set $subdomain "$1.";
   set $subdir "$1/";

   alias /etc/jitsi/meet/meet.MyDomain-config.js;
}

#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
    set $subdomain "$1.";
    set $subdir "$1/";
    rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}

# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
    set $subdomain "$1.";
    set $subdir "$1/";
    set $prefix "$1";

    rewrite ^/(.*)$ /http-bind;
}

# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
    set $subdomain "$1.";
    set $subdir "$1/";
    set $prefix "$1";

    rewrite ^/(.*)$ /xmpp-websocket;
}

}

My firewall is turned off.
I did a packet capture and everything is forwarding from my router to the correct PC.
I don’t see port 443 listening:
sudo ufw show listening

tcp:
128 * (sshd)
[ 1] allow 128/tcp

139 * (smbd)
[ 4] allow Samba
[ 6] allow 139,445/tcp

445 * (smbd)
[ 4] allow Samba
[ 6] allow 139,445/tcp
[ 7] allow 445

45219 * (anydesk)
5222 * (lua5.2)
5269 * (lua5.2)
5280 * (lua5.2)
7070 * (anydesk)
tcp6:
128 * (sshd)
139 * (smbd)
[14] allow Samba
[16] allow 139,445/tcp

445 * (smbd)
[14] allow Samba
[16] allow 139,445/tcp
[17] allow 445

5222 * (lua5.2)
5269 * (lua5.2)
5280 * (lua5.2)
8888 * (java)
udp:
137 192.168.168.255 (nmbd)
[ 3] allow Samba
[ 5] allow 137,138/udp

137 192.168.168.58 (nmbd)
[ 3] allow Samba
[ 5] allow 137,138/udp

137 * (nmbd)
[ 3] allow Samba
[ 5] allow 137,138/udp

138 192.168.168.255 (nmbd)
[ 3] allow Samba
[ 5] allow 137,138/udp

138 192.168.168.58 (nmbd)
[ 3] allow Samba
[ 5] allow 137,138/udp

138 * (nmbd)
[ 3] allow Samba
[ 5] allow 137,138/udp

37326 * (avahi-daemon)
5000 * (java)
[12] allow 5000,10000/udp

50001 * (anydesk)
5353 * (avahi-daemon)
631 * (cups-browsed)
udp6:
10000 ::ffff:192.168.168.58 (java)
[22] allow 5000,10000/udp

45978 * (java)
5000 * (java)
[22] allow 5000,10000/udp

50015 * (avahi-daemon)
5353 * (avahi-daemon)

Does anyone know what could be wrong?

Thanks,

Jitsi by itself does not include any web server; the default installation just adds, as a dependency, an external web server, which most of the time happens to be Nginx. Nginx is what listens on port 443, and if you get a connect error on port 443, nginx is not listening (either it’s not running, or it’s listening but the packets your browser is sending are not making their way to nginx).
In any case, such a problem is a web server problem and as such has nothing to do with jitsi by itself. You have to know how to run a Linux internet server to operate Jitsi.

I have stopped nginx.
I can’t find anything running on port 443.
I have started nginx.
I get the error:
[emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
I can’t find anything running on port 443.
I run this command:
sudo grep -rnwi "listen" /etc/nginx
I can’t find any duplicates
I can’t figure out what is causing the problem

Thanks,

what gives
sudo ss -tapnu | grep 443

Thanks for the reply…

I get nothing.

it’s strange that if you run immediately after
sudo systemctl start nginx
you get a message like bind() to 0.0.0.0:443 failed (98: Address already in use).

I’d try to run nginx manually
/usr/sbin/nginx
and if it still displays this strange error message, I’d try to run it under strace

grep 443 /etc/nginx/ -R

There are duplicated listen

Thanks for catching that…
Which ones should I comment out?

When I check my server for port 443 I get an error saying:
Handshake failed, we haven’t received any certificates from the requested server.

What can I do to resolve this?

ssl_certificate /etc/ssl/meet.MyDomain.crt;
ssl_certificate_key /etc/ssl/meet.MyDomain.key;

Do you have these files?

yes.

Did you check with IP address or with host address?
Nginx doesn’t listen on 443 for the IP

sudo ss -tapnu | grep 443
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=61269,fd=6),("nginx",pid=61268,fd=6),("nginx",pid=61267,fd=6),("nginx",pid=61266,fd=6),("nginx",pid=61265,fd=6),("nginx",pid=61264,fd=6),("nginx",pid=61263,fd=6),("nginx",pid=61262,fd=6),("nginx",pid=61261,fd=6))

I mean the host address in the nginx conf (for example “server_name meet.MyDomain;”) should match the address used to access the site

The config file in /etc/nginx/sites-enabled/ directory

I don’t quite understand what you did. Normally, if you install jitsi with coturn, the jitsi-meet-turnserver package installs the 60-jitsi-meet.conf file and, in the postinst script, sets up nginx to listen on port 4444. So your install does not seem coherent, suggesting that something did go wrong.

It did set it up for port 4444. Because I created a CRT the port sounded wrong so I changed it to 443.

Well, now you know why it failed :)
The idea of coturn is to filter the packets before the TLS connection: either they go to nginx on port 4444 or they go to the coturn server, as seen in the 60-jitsi-meet.conf file.

So the 4444 port is very much intended.

If you don’t like coturn and want to have nginx listen directly to port 443 you could have installed jitsi with -no-install-recommended and jitsi-meet-turnserver would not have been installed (and nginx would have kept its default listening port)
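An added example, not part of the original posts or of the Jitsi packages: a check for the failure this thread ends up at, where nginx reports "Address already in use" although `ss` shows no listener, because a port is claimed twice inside nginx's own configuration. It assumes the port-443 front end from 60-jitsi-meet.conf lives in a `stream` block; the file contents below are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample files (not the package's real contents): a stream block that
# fronts port 443, and a site file whose listen port was hand-edited from 4444 to 443.
SAMPLE = {
    "modules-enabled/60-jitsi-meet.conf": """
stream {
    upstream web { server 127.0.0.1:4444; }
    server { listen 443; listen [::]:443; ssl_preread on; proxy_pass web; }
}""",
    "sites-enabled/meet.MyDomain.conf": """
server { listen 80; server_name meet.MyDomain; }
server {
    listen 443 ssl http2;        # the package had set 4444 here
    listen [::]:443 ssl http2;
    server_name meet.MyDomain;
}""",
}

def listens(text, outer):
    """Yield (context, family, port) for every listen directive in one file."""
    stack, stmt = [outer], ""
    text = re.sub(r"#[^\n]*", "", text)        # simplification: '#' always starts a comment
    for tok in re.findall(r"[{};]|[^{};]+", text):
        words = stmt.split()
        if tok == "{":
            stack.append(words[0] if words else "")
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == ";" and len(words) > 1 and words[0] == "listen":
            ctx = next((c for c in ("stream", "http") if c in stack), None)
            m = re.search(r"(?:^|:)(\d+)$", words[1])   # "443", "[::]:443", "1.2.3.4:443"
            if ctx and m:
                yield ctx, "ipv6" if words[1].startswith("[") else "ipv4", int(m.group(1))
        stmt = "" if tok in ("{", "}", ";") else tok

def cross_context_conflicts(files):
    """Map (family, port) -> {context: [files]} for ports claimed by both stream and http."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, text in files.items():
        # Assumption: sites-enabled/ and conf.d/ are included inside http {} by nginx.conf.
        outer = "http" if name.startswith(("sites-enabled/", "conf.d/")) else "main"
        for ctx, family, port in listens(text, outer):
            seen[(family, port)][ctx].append(name)
    return {k: dict(v) for k, v in seen.items() if {"stream", "http"} <= set(v)}

if __name__ == "__main__":
    for (family, port), users in sorted(cross_context_conflicts(SAMPLE).items()):
        print(f"{family} port {port}: stream={users['stream']} http={users['http']}")
```

On the sample it reports port 443 for both address families; with the site file back on 4444 it reports nothing.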

Thank you for catching that…
I am in no way wanting to change the default behavior or setup. I’m sure the developers know a lot more than I do.
Which files do I need to change the port from 443 back to 4444?