Closed rfrederick closed 2 years ago
Same issue here on a slightly modified Jitsi Meet quick install on Ubuntu 20.04 devel.
The video calls work fine on Firefox Android or Chrome Android using the Desktop user agent.
However, using the Android Jitsi app is a no-go, the TLS connection to the TURNs server cannot be established and the packets dump shows a TLS Fatal Alert with message "Unknown CA".
Same here with coturn 4.5.1.1-1.1build2 on Ubuntu 20.04 LTS. cert= contains the full chain, including the RootCA (CN=T-TeleSec GlobalRoot Class 2).
Please see my comment in the related issue: https://github.com/jitsi/jitsi-meet/issues/6383#issuecomment-632659991
Should probably have posted it here instead, since this issue is more specific to LetsEncrypt but missed it in my search. Sorry for the confusion.
This issue isn't limited to the Android client, I am noticing the same behavior with the iOS client (Version 20.2.3 build 73 on iOS 13.5.0). Looking at Wireshark, the connection is closed with an "Unknown CA" alert message.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I wonder if this is all related to this issue in Chromium's libwebrtc stack - https://bugs.chromium.org/p/webrtc/issues/detail?id=11710 TL;DR: a limited subset of root CAs is supported (as required for Google services but not the world).
Right on the money.
FTR, we are going to replace the cert bundle that WebRTC ships with. Not a big deal, but it needs to be done.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Don't kill it, bot. It's Christmas! :) :christmas_tree:
(I copied my comment from https://github.com/coturn/coturn/issues/240 , in case you're interested.)
While we all wait for an official change/fix there is a sort-of workaround: Use ZeroSSL instead of LetsEncrypt.
ZeroSSL certificates are signed by a certificate which is also in the WebKit CA store. The Element app on Android is now working properly with coturn and TLS on my private server. No more "Unknown CA" error in Wireshark. :) ZeroSSL is also supported by quite a few ACME clients, so the switch really isn't too hard.
Thank you for your comment, SirCypher. I experienced the same, and I couldn't figure out why turns wasn't working. Switching the certificate to a ZeroSSL one worked.
I have the same problem but with a ZeroSSL certificate. The Android app just keeps aborting the connection :/
@equetzal you need to create a full chain out of your ZeroSSL certificate as below:
cat zero/certificate.crt zero/ca_bundle.crt > fullchain.pem
In addition, you need to be sure that your coturn certificate is the same as your Nginx certificate.
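The two checks in the comment above (the chain file must carry the leaf followed by its issuing CA certificates, and the certificate coturn serves must be the one you expect) can be exercised offline. The following script is an added example for this thread and is not code from the issue, from coturn or from Jitsi. It builds a constructed test PKI with openssl (root, intermediate and leaf; every CN and the hostname turn.example.invalid are placeholders), assembles fullchain.pem the same way as the `cat` line above, and then verifies the leaf twice: against a trust store that contains the root (accepted) and against one that does not (rejected, which is what a client like the mobile app reports as the "Unknown CA" alert). It also compares two PEM files by SHA-256 fingerprint, which is the check behind "coturn certificate equals Nginx certificate".

```shell
#!/bin/sh
# Added example for this thread (not code from the issue, coturn or Jitsi).
# Constructed test PKI: root -> intermediate -> leaf. All names are placeholders.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/pki.cnf"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config with one extension section per certificate role.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:turn.example.invalid
EOF

# Self-signed root CA: $1 = file basename, $2 = CN.
mk_root() {
  openssl req -x509 -config "$CFG" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Certificate issued by another one: $1 = basename, $2 = CN,
# $3 = issuer basename, $4 = extension section from the config above.
mk_signed() {
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$CFG" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

mk_root   root  "Example Test Root"                     # the CA the server chain ends at
mk_root   other "Unrelated Test Root"                   # a trust store that never heard of it
mk_signed int   "Example Test Intermediate" root int_ext
mk_signed leaf  "turn.example.invalid"      int  leaf_ext

# What "cat certificate.crt ca_bundle.crt > fullchain.pem" does: leaf first,
# then the issuing intermediate(s). This whole file is what coturn serves.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"

# Verify the leaf with $1 as the ONLY trusted root and fullchain.pem supplying
# the untrusted intermediates, as a client would. Prints ok / unknown-ca.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$WORK/fullchain.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown-ca
    return 1
  fi
}

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when two PEM files carry the same (first) certificate.
same_cert() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

echo "root trusted:     $(verify_chain "$WORK/root.pem")"            # ok
echo "root not trusted: $(verify_chain "$WORK/other.pem" || true)"   # unknown-ca
if same_cert "$WORK/leaf.pem" "$WORK/fullchain.pem"; then
  echo "leaf is the first cert of fullchain.pem: yes"
fi
if same_cert "$WORK/leaf.pem" "$WORK/int.pem"; then
  echo "leaf equals intermediate: yes"
else
  echo "leaf equals intermediate: no"
fi
```

To run the same fingerprint comparison against a live deployment, point `fingerprint` at the files referenced by coturn's `cert=` and by the Nginx `ssl_certificate` directive, or capture what the TURNS port actually serves with `openssl s_client -connect <turn-host>:5349 -showcerts </dev/null` and feed the first PEM block from that output to it. A chain that verifies here but is still rejected by the app points at the client's root store (the libwebrtc bundle discussed in this thread) rather than at the server configuration.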
Description
When the Jitsi Meet Android app attempts to connect via TURNS to a TURN server containing a Let's Encrypt certificate chain the app rejects the chain with a reason of "Unknown CA" in the Fatal TLS Alert packet. The same chain is accepted by Chrome and Firefox.
Current behavior
Android app rejects the chain of a Let's Encrypt server certificate and the "Let's Encrypt Authority X3" certificate (as generated by the "install-letsencrypt-cert.sh" script) when connecting to a TURN server via TURNS.
Expected Behavior
Android App would accept the Let's Encrypt certificate chain offered by the TURN server.
Possible Solution
Steps to reproduce
Environment details
New Jitsi Meet install using the quick install guide on an Ubuntu 18.04 system with a public IP address