Certificate problem with Let's Encrypt and Jitsi

I have a UCS installation version 5.
The portal is accessible from the Internet with ‘univention.myserver.org’.

Let’s Encrypt provides the certificate for ‘*.univention.myserver.org’.

Jitsi is installed as an app, reachable from the internet with: ‘jitsi.univention.myserver.org’.

However, when Jitsi is called up, the certificate is not accepted by the Edge and Firefox browsers. Safari asks if the certificate should be trusted. After that, the Jitsi window opens successfully.

Error message in Edge: NET::ERR_CERT_INVALID
Error message in Firefox: Error code: SEC_ERROR_UNKNOWN_ISSUER

What can I do? Any advice?

Make a subdomain for domain.com/jitsi or jitsi.domain.com (the latter will take a reverse proxy). Point the DNS toward your public IP in your DNS provider, and SSL the domain instead of trying to use UCS.

Thanks!

I tried as recommended:

Unfortunately it didn’t work. I can reach only the portal, but not Jitsi.

I tried again what I did before several times:

After that I cannot reach Jitsi via ‘jitsi.univention.myserver.org’ anymore; every time I get the portal again. Constantly looping around…

Then I got rid of the certificate ‘jitsi.univention.myserver.org’ again. Result: I can reach Jitsi again. Crazy.

Any further advice?

Hi @ReinerD

can you post the output of:

ucr search --brief jitsi

I have it running with a separate Apache vhost like:

<VirtualHost *:443>
        ServerName jitsi.myserver.org
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key

        ProxyPass / http://localhost:8888/ retry=0
        ProxyPassReverse / http://localhost:8888/
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        RewriteEngine on
        RewriteCond %{HTTP:Connection} Upgrade [NC]
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteRule ^/?(.*) "ws://127.0.0.1:8888/$1" [P,L]

</VirtualHost>

The LE-Cert is from the LE-univention-app.

Best, Bernd

Hi Bernd,
many thanks.

Here’s the output of ‘ucr search --brief jitsi’:

apache2/vhosts/jitsi.univention.myserver.org/443/aliases:
apache2/vhosts/jitsi.univention.myserver.org/443/enabled: true
apache2/vhosts/jitsi.univention.myserver.org/443/files: /var/lib/univention-appcenter/apps/jitsimeet/config/vhost.conf
apache2/vhosts/jitsi.univention.myserver.org/443/ssl/ca: /etc/univention/ssl/ucsCA/CAcert.pem
apache2/vhosts/jitsi.univention.myserver.org/443/ssl/certificate: /etc/univention/ssl/*.univention.myserver.org/cert.pem
apache2/vhosts/jitsi.univention.myserver.org/443/ssl/key: /etc/univention/ssl/*.univention.myserver.org/private.key
appcenter/apps/jitsimeet/container: 69428d8f34f8a68d405bda6c5a88f8d43c70aa711a2252c6217c297a7f3532ed
appcenter/apps/jitsimeet/hostdn: cn=jitsi-08555794,cn=memberserver,cn=computers,dc=myserver,dc=org
appcenter/apps/jitsimeet/ports/10000: 10000
appcenter/apps/jitsimeet/ports/4443: 4443
appcenter/apps/jitsimeet/status: installed
appcenter/apps/jitsimeet/ucs: 4.4
appcenter/apps/jitsimeet/version: stable-6726-2
jitsimeet/autostart: yes
jitsimeet/docker/host/address: 192.168.115.119
jitsimeet/enable/auth: false
jitsimeet/enable/guests: true
jitsimeet/ldap/filter: (&(uid=%u)(jitsimeetActivated=TRUE))
security/packetfilter/package/jitsimeet/tcp/10000/all/en: for RTP media over UDP
security/packetfilter/package/jitsimeet/tcp/10000/all: ACCEPT
security/packetfilter/package/jitsimeet/tcp/4443/all/en: for RTP media over TCP
security/packetfilter/package/jitsimeet/tcp/4443/all: ACCEPT
security/packetfilter/package/jitsimeet/udp/10000/all/en: for RTP media over UDP
security/packetfilter/package/jitsimeet/udp/10000/all: ACCEPT

Any hint? I’m not an expert as you can imagine… :wink:

This should be the public url → so probably jitsi.myserver.org

Maybe, if you need to, you can set aliases too.

The rest looks similar with my settings.
I have jitsimeet/enable/auth: true
but this is a security topic and has nothing to do with the loop you are facing.

Best, Bernd

Thanks again.

In case I forward ‘jitsi.myserver.org’ to the public IP of my UCS-installation, I only get the portal.
In case I forward ‘jitsi.myserver.org’ to ‘jitsi.univention.myserver.org’, I can reach Jitsi, but no web-browser accepts the LE certificate.

In case I install a certificate for ‘jitsi.univention.myserver.org’ using LE, I cannot reach Jitsi anymore, just the portal of UCS-installation.

No difference whether the FQDN is ‘univention.server.org’ or ‘UCS-1234.myserver.intranet’.
No difference whether I install univention version 4 (latest release) or version 5 (latest release).

In the meantime I assume there’s something wrong with the implementation of Jitsi in Univention.

Yes, I know, you’re right. It has nothing to do with the problem of my topic.

Any hint or advice?
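The two browser errors in this thread come from two different checks a browser performs on the served certificate: the issuer must chain to a trusted CA (SEC_ERROR_UNKNOWN_ISSUER says it does not, which fits the ucr output above, where the Jitsi vhost points at /etc/univention/ssl/ucsCA and the UCS-issued cert rather than at /etc/univention/letsencrypt like Bernd's vhost), and the requested hostname must be covered by a subjectAltName entry (a wildcard such as ‘*.univention.myserver.org’ covers ‘jitsi.univention.myserver.org’ but not ‘jitsi.myserver.org’, so forwarding the shorter name cannot work with that certificate). The following Python is an added example, not code from the forum or from Univention: it implements the browser's hostname matching rule, classifies which of the two failures applies, and offers a probe that connects with SNI and reports what the server actually serves. The hostnames and SAN lists are taken from the thread; `probe_server` needs network access and is an assumption about how one would check a live host, while the matcher and classifier run offline.

```python
import socket
import ssl


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Mirrors browser behaviour (RFC 6125 / RFC 9525): comparison is
    case-insensitive, a wildcard is honoured only as the whole leftmost
    label, it matches exactly one non-empty label (never zero or several),
    and it must be followed by at least two fixed labels.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_names:
        pattern_labels = name.rstrip(".").lower().split(".")
        if len(pattern_labels) != len(host_labels):
            continue
        first, *rest = pattern_labels
        if first == "*":
            if len(rest) >= 2 and host_labels[0] and rest == host_labels[1:]:
                return True
        elif pattern_labels == host_labels:
            return True
    return False


def classify(hostname: str, san_names: list[str], issuer_trusted: bool) -> str:
    """Map the two browser checks onto the error class a user would see.

    Trust is evaluated first because browsers report an unknown issuer
    (SEC_ERROR_UNKNOWN_ISSUER / NET::ERR_CERT_INVALID) before a name
    mismatch; a certificate from a private CA such as the UCS CA is
    untrusted on client machines that never imported that CA.
    """
    if not issuer_trusted:
        return "unknown-issuer"
    if not hostname_matches(hostname, san_names):
        return "name-mismatch"
    return "ok"


def probe_server(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with SNI=hostname, verify against the system trust store and
    report issuer and SAN list, or the verification failure reason.

    Assumption for illustration: running this from an ordinary client machine
    shows the same verdict a browser reaches for that vhost.
    """
    ctx = ssl.create_default_context()  # check_hostname and CERT_REQUIRED on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate" for a UCS-CA cert,
        # or "Hostname mismatch" when the SAN list does not cover the name
        return {"verified": False, "reason": exc.verify_message}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return {
        "verified": True,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "sans": sans,
        "name_match": hostname_matches(hostname, sans),
    }


if __name__ == "__main__":
    # Constructed inputs matching the thread: a Let's Encrypt wildcard for
    # *.univention.myserver.org, tried against the two public names discussed.
    le_sans = ["*.univention.myserver.org"]
    for host in ("jitsi.univention.myserver.org", "jitsi.myserver.org"):
        print(host, "->", classify(host, le_sans, issuer_trusted=True))
    # The UCS-CA issued cert from the ucr output: name would match, issuer does not.
    print("ucsCA cert ->", classify("jitsi.univention.myserver.org",
                                   ["*.univention.myserver.org"], issuer_trusted=False))
```

To inspect a real vhost, call `probe_server("jitsi.univention.myserver.org")` from a machine outside the UCS domain; a `verified: False` result with an issuer-related reason points at the vhost's ssl/ca and ssl/certificate UCR keys, while a hostname-mismatch reason means the public name is not in the certificate's SAN list and either the DNS name or the certificate has to change.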
