SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present


Roger

Apr 5, 2016, 6:35:10 PM
to BigBlueButton-dev
Presently, completed installing BBB on Ubuntu 14.04.  This is what the bbb-conf --check gives me:

rmoore@s166-62-22-114:~$ sudo bbb-conf --clean

# Warning: API URL IPs do not match host:

#

#                                IP from ifconfig: 166.62.22.114

#  /var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp: String BigBlueButtonURL = "https:


Doing a restart of BigBlueButton and cleaning out all log files...

 * Stopping daemon monitor monit                                         [ OK ] 

 * Stopping Red5 Server red5                                             [ OK ] 

 * Stopping Tomcat servlet engine tomcat7                                [ OK ] 

Killing: 3533

 * Stopping bbb-record-core


Cleaning Log Files ...

 * nginx is not running

 * Red5 Server is not running.

 * Tomcat servlet engine is not running.


5066 Backgrounding.

Waiting for FreeSWITCH to start: ...............

 * Starting Red5 Server red5                                                     

                                                                         [ OK ]

 * Starting Tomcat servlet engine tomcat7                                [ OK ] 

 * Starting daemon monitor monit                                         [ OK ] 


Note: monit will automatically start bbb-record-core and LibreOffice within 60 seconds.


Waiting for BigBlueButton to finish starting up (this may take a minute): ...... done



** Potential problems described below **

# Warning: API URL IPs do not match host:

#

#                                IP from ifconfig: 166.62.22.114

#  /var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp: String BigBlueButtonURL = "https:


# Warning: The API demos are installed and accessible from:

#

#    http://166.62.22.114/

#

# These API demos allow anyone to access your server without authentication

# to create/manage meetings and recordings. They are for testing purposes only.

# If you are running a production system, remove them by running:

#

#    sudo apt-get purge bbb-demo


# Warning: The client self check is installed and accessible from:

#

#    http://166.62.22.114/check

#


# Error: Unable to reach default URL for presentation:

#

#    https://166.62.22.114/default.pdf

#

# Check value for beans.presentationService.defaultUploadedPresentation in

#   /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties


When I attempt to run the basic demo, by going to:


http://166.62.22.114


Then I enter a username, and hit the "Join" button, I get the following exception:


java.lang.NullPointerException
at org.apache.jsp.demo1_jsp.getJoinURL(demo1_jsp.java:222)
at org.apache.jsp.demo1_jsp._jspService(demo1_jsp.java:1278)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)

Attribute List
javax.servlet.forward.request_uri /demo/demo1.jsp
javax.servlet.forward.context_path /demo
javax.servlet.forward.servlet_path /demo1.jsp
javax.servlet.forward.query_string username=Roger&action=create
javax.servlet.jsp.jspException java.lang.NullPointerException
javax.servlet.error.status_code 500
javax.servlet.error.servlet_name jsp
javax.servlet.error.exception java.lang.NullPointerException
javax.servlet.error.request_uri /demo/demo1.jsp

When I check the debug command, this is what I get:

rmoore@s166-62-22-114:~$ sudo bbb-conf --debug
   -- Exceptions found in /var/lib/tomcat7/logs/ -- 
/var/lib/tomcat7/logs/catalina.out:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
/var/lib/tomcat7/logs/catalina.out: at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
/var/lib/tomcat7/logs/catalina.out:Caused by: java.security.cert.CertificateException: No subject alternative names present
/var/lib/tomcat7/logs/catalina.out:java.lang.NullPointerException


Does anyone have any suggestions?  TIA.

Mario Gasparoni Junior

Apr 5, 2016, 7:07:41 PM
to bigblueb...@googlegroups.com
A few days ago I had a similar exception in the bbb-web API, and I resolved it by adding my certificate to the Java keystore. Something like:
keytool -import -v -trustcacerts -alias <your.domain> -file /path/to/your/certificate/<your.domain>.crt -keystore <JAVA_HOME>/jre/lib/security/cacerts -keypass yourpass -storepass yourpass

If you followed the BBB docs, <JAVA_HOME> should be /usr/lib/jvm/java-7-openjdk-amd64



--
Att. Mário Gasparoni.

Roger

Apr 5, 2016, 8:16:32 PM
to BigBlueButton-dev
Thank you for the quick reply.  This is what I get when I use your command:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1226)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:789)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
... 5 more

Can I use development keys, or do they need to be legitimate SSL/TLS keys?  Right now the keys I'm using are development keys.  Also, I just created the domain yesterday, so perhaps would that explain why it didn't work?

This is the actual command I used:

keytool -import -v -trustcacerts -alias tuberedu.ca -file /etc/nginx/ssl/cert.pem -keystore /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts -keypass mypassword -storepass mypassword

Mario Gasparoni Junior

Apr 5, 2016, 8:48:11 PM
to bigblueb...@googlegroups.com
Forgive me, for some reason when I took note of it I changed the default cacerts password, which is changeit.

The command actually should be:

keytool -import -v -trustcacerts -alias <your.domain> -file /path/to/your/certificate/<your.domain>.crt -keystore <JAVA_HOME>/jre/lib/security/cacerts -keypass changeit -storepass changeit

Hope this helps.

Roger

Apr 5, 2016, 10:26:21 PM
to BigBlueButton-dev
Thank you so much.  The keytool command worked; here is some of the output:                                                                                 

rmoore@s166-62-22-114:~$ sudo keytool -import -v -trustcacerts -alias tuberedu.ca -file /etc/nginx/ssl/cert.pem -keystore /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts -keypass changeit -storepass changeit
...                                                                                 
Signature algorithm name: SHA256withRSA
Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts]                                                                                 

Unfortunately, when I try to open the base URL,


And click on the "Join" button after entering my name, I still get these errors:
                                                                                 
Status Code 500
Exception Type null
Message null
Exception
Header List
Name Value
x-forwarded-for 23.17.146.67
connection close
accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests 1
user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
accept-encoding gzip, deflate, sdch
accept-language en-US,en;q=0.8
cookie JSESSIONID=16FF8D32BF18FAA8346193003DA5E9B4
Attribute List
javax.servlet.forward.request_uri /demo/demo1.jsp
javax.servlet.forward.context_path /demo
javax.servlet.forward.servlet_path /demo1.jsp
javax.servlet.forward.query_string username=Bill&action=create
javax.servlet.jsp.jspException java.lang.NullPointerException
javax.servlet.error.status_code 500
javax.servlet.error.servlet_name jsp
javax.servlet.error.exception java.lang.NullPointerException
javax.servlet.error.request_uri /demo/demo1.jsp

This is the output from debug:                                                                                 
                                                                                 
moore@s166-62-22-114:~$ sudo bbb-conf --debug
   -- Exceptions found in /var/lib/tomcat7/logs/ -- 
/var/lib/tomcat7/logs/catalina.out:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
/var/lib/tomcat7/logs/catalina.out: at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
/var/lib/tomcat7/logs/catalina.out:Caused by: java.security.cert.CertificateException: No subject alternative names present
/var/lib/tomcat7/logs/catalina.out:java.lang.NullPointerException

Should I be using my server IP address instead of the tuberedu.ca domain?

Mario Gasparoni Junior

Apr 6, 2016, 6:14:33 AM
to bigblueb...@googlegroups.com

> Should I be using my server IP address instead of the tuberedu.ca domain?

Use your domain name

Take a look at:
http://docs.bigbluebutton.org/install/install.html#configure-bigbluebutton-to-use-a-domain-name

Sent from mobile

Roger

Apr 6, 2016, 12:55:58 PM
to BigBlueButton-dev
Thank you so much.  Now I have set up the domain name, so that when I go to the following URL, it brings up the demo page as expected:


Again, when I enter a username and click the "Join" button, it looks like I am getting the same error:

An Error has occured:
Root Cause
Header List
Name Value
x-forwarded-for 23.17.146.67
connection close
accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests 1
user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
accept-encoding gzip, deflate, sdch
accept-language en-US,en;q=0.8
cookie JSESSIONID=B9203B23BEBE9EBA146CA22EE79521E4
Attribute List
javax.servlet.forward.request_uri /demo/demo1.jsp
javax.servlet.forward.context_path /demo
javax.servlet.forward.servlet_path /demo1.jsp
javax.servlet.forward.query_string username=Biff&action=create
javax.servlet.jsp.jspException java.lang.NullPointerException
javax.servlet.error.status_code 500
javax.servlet.error.servlet_name jsp
javax.servlet.error.exception java.lang.NullPointerException
javax.servlet.error.request_uri

Here is the output from clean, check and debug:

rmoore@s166-62-22-114:~/Workspace/TutorApplication$ sudo bbb-conf --clean

# IP does not match:

#                           IP from ifconfig: 166.62.22.114

#   /etc/nginx/sites-available/bigbluebutton: tuberedu.ca

# Warning: API URL IPs do not match host:

#

#                                IP from ifconfig: 166.62.22.114

#  /var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp: String BigBlueButtonURL = "https:


Doing a restart of BigBlueButton and cleaning out all log files...

 * Stopping daemon monitor monit                                         [ OK ] 

 * Stopping Red5 Server red5                                             [ OK ] 

 * Stopping Tomcat servlet engine tomcat7                                [ OK ] 

Killing: 20576

 * Stopping bbb-record-core


Cleaning Log Files ...

 * nginx is not running

 * Red5 Server is not running.

 * Tomcat servlet engine is not running.


22658 Backgrounding.

Waiting for FreeSWITCH to start: ...............

 * Starting Red5 Server red5                                                     

                                                                         [ OK ]

 * Starting Tomcat servlet engine tomcat7                                [ OK ] 

 * Starting daemon monitor monit                                         [ OK ] 


Note: monit will automatically start bbb-record-core and LibreOffice within 60 seconds.


Waiting for BigBlueButton to finish starting up (this may take a minute): ....... done



** Potential problems described below **

# IP does not match:

#                           IP from ifconfig: 166.62.22.114

#   /etc/nginx/sites-available/bigbluebutton: tuberedu.ca

# Warning: API URL IPs do not match host:

#

#                                IP from ifconfig: 166.62.22.114

#  /var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp: String BigBlueButtonURL = "https:


# Warning: The API demos are installed and accessible from:

#

#

# These API demos allow anyone to access your server without authentication

# to create/manage meetings and recordings. They are for testing purposes only.

# If you are running a production system, remove them by running:

#

#    sudo apt-get purge bbb-demo


# Warning: The client self check is installed and accessible from:

#

#    http://tuberedu.ca/check

#


rmoore@s166-62-22-114:~/Workspace/TutorApplication$ 

rmoore@s166-62-22-114:~/Workspace/TutorApplication$ sudo bbb-conf --check


BigBlueButton Server 0.9.1 (402)

                    Kernel version: 3.13.0-042stab092.2

                      Distribution: Ubuntu 14.04.4 LTS (64-bit)

                            Memory: 8192 MB


/var/www/bigbluebutton/client/conf/config.xml (bbb-client)

  Port test (tunnel): tuberedu.ca

                              Red5: tuberedu.ca

              useWebrtcIfAvailable: true


/opt/freeswitch/conf/sip_profiles/external.xml (FreeSWITCH)

                    websocket port: 5066

                    WebRTC enabled: true


/etc/nginx/sites-available/bigbluebutton (nginx)

                       server name: tuberedu.ca

                              port: 80

443 ssl

                    bbb-client dir: /var/www/bigbluebutton


/var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties (bbb-web)

                      bbb-web host: tuberedu.ca


/var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp (API demos)

                           api url: String BigBlueButtonURL = "https:


/var/www/bigbluebutton/check/conf/config.xml (client check)

                      client check: tuberedu.ca


/usr/share/red5/webapps/bigbluebutton/WEB-INF/red5-web.xml (red5)

                  voice conference: FreeSWITCH

                     capture video: true

                   capture desktop: true


/usr/local/bigbluebutton/core/scripts/bigbluebutton.yml (record and playback)

                     playback host: tuberedu.ca



** Potential problems described below **

# IP does not match:

#                           IP from ifconfig: 166.62.22.114

#   /etc/nginx/sites-available/bigbluebutton: tuberedu.ca

# Warning: API URL IPs do not match host:

#

#                                IP from ifconfig: 166.62.22.114

#  /var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp: String BigBlueButtonURL = "https:


# Warning: The API demos are installed and accessible from:

#

#

# These API demos allow anyone to access your server without authentication

# to create/manage meetings and recordings. They are for testing purposes only.

# If you are running a production system, remove them by running:

#

#    sudo apt-get purge bbb-demo


# Warning: The client self check is installed and accessible from:

#

#    http://tuberedu.ca/check

#


rmoore@s166-62-22-114:~/Workspace/TutorApplication$ sudo bbb-conf --debug

   -- Exceptions found in /var/lib/tomcat7/logs/ -- 

/var/lib/tomcat7/logs/catalina.out:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 166.62.22.114 found

/var/lib/tomcat7/logs/catalina.out: at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

/var/lib/tomcat7/logs/catalina.out:Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 166.62.22.114 found

/var/lib/tomcat7/logs/catalina.out:java.lang.NullPointerException


rmoore@s166-62-22-114:~/Workspace/TutorApplication$ 


Do you have any suggestions?  TIA.

Chad Pilkey

Apr 6, 2016, 2:15:16 PM
to BigBlueButton-dev
I Googled the SSLHandshakeException error message and it looks like the problem occurs when you create an SSL certificate for one domain and try and access your server from a different domain. For instance the certificate is for test.com and you try to go to https://mysever.com (assuming they both resolve to the same IP address).

Also, if you are using a self-signed certificate you will run into other issues because Tomcat won't accept it. You can use a service like Let's Encrypt to generate a legitimate certificate.
...

Roger

Apr 6, 2016, 3:06:52 PM
to BigBlueButton-dev
Thank you for the feedback, Chad.  Just a couple of hours ago I set up the certificate I purchased for my domain, so it should no longer be using the self-signed certificate.  I opened the 443 port using:

sudo ufw allow 443/tcp



tuberedu.ca resolves to 166.62.22.114

 

Server Type: nginx/1.4.6 (Ubuntu)

 

The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

 

The certificate was issued by GoDaddy.

 

The certificate will expire in 364 days.

 

The hostname (tuberedu.ca) is correctly listed in the certificate.

When I use this command:

sudo openssl s_client -showcerts -connect 166.62.22.114:443


Here is the output:


CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=tuberedu.ca
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIFLDCCBBSgAwIBAgIIW1shzCzqaP4wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
...
qFYuWxLPFRNELaqJO3E2Ig91XvK5rOlKRQTeUjPiHmQ=
-----END CERTIFICATE-----
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
...
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
...
rw==
-----END CERTIFICATE-----
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
...
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=tuberedu.ca
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5429 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7A98293CD4F8C9F11FF6AE4AC9DB83E86B11F58D5CA2B2BBF3AABED2F1C1881D
    Session-ID-ctx: 
    Master-Key: 4B40DDCBFC08336DD9E384D167B65F369DF8F42BCE636EC34DF641A4656E22041F3B4040F2E27A03E65BAE0C637B114E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - d2 29 d0 36 60 af 3b 60-5a 88 0b f1 0d f6 cd 8c   .).6`.;`Z.......
...
    00a0 - bf 2b 3c 7c 6b 5b 40 4d-0d 15 df 83 6b cf 37 76   .+<|k[@M....k.7v

    Start Time: 1459968766
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

read:errno=0
rmoore@s166-62-

So it looks like somehow it is still trying to use the self-signed certificate, though it is also picking up the correct certificate.  The installation guide at http://docs.bigbluebutton.org/install/install.html says that I need to put the certificate and key in:

/etc/nginx/ssl/


But do I also need to copy the certificate and key to the default Ubuntu location here?

/etc/ssl/certs/


Do you have any suggestions?  TIA.

...

Roger

Apr 6, 2016, 3:09:49 PM
to BigBlueButton-dev
Also, when I got the certificate from GoDaddy, I got two files, so I put both of them into my certificate file:

-rw-rw-r-- 1 rmoore rmoore  4795 Apr  6 08:22 gd_bundle-g2-g1.crt
-rw-rw-r-- 1 rmoore rmoore  1854 Apr  6 08:22 5b5b21cc2cea68fe.crt

Is this what I am supposed to do?

Chad Pilkey

Apr 6, 2016, 3:32:46 PM
to BigBlueButton-dev
I'm not 100%, but it might be using your old self-signed certificate because you added it with keytool. I've never used keytool myself though so I'm not sure what effect it actually has on your installation. My hypothesis is that the self-signed certificate is higher in priority so tomcat is trying to use that to validate.

I also noticed that your config.xml has your IP in it instead of your domain name. I think you will need to go into /var/www/bigbluebutton/client/conf/config.xml and replace all of the "166.62.100.114" with "tuberedu.ca". It's not a problem now, but it will be once you can actually get to the client loading part.
...

Roger

Apr 6, 2016, 4:18:01 PM
to BigBlueButton-dev
Thank you so much.  I had missed changing the IP address to my domain name in these files, so after updating it started working:

config.xml
bbb_api_conf.jsp
...
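
The two catalina.out messages in this thread come from the name check a Java TLS client runs on the host part of the URL it is configured with. The Python model below is an added example, not BigBlueButton or JDK code; the certificate contents and URLs are constructed, and it covers only the name check, not chain trust. It shows why replacing the IP address with the domain name in the configured URLs clears the exception.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed certificate descriptions (assumptions, not taken from the thread).
# san=None models a certificate with no SAN extension at all, e.g. an
# X.509 v1 certificate, which cannot carry extensions.
SELF_SIGNED_V1 = {"cn": "tuberedu.ca", "san": None}
CA_ISSUED = {"cn": "tuberedu.ca",
             "san": [("DNS", "tuberedu.ca"), ("DNS", "www.tuberedu.ca")]}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    # Simplified wildcard rule: "*" may stand for the whole left-most label only.
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def check_identity(url, cert):
    """Return (ok, message) for the host in `url` checked against `cert`."""
    host = urlsplit(url).hostname
    san = cert.get("san")
    if _is_ip(host):
        # An IP literal is compared only with iPAddress SAN entries, never the CN.
        if san is None:
            return False, "No subject alternative names present"
        want = ipaddress.ip_address(host)
        for kind, value in san:
            if kind == "IP" and ipaddress.ip_address(value) == want:
                return True, "ok"
        return False, f"No subject alternative names matching IP address {host} found"
    dns_names = [v for k, v in (san or []) if k == "DNS"]
    if dns_names:
        if any(_dns_match(n, host) for n in dns_names):
            return True, "ok"
        return False, f"No subject alternative DNS name matching {host} found."
    # The CN is consulted only when the certificate lists no dNSName entries.
    if _dns_match(cert["cn"], host):
        return True, "ok"
    return False, f"No name matching {host} found"


def audit(urls, cert):
    """Return {url: message} for every configured URL that fails the check."""
    failures = {}
    for url in urls:
        ok, message = check_identity(url, cert)
        if not ok:
            failures[url] = message
    return failures


if __name__ == "__main__":
    # Constructed stand-ins for the URLs set in config.xml / bbb_api_conf.jsp.
    configured = ["https://166.62.22.114/bigbluebutton/",
                  "https://tuberedu.ca/bigbluebutton/"]
    for name, cert in (("v1 self-signed", SELF_SIGNED_V1), ("CA-issued", CA_ISSUED)):
        for url, message in audit(configured, cert).items():
            print(f"{name}: {url}: {message}")
```
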

Rodji Swell

Mar 13, 2017, 11:40:02 AM
to BigBlueButton-dev
Had similar issue. Added intermediate certificates in .crt file of nginx. Just 

 cat subdomain.crt intermediate1.crt intermediate2.cer > /etc/nginx/ssl/subdomain.domain.crt

See bbb installation step "Configure nginx to use HTTPS": http://docs.bigbluebutton.org/install/install.html#configure-nginx-to-use-https
You don't need to add your domain certificate to Java key store. 

To check the list of root certificates in the Java key store, use the following command (default password 'changeit'):
 keytool -list -keystore /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts -storepass changeit

To check the chain from your certificate to the root certificate, I recommend adding all certificates (domain and intermediate certs) to the XCA tool and checking that the thumbprint of the root exists in the Java keystore.

On Wednesday, April 6, 2016 at 2:07:41 UTC+3, Mario Gasparoni Junior wrote: