BigBlueButton endpoint and security key invalid - multiple servers affected


lrit18

Oct 4, 2021, 12:52:13 PM
to bigbluebutton-users
Hello dear community,
it seems like a bigger problem to me. It seems that some administrators and BBB servers are affected. Since the end of last week I've been getting the message: "Server error on several BBB servers
BigBlueButton endpoint and security key invalid"
The domain name has already been reset with --setip. This had always helped with previous occurrences.
What is the cause of the error that many of my friends also have? Thanks for your help.

lrit18

Oct 4, 2021, 1:03:57 PM
to bigbluebutton-users
Secret in the

root@localhost:~/greenlight# docker-compose config

file is the correct secret displayed by sudo bbb-conf --secret

Tihomir Vlahovski

Oct 5, 2021, 5:15:30 PM
to bigbluebutton-users
Same here. Multiple servers (Ubuntu 18 LTS) out of the blue started to complain about that (when using GL). So checking the GL logs (~/greenlight/logs/production.log):
BigBlueButtonException: Connection error. Your URL is probably incorrect: "https://example.com/bigbluebutton/api". Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)
The server is using LE certificates and the certificate is valid. The BBB is working though (on all affected servers) via the API. The CA certificates are up to date as well:
update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.

So which certificate is the problematic one in this case?

Cheers,
-Tiho

manish katyan

Oct 5, 2021, 10:59:16 PM
to bigbluebu...@googlegroups.com
Hi,

Here is the solution which helped us to resolve the SSL issue for our BBB servers.

  1. Uninstall old certbot: sudo apt-get remove certbot.
  2. Install latest certbot. Here is how you can do it on an Ubuntu server:
    1. Install the snap if you do not have it already: sudo apt-get install snapd
    2. Install certbot: sudo snap install --classic certbot
  3. Renew the certificate: sudo certbot renew --force-renewal --cert-name --preferred-chain "ISRG Root X1"

Let me know if you are able to resolve the errors with the steps above.


- Manish




Tihomir Vlahovski

Oct 6, 2021, 7:37:25 AM
to bigbluebu...@googlegroups.com
Thanks Manish,
After reinstalling the certbot app, forcing the certificate to renew, and restarting BBB (bbb-conf --restart), now GL is able to communicate properly and everything is working fine.

Cheers,
-Tiho




lrit18

Oct 6, 2021, 1:07:05 PM
to bigbluebutton-users
Hello,
unfortunately it does not work.
"sudo apt-get install snapd" works but "sudo snap install --classic certbot" does not.

Error message:
error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
       /tmp/sanity-mountpoint-031394922: mount failed: Unknown error -1

I found out that you should restart the system and then run sudo snap install --classic certbot again. Unfortunately the error message persists.

Then I installed it with "sudo apt install certbot".
Is it OK?

But then "sudo certbot renew --force-renewal --cert-name --preferred-chain "ISRG Root X1"" does not work.
I got an error message again:

usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-name: expected one argument

lrit18

Oct 6, 2021, 1:13:10 PM
to bigbluebutton-users
When I enter "sudo certbot renew" I see:
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/XXXXXX.de/fullchain.pem expires on 2021-11-18 (skipped)
No renewals were attempted.

Certificate from my server is valid until 11-2021.
So what exactly is "sudo certbot renew --force-renewal --cert-name --preferred-chain "ISRG Root X1"" for?

Koen Roggemans

Oct 7, 2021, 2:34:30 AM
to bigbluebutton-users
I assume the background of this problem is https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
So it can be a client problem too.


lrit18

Oct 7, 2021, 2:58:02 AM
to bigbluebutton-users
I assume so too. They wrote on the website:

"What should you do? For most people, nothing at all! We’ve set up our certificate issuance so your web site will do the right thing in most cases, favoring broad compatibility. If you provide an API or have to support IoT devices, you’ll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default."

Unfortunately it doesn't work out yet. I assume that I also have to take action. Unfortunately, Manish's commands did not work properly.

Is there a trick I can use to tell my BBB server to trust ISRG Root X1? That should solve the problem.

IanG

Oct 7, 2021, 6:46:24 AM
to bigbluebu...@googlegroups.com

sudo apt-get install snapd
sudo apt-get remove -y certbot

sudo apt install fuse squashfuse
sudo snap install certbot --classic
sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"


Regards,

IanG
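
Added example, not part of any post in this thread: the Let's Encrypt text quoted above and the --preferred-chain "ISRG Root X1" renewal both come down to which chain the server sends, and this sketch lists every certificate in a fullchain.pem and reports whether any of them was issued by DST Root CA X3. The function names are hypothetical, the demo bundle is constructed with throwaway keys, and the openssl command-line tool is assumed to be installed.

```shell
# Added example, not from the thread; function names are hypothetical.
# Usage on a server: chain_report /etc/letsencrypt/live/<your-domain>/fullchain.pem

# chain_report FILE: print "<n> | <notAfter> | <subject> | <issuer>" per certificate.
chain_report() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    n=0
    for cert in "$dir"/cert*.pem; do
        [ -f "$cert" ] || continue
        n=$((n + 1))
        printf '%s | %s | %s | %s\n' "$n" \
            "$(openssl x509 -in "$cert" -noout -enddate)" \
            "$(openssl x509 -in "$cert" -noout -subject)" \
            "$(openssl x509 -in "$cert" -noout -issuer)"
    done
    rm -rf "$dir"
    [ "$n" -gt 0 ]   # fail if the file held no certificate at all
}

# uses_dst_x3_chain FILE: succeed if any certificate in the bundle was issued by
# DST Root CA X3, i.e. the server sends the cross-signed (long) chain.
uses_dst_x3_chain() {
    chain_report "$1" | grep 'issuer=.*DST Root CA X3' >/dev/null
}

# make_demo_chain DIR: constructed test data with throwaway keys. long.pem ends in
# a cert named "ISRG Root X1" issued by a stand-in "DST Root CA X3"; short.pem does not.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=DST Root CA X3" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ISRG Root X1" \
        -keyout "$d/x1.key" -out "$d/x1.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/x1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/x1.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" > "$d/short.pem" &&
    cat "$d/leaf.pem" "$d/x1.pem" > "$d/long.pem"
}
```

Running uses_dst_x3_chain on the live fullchain.pem before and after the renewal shows whether the served chain actually changed.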



Waqar Younis

Oct 7, 2021, 4:40:21 PM
to bigbluebu...@googlegroups.com
It is working on Firefox, but on Google Chrome it is giving the same issue.

lrit18

Oct 10, 2021, 5:24:43 AM
to bigbluebutton-users
Hey IanG,
unfortunately there is still the error message when I post the sudo snap install certbot --classic command.

root@localhost:~# sudo snap install certbot --classic

error: system does not fully support snapd: cannot mount squashfs image using
       "squashfs": mount: /tmp/sanity-mountpoint-214646375: mount failed:
       Unknown error -1

Any idea?
Thanks