local bbb,local certificate


Анзор Автарханов

Aug 8, 2022, 7:26:40 AM
to BigBlueButton-Setup
Hello, I really need help. I installed BBB 2.4.9 using a self-signed certificate issued by my local CA, and I am using BBB in a local environment. I went through many forums and articles looking for solutions, and some problems I managed to solve. Since I am installing BBB for the first time, I don't quite understand how and where it checks certificates, so I have 2 questions:
1. In which way and how does BBB check the intermediate and CA certificates?
2. What other types of solutions can there be for this problem?

ERROR: [c480030d-97d0-46ba-9efc-a6c1810076b4] [172.19.0.1] BigBlueButtonException: Connection error. Your URL is probably incorrect: "https://example.domain.com/bigbluebutton/api". Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate), messageKey: IncorrectUrlError

Анзор Автарханов

Aug 8, 2022, 7:32:06 AM
to BigBlueButton-Setup

This is the output after
docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check
warning: parser/current is loading parser/ruby27, which recognizes 2.7.6-compliant syntax, but you are running 2.7.5.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.

Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

Other checks and logs do not show errors, or I don't know where to check further (
On Monday, August 8, 2022 at 17:26:40 UTC+6, Анзор Автарханов wrote:

Jean Pluzo

Aug 8, 2022, 9:33:01 AM
to BigBlueButton-Setup
Hi,

usually, if you use your own certificate (or in this case your local CA), there should be a "chain". The way it works is:
cert. for your server -> local CA -> perhaps another CA -> root CA
Can you see how many "BEGIN CERTIFICATE" and "END CERTIFICATE" rows are in your certificate file? This should be a .pem file and could contain from 1 to many "BEGIN..." and "END..." rows.
Also, do you know for sure if your local CA has another CA "up the ladder", like yet another CA?
And, just for info, could you post the exact parameters you put after the bbb-install.sh script?

Regards

J.

Анзор Автарханов

Aug 9, 2022, 1:44:35 AM
to BigBlueButton-Setup
I know how to build a certification chain and didn’t quite understand it. Could you first explain how BBB checks certificates and where my certificates are configured, like this:
server_tokens off;

server {
  listen 80;
  listen [::]:80;
  server_name  example.domain.com;

  return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS

}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name example.domain.com;

    ssl_certificate /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384$
    ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;
    ssl_trusted_certificate /etc/nginx/ssl/cert-ca.crt;
    # HSTS (comment out to enable)
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

To install the CA certificate I used this article: https://github.com/bigbluebutton/greenlight/issues/1305

My install:
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v bionic-240 -s example.domain.com -d  -a -g

Or did I do something wrong with the .pem?
On Monday, August 8, 2022 at 19:33:01 UTC+6, juanlope...@gmail.com wrote:

Jean Pluzo

Aug 9, 2022, 7:01:07 AM
to BigBlueButton-Setup
Hi,
sorry, I don't understand your first sentence: "I know how to build a certification chain and didn’t quite understand it".
BBB checks if the certificate chain is configured correctly. First it checks your server cert (the one at the top in the example.crt file from your example). Afterwards it checks the following cert(s) to see if the "chain" (that is, the next root cert) can be completed and validated all the way to a so-called root cert. This root cert should've been issued by the topmost trusted CA.
Your certificates (server cert + needed chain cert(s)) should be bundled together in the example.crt file.
Furthermore, to decipher the certs you need a so-called private key (example.key in your example). This should've been either generated by yourself when you made the cert signing request (CSR) or perhaps it was automatically generated when you requested your cert.
And as a last step, you should have also generated the dhp-4096.pem file. Too long to explain here, but this file is also important.
So you have the cert file (server cert + chain cert(s)), the private key, and the dhp file. You should put these files in a directory of your choosing (in the example above /etc/nginx/ssl/) and set the right permissions (usually 744 or perhaps something more restrictive like 700).
Your bbb-install.sh script seems fine.
Are you trying to bind the cert to Greenlight?
Are you setting up BBB as a docker container?

Regards,

J.

Анзор Автарханов

Aug 10, 2022, 3:45:46 AM
to BigBlueButton-Setup
Thanks for the answer.
1. Yes, I install for
2. Yes, I use a docker container.
I solved the problem; everything turned out to be easier than it seems. I put the root certificate in /usr/local/share/ca-certificates/cert-ca.pem and BBB started working.

On Tuesday, August 9, 2022 at 17:01:07 UTC+6, juanlope...@gmail.com wrote:
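An added example (not part of the thread and not Greenlight's code) of the two situations that produce "unable to get local issuer certificate" and the one that verifies, written in Ruby because the error text in the thread comes from Ruby's OpenSSL binding. The CA names and throwaway keys are constructed for the example; example.domain.com is the placeholder host used in the thread.

```ruby
require "openssl"

# Issue a certificate for a throwaway PKI (constructed for this example).
def issue(cn, issuer = nil, issuer_key = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

ROOT, ROOT_KEY = issue("Example Local Root CA", ca: true)
INTER, INTER_KEY = issue("Example Local Issuing CA", ROOT, ROOT_KEY, ca: true)
LEAF = issue("example.domain.com", INTER, INTER_KEY).first

# Split a PEM bundle (the file nginx's ssl_certificate points at), server cert first.
def split_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Verify as a TLS client does: `presented` is what the server sends,
# `trust_store` is the set of CA certificates installed on the client.
def verify_as_client(presented, trust_store)
  store = OpenSSL::X509::Store.new
  trust_store.each { |ca| store.add_cert(ca) }
  leaf, *intermediates = presented
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  ok = ctx.verify
  { ok: ok, code: ctx.error, reason: ctx.error_string }
end

BUNDLE = split_bundle(LEAF.to_pem + INTER.to_pem) # server cert + chain cert

def scenarios
  { client_lacks_root:  verify_as_client(BUNDLE, []),
    bundle_lacks_chain: verify_as_client([LEAF], [ROOT]),
    chain_and_root_ok:  verify_as_client(BUNDLE, [ROOT]) }
end
scenarios.each { |name, r| puts "#{name}: #{r[:reason]}" }
```

nginx sends clients only the certificates in the ssl_certificate file; the file named by ssl_trusted_certificate is not sent, so the root CA still has to be present in the trust store of the client making the API call.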

Santosh Kumar

Aug 16, 2022, 3:11:29 AM
to BigBlueButton-Setup
Hello, I installed BigBlueButton 2.5, but it is giving an error during installation. Please help me to install.
When I install BigBlueButton 2.5, I face this issue:
bbb-config : Depends: bbb-html5 but it is not installed && bbb-pads : Depends: bbb-web but it is not installed

OLDPWD=/home
_=/usr/bin/env
'universe' distribution component is already enabled for all sources.
Warning: apt-key output should not be parsed (stdout is not a terminal)
Warning: apt-key output should not be parsed (stdout is not a terminal)
Warning: apt-key output should not be parsed (stdout is not a terminal)
deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse
Warning: apt-key output should not be parsed (stdout is not a terminal)
/usr/bin/docker
11-jre-buster: Pulling from library/openjdk
Digest: sha256:569ba9252ddd693a29d39e8163123481f308eb6d529827a40c93710444e42160
Status: Image is up to date for openjdk:11-jre-buster
update-alternatives: error: no alternatives for jaotc
update-alternatives: error: no alternatives for jar
update-alternatives: error: no alternatives for jarsigner
update-alternatives: error: no alternatives for javac
update-alternatives: error: no alternatives for javadoc
update-alternatives: error: no alternatives for javap
update-alternatives: error: no alternatives for jcmd
update-alternatives: error: no alternatives for jconsole
update-alternatives: error: no alternatives for jdb
update-alternatives: error: no alternatives for jdeprscan
update-alternatives: error: no alternatives for jdeps
update-alternatives: error: no alternatives for jfr
update-alternatives: error: no alternatives for jhsdb
update-alternatives: error: no alternatives for jimage
update-alternatives: error: no alternatives for jinfo
update-alternatives: error: no alternatives for jlink
update-alternatives: error: no alternatives for jmap
update-alternatives: error: no alternatives for jmod
update-alternatives: error: no alternatives for jps
update-alternatives: error: no alternatives for jrunscript
update-alternatives: error: no alternatives for jshell
update-alternatives: error: no alternatives for jstack
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:5 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:7 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 InRelease
Hit:8 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 Release
Hit:9 https://ubuntu.bigbluebutton.org/focal-250 bigbluebutton-focal InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
bbb-config : Depends: bbb-html5 but it is not installed
bbb-pads : Depends: bbb-web but it is not installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
************************************************************
**********************************************************
root@ip-172-31-2-13:/# ^C
