PKIX path building failed when I run jicofo.sh #2117
Comments
|
These instructions need update. |
|
This is all done automatically when using the debian packages and the quick-install method. |
|
@damencho Thank you for your answer! I removed the previous version and installed jitsi using the quick-install instruction and it all worked perfectly. |
|
@damencho I got the same error when run jicofo.sh, and I follow your instruction, it does not work, what should I do, if I follow https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md ? |
|
You need to make sure that the auth.jitsi.example.com domain in prosody is using a certificate with cn auth.jitsi.example.com and trusted on the jicofo machine. |
|
Here is the description in the readme https://github.com/jitsi/jicofo/blob/master/README.md#certificates |
|
Still having trouble with this, used the quick install scripts on Ubuntu 17.10 and there still seems to be a problem with jicofo connecting to prosody with the same above errors. I've tried re-running the scripts and purging all configs and reinstalling. I've verified that the auth cert is being placed correctly and update-ca-certficates is running. Any ideas? prosody log (debug level): jicofo - |
|
So I've faced a similar problem. It was that if you create a certificate for auth.X and you run update-ca-certficates it is added correctly. The file that is used from java is /etc/ssl/certs/java/cacerts, you can try backup it somewhere and run again update-ca-certficates, it should regenerate it with the correct values, if everything is fine in /usr/local/share/ca-certificates/. |
|
Purging all jitsi-meet packages and dependencies (java) won't help. |
|
On a closer look, By adding I got something like this: So, the cert that is using is not issued by Let's Encrypt, but locally and was created on the (re-)install process. Only the jitsi.domain.lts cert found at I have tried to add the auth.example.domain.ltd cert to My best guest is to delete the certs at /var/lib/prosody/ manually generate the auth certs and use a symlink from /etc/letsencrytp/live/ to /var/lib/prosody/ If it works, maybe that could be added to the LetsEncrypt script. |
|
No auth domain does not need LetsEncrypt certificate, it is the desired behavior. It just needs a certificate that is trusted on the machine where jicofo is running. |
|
So you tried removing /etc/ssl/certs/java/cacerts and running again update-ca-certficates? Did that help? |
|
Finally got it working by using keytool to import the self signed cert (removing it didn't help, nor update-ca-certificates). I wonder. Does all the subdomains have to point to the actual server? or are they just locally recognize.
I wasn't sure about it, so I did. 😅 |
|
Nope, those are internal to prosody, jicofo, jvb, and jitsi-meet. All you need is a trusted certificate to the domain you enter in the browser, and that domain to be publicly available. |
|
All you need is executing update-ca-certificates -f, no file removal is needed. |
|
Yeah, I thought that by deleting it will force the rebuild of the certs. |
|
@damencho @Ark74 @Ark74 you said
i want to know how you did it. Thank you!!
|
|
Did you try running update-ca-certificates -f and restart jicofo, does this fix it? |
|
If not, add your ssl cert to /etc/ssl/certs/java/cacerts using keytool. That's how i solved. |
|
What was the complete command you used? I have tried several ways to add the ssl cert using keytool and I can't get it to work. |
|
This is taken from my history, please check they match your case;
Cheers! |
|
@damencho on a second test it worked. Thanks! |
|
Hi @Ark74 , ----------------------------prosody server------------------------------- ln -sf /var/lib/prosody/meet24.covavi.vn.crt /usr/local/share/ca-certificates/meet24.covavi.vn.crt ln -sf /var/lib/prosody/auth.meet24.covavi.vn.crt /usr/local/share/ca-certificates/auth.meet24.covavi.vn.crt ---------------------------prosody /etc/hosts------------------- ----------------------------jicofo hosts------------------------------------------- --------------------------------------------jicofo log----------------------------------------------- |
|
The part with moving the certs and make them trusted is for jicofo, if you are running both on different machines, you need to transfer the to the jocofo server and execute the update command there. |
Hi @damencho,
|
|
Having the same issue in an ubuntu 16.04. sudo apt-get install ca-certificates-java
sudo update-ca-certificates -fRight now the $ ll /var/lib/prosody/
-rw-r----- 1 prosody prosody 919 oct 24 23:37 auth.domain.cnf
-rw-r--r-- 1 prosody prosody 1716 oct 24 23:37 auth.domain.crt
-r-------- 1 prosody prosody 1679 oct 24 23:37 auth.domain.key
-rw------- 1 prosody prosody 1024 oct 24 23:37 .rnd
-rw-r----- 1 prosody prosody 1751 oct 25 21:59 domain.cnf
-rw-r----- 1 prosody prosody 2468 oct 25 21:59 domain.crt
-r-------- 1 prosody prosody 1675 oct 25 21:59 domain.key
$ ll /usr/local/share/ca-certificates/
lrwxrwxrwx 1 root root 49 oct 24 23:37 auth.domain.crt -> /var/lib/prosody/auth.domain.crt
lrwxrwxrwx 1 root root 44 oct 25 23:36 domain.crt -> /var/lib/prosody/domain.crt
$ ll /etc/ssl/certs/ | grep domain
lrwxrwxrwx 1 root root 32 oct 25 23:49 3e24c727.0 -> auth.domain.pem
lrwxrwxrwx 1 root root 32 oct 25 23:49 95b29656.0 -> auth.domain.pem
lrwxrwxrwx 1 root root 65 oct 25 23:49 auth.domain.pem -> /usr/local/share/ca-certificates/auth.domain.crt
lrwxrwxrwx 1 root root 27 oct 25 23:49 bc3edbc1.0 -> domain.pem
lrwxrwxrwx 1 root root 27 oct 25 23:49 d4b59934.0 -> domain.pem
lrwxrwxrwx 1 root root 60 oct 25 23:49 domain.pem -> /usr/local/share/ca-certificates/domain.crt |
|
Found solution here: #2676 (comment) |
After that, rebooting the system or restarting the service will solve the problem. My OS: ubuntu 20.04 LTS |
When I follow this step from the Server Installation for Jitsi Meet:
Run jicofo:
Then I get this error:
Please help me to fix it.
The text was updated successfully, but these errors were encountered: