Jitsi-meet: PKIX path building failed when I run jicofo.sh

Created on 28 Oct 2017 · 27 Comments · Source: jitsi/jitsi-meet

When I follow this step from the Server Installation for Jitsi Meet:

Run jicofo:

=======
unzip target/jicofo-{os-name}-1.0-SNAPSHOT.zip
cd jicofo-{os-name}-1.0-SNAPSHOT
./jicofo.sh --host=localhost --domain=jitsi.example.com --secret=YOURSECRET2 --user_domain=auth.jitsi.example.com --user_name=focus --user_password=YOURSECRET3

Then I get this error:

Jicofo 2017-10-28 22:42:06.108 INFO: [1] org.jitsi.xmpp.component.ComponentBase.loadConfig().202 Component org.jitsi.jicofo. config: 
Jicofo 2017-10-28 22:42:06.109 INFO: [1] org.jitsi.xmpp.component.ComponentBase.loadConfig().203   ping interval: 10000 ms
Jicofo 2017-10-28 22:42:06.109 INFO: [1] org.jitsi.xmpp.component.ComponentBase.loadConfig().204   ping timeout: 5000 ms
Jicofo 2017-10-28 22:42:06.109 INFO: [1] org.jitsi.xmpp.component.ComponentBase.loadConfig().205   ping threshold: 3
Jicofo 2017-10-28 22:42:06.640 SEVERE: [26] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1060)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:982)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:998)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:798)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:150)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1055)
        ... 3 more

Please help me to fix it.

All 27 comments

These instructions need an update.
You need to execute these commands:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst#L125
To generate a certificate for your auth.domain that is used by jicofo, make sure it is used for that virtual host in your prosody config and install this certificate as a trusted one on the system running jicofo.

This is all done automatically when using the debian packages and the quick-install method.

@damencho Thank you for your answer! I removed the previous version and installed jitsi using the quick-install instruction and it all worked perfectly.

@damencho I got the same error when I run jicofo.sh, and I followed your instructions, but it does not work. What should I do if I follow https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md ?
Thanks very much!

You need to make sure that the auth.jitsi.example.com domain in prosody is using a certificate with cn auth.jitsi.example.com and trusted on the jicofo machine.
This is done in the script that I had pasted earlier.

Still having trouble with this, used the quick install scripts on Ubuntu 17.10 and there still seems to be a problem with jicofo connecting to prosody with the same above errors. I've tried re-running the scripts and purging all configs and reinstalling. I've verified that the auth cert is being placed correctly and update-ca-certificates is running. Any ideas?

prosody log (debug level):

Jan 09 01:08:35 socket  debug   server.lua: accepted new client connection from 127.0.0.1:50216 to 5222
Jan 09 01:08:35 c2s55977e0e2c40 info    Client connected
Jan 09 01:08:35 c2s55977e0e2c40 debug   Client sent opening <stream:stream> to auth.xxxx.xxxx
Jan 09 01:08:35 c2s55977e0e2c40 debug   Sent reply <stream:stream> to client
Jan 09 01:08:35 c2s55977e0e2c40 debug   Received[c2s_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
Jan 09 01:08:35 socket  debug   server.lua: we need to do tls, but delaying until send buffer empty
Jan 09 01:08:35 c2s55977e0e2c40 debug   TLS negotiation started for c2s_unauthed...
Jan 09 01:08:35 socket  debug   server.lua: attempting to start tls on tcp{client}: 0x55977e0df778
Jan 09 01:08:35 socket  debug   server.lua: ssl handshake error: sslv3 alert certificate unknown
Jan 09 01:08:35 c2s55977e0e2c40 info    Client disconnected: ssl handshake failed
Jan 09 01:08:35 c2s55977e0e2c40 debug   Destroying session for (unknown) ((unknown)@auth.xxxx.xxxx): ssl handshake failed
Jan 09 01:08:35 socket  debug   server.lua: closed client handler and removed socket from list

jicofo -

Jicofo SEVERE: [26] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1060)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:982)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:998)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:798)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:150)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1055)
    ... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 19 more
Jicofo WARNING: [28] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:798)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:150)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1055)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:982)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:998)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 19 more

So I've faced a similar problem. It was that if you create a certificate for auth.X and you run update-ca-certificates, it is added correctly.
I think if you delete that cert and remove the links and you run update-ca-certificates again, it is not removed, but I'm not sure about that. I'm talking about the resulting certs that are used by java.
But if you generate a new certificate that overrides the old one and you run update-ca-certificates, it is still the old one in the java trusted certificates. I had found comments and a bug that was filed against their bug tracker.

The file that is used by java is /etc/ssl/certs/java/cacerts. You can try backing it up somewhere and running update-ca-certificates again; it should regenerate it with the correct values, if everything is fine in /usr/local/share/ca-certificates/.
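A way to check for the stale-entry case described above, added here as an example and not part of the thread or of the jitsi project: it compares the SHA-256 fingerprint of the auth certificate with the entries in Java's truststore and checks the certificate's CN. The function names, the `STOREPASS` variable and the default keystore password `changeit` are assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not jitsi project code). Checks whether the certificate
# generated for the auth domain is the one Java trusts on the jicofo host.

# Hex fingerprint from `openssl x509 -noout -fingerprint -sha256` output (stdin).
openssl_fp() { sed -n 's/^.*[Ff]ingerprint=//p' | tr 'a-f' 'A-F'; }

# Common name from `openssl x509 -noout -subject` output (stdin);
# handles both "CN = host, OU = x" and "/CN=host/OU=x" layouts.
subject_cn() { sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }

# `keytool -list -v` output (stdin) -> one "alias<TAB>SHA256" line per entry.
keystore_fps() {
  awk '/^Alias name: / { alias = substr($0, 13) }
       /SHA256: /      { print alias "\t" toupper($NF) }'
}

# Args: <cert fingerprint> <domain>; stdin: keystore_fps output.
# trusted = fingerprint is in the store; stale = an alias for the domain
# exists but holds a different certificate (the regenerated-cert case);
# missing = neither.
trust_state() {
  awk -F '\t' -v fp="$1" -v dom="$2" '
    $2 == fp                   { found = 1 }
    index($1, dom) && $2 != fp { stale = 1 }
    END { print (found ? "trusted" : (stale ? "stale" : "missing")) }'
}

# Constructed sample of `keytool -list -v` output, so the parsing can be
# exercised offline. Fingerprints are shortened placeholders.
sample_listing() {
  cat <<'EOF'
Alias name: debian:auth.jitsi.example.com.pem
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA1: 11:22:33
     SHA256: AA:BB:CC
Alias name: debian:some_public_ca.pem
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: DD:EE:FF
EOF
}

# Usage: check_trust <auth-domain> [cert-file] [keystore]
# Run on the machine where jicofo runs. STOREPASS defaults to "changeit"
# (assumption: the keystore still has the stock Java password).
check_trust() {
  domain=$1
  crt=${2:-/var/lib/prosody/$domain.crt}
  store=${3:-/etc/ssl/certs/java/cacerts}
  cn=$(openssl x509 -in "$crt" -noout -subject | subject_cn)
  fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 | openssl_fp)
  state=$(keytool -list -v -keystore "$store" -storepass "${STOREPASS:-changeit}" |
          keystore_fps | trust_state "$fp" "$domain")
  echo "CN=$cn (expected $domain); Java truststore: $state"
  [ "$cn" = "$domain" ] && [ "$state" = trusted ]
}

# Only touch the real system when a domain is given on the command line.
if [ "$#" -gt 0 ]; then check_trust "$@"; fi
```

A result of `stale` means the alias for the auth domain is present but still holds the previous certificate, so Java rejects the one prosody now serves.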

Purging all jitsi-meet packages and dependencies (java) won't help.
Any idea of what should be cleared to start over? :sweat_smile:

On a closer look,

By adding -Djavax.net.debug=SSL to JAVA_SYS_PROPS= on /etc/jitsi/jicofo/config

I got something like this:

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: [email protected], CN=auth.jitsi.domain.ltd, OU=host, O=isp.hostname
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
.....

So, the cert that is using is not issued by Let's Encrypt, but locally and was created on the (re-)install process.

Only the jitsi.domain.lts cert found at /etc/letsencrypt/live/ is valid, so using the
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh script won't create a valid SSL for auth.example.domain.ltd, is that the desired behavior?

I have tried to add the auth.example.domain.ltd cert to /etc/ssl/certs/java/cacerts (*buntu 16.04) having errors when updating.

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

org.debian.security.InvalidKeystorePasswordException: Cannot open Java keystore. Is the password correct?
    at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:68)
    at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:52)
    at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
    at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:66)
    ... 3 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.

My best guess is to delete the certs at /var/lib/prosody/, manually generate the auth certs and use a symlink from /etc/letsencrypt/live/ to /var/lib/prosody/

If it works, maybe that could be added to the LetsEncrypt script.
Wish me luck :smile:

No, the auth domain does not need a LetsEncrypt certificate; it is the desired behavior. It just needs a certificate that is trusted on the machine where jicofo is running.

So you tried removing /etc/ssl/certs/java/cacerts and running update-ca-certificates again? Did that help?

Finally got it working by using keytool to import the self signed cert (removing it didn't help, nor update-ca-certificates).
So happy! :sob: Thanks for the guidance, I did try with LetsEncrypt and pages and pages of errors on the logs. xD

I wonder. Do all the subdomains have to point to the actual server, or are they just locally recognized?

  • auth.yourjitsi
  • conference.yourjitsi
  • focus.yourjitsi
  • guest.yourjitsi
  • jitsi-videobridge.yourjitsi

I wasn't sure about it, so I did. :sweat_smile:

Nope, those are internal to prosody, jicofo, jvb, and jitsi-meet. All you need is a trusted certificate to the domain you enter in the browser, and that domain to be publicly available.

All you need is executing update-ca-certificates -f, no file removal is needed.

Yeah, I thought that by deleting it will force the rebuild of the certs.
Thanks again.

@damencho @Ark74
I still have the same problem.
I followed quickinstall.md,
my OS: Ubuntu 16.04.2.
Could you tell me how to resolve it?

@Ark74 you said

Finally got it working by using keytool to import the self signed cert (removing it didn't help, nor update-ca-certificates).

I want to know how you did it.

Thank you!!

Jicofo 2018-02-07 04:06:03.955 SEVERE: [23] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1060)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:982)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:998)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:798)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:150)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1055)
    ... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 19 more

Did you try running update-ca-certificates -f and restart jicofo, does this fix it?

If not, add your ssl cert to /etc/ssl/certs/java/cacerts using keytool.

That's how I solved it.

What was the complete command you used? I have tried several ways to add the ssl cert using keytool and I can't get it to work.

This is taken from my history, please check they match your case;

keytool -noprompt -keystore /etc/ssl/certs/java/cacerts -storepass yourpassword -importcert -alias wisvch -file /var/lib/prosody/auth.example.jitsi.com.crt

Cheers!

@damencho on a second test it worked. Thanks!

Hi @Ark74,
I ran into an issue similar to your case.
Could you tell me how to resolve it?
My activity is below.
Thanks,

----------------------------prosody server-------------------------------
prosodyctl cert generate meet24.covavi.vn
prosodyctl cert generate auth.meet24.covavi.vn

ln -sf /var/lib/prosody/meet24.covavi.vn.crt /usr/local/share/ca-certificates/meet24.covavi.vn.crt

ln -sf /var/lib/prosody/auth.meet24.covavi.vn.crt /usr/local/share/ca-certificates/auth.meet24.covavi.vn.crt
update-ca-certificates -f

---------------------------prosody /etc/hosts-------------------
root@ip-172-31-40-185:/var/log/jitsi# more /etc/hosts
127.0.0.1 localhost jitsi-videobridge.meet24.covavi.vn prosody.meet24.covavi.vn meet24.covavi.vn
172.31.32.245 jicofo.meet24.covavi.vn focus.meet24.covavi.vn auth.meet24.covavi.vn

----------------------------jicofo hosts-------------------------------------------
root@ip-172-31-32-245:/var/log/jitsi# more /etc/hosts
127.0.0.1 localhost jicofo.meet24.covavi.vn
172.31.40.185 jitsi-videobridge.meet24.covavi.vn prosody.meet24.covavi.vn auth.meet24.covavi.vn meet24.covavi.vn
-----------------------------------------prosody log -----------------------------------
Oct 06 17:03:09 c2s1d09790 info Client connected
Oct 06 17:03:09 c2s1d09790 info Client disconnected: ssl handshake failed
Oct 06 17:03:10 c2s21742a0 info Client connected
Oct 06 17:03:10 c2s21742a0 info Client disconnected: ssl handshake failed

--------------------------------------------jicofo log-----------------------------------------------
Jicofo 2018-10-06 17:04:05.207 WARNING: [93] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1067)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:994)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1010)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 19 more

The part with moving the certs and making them trusted is for jicofo. If you are running both on different machines, you need to transfer them to the jicofo server and execute the update command there.
There is also a config to disable this cert checking in case you are running in a controlled environment and this is not important.

Hi @damencho,
I copied the .crt file from the prosody server to the jicofo server and ran _update-ca-certificates -f_ on the jicofo server.
But jicofo still fails. Please review the information below, including the jicofo cert, jicofo config file, and jicofo log.
Thanks,
--------------------jicofo update ca cert result--------------------------
Adding debian:auth.meet24.covavi.vn.pem

Adding debian:focus.meet24.covavi.vn.pem

----------------------------my jicofo config---------------------------
root@ip-172-31-32-245:/etc/jitsi/jicofo# more config

# Jitsi Conference Focus settings

# sets the host name of the XMPP server
JICOFO_HOST=prosody.meet24.covavi.vn

# sets the XMPP domain (default: none)
JICOFO_HOSTNAME=meet24.covavi.vn

# sets the secret used to authenticate as an XMPP component
JICOFO_SECRET=ZBh@0QDk

# sets the port to use for the XMPP component connection
JICOFO_PORT=5347

# sets the XMPP domain name to use for XMPP user logins
JICOFO_AUTH_DOMAIN=auth.meet24.covavi.vn

# sets the username to use for XMPP user logins
JICOFO_AUTH_USER=focus

# sets the password to use for XMPP user logins
JICOFO_AUTH_PASSWORD=qa@r3mPt

JICOFO_AUTH_PASSWORD=QuyetNC

# extra options to pass to the jicofo daemon
JICOFO_OPTS=""

# adds java system props that are passed to jicofo (default are for home and logging config file)
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"
-------------------------------jicofo log---------------------------------
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 19 more

Having the same issue in an ubuntu 16.04.
I've seen that there was no /etc/ssl/certs/java/cacerts so I've installed

sudo apt-get install ca-certificates-java
sudo update-ca-certificates -f

Right now the /etc/ssl/certs/java/cacerts is there but error is still the same.

$ ll /var/lib/prosody/

-rw-r-----  1 prosody prosody  919 oct 24 23:37 auth.domain.cnf
-rw-r--r--  1 prosody prosody 1716 oct 24 23:37 auth.domain.crt
-r--------  1 prosody prosody 1679 oct 24 23:37 auth.domain.key
-rw-------  1 prosody prosody 1024 oct 24 23:37 .rnd
-rw-r-----  1 prosody prosody 1751 oct 25 21:59 domain.cnf
-rw-r-----  1 prosody prosody 2468 oct 25 21:59 domain.crt
-r--------  1 prosody prosody 1675 oct 25 21:59 domain.key

$ ll /usr/local/share/ca-certificates/

lrwxrwxrwx 1 root root   49 oct 24 23:37 auth.domain.crt -> /var/lib/prosody/auth.domain.crt
lrwxrwxrwx 1 root root   44 oct 25 23:36 domain.crt -> /var/lib/prosody/domain.crt

$ ll /etc/ssl/certs/ | grep domain

lrwxrwxrwx 1 root root     32 oct 25 23:49 3e24c727.0 -> auth.domain.pem
lrwxrwxrwx 1 root root     32 oct 25 23:49 95b29656.0 -> auth.domain.pem
lrwxrwxrwx 1 root root     65 oct 25 23:49 auth.domain.pem -> /usr/local/share/ca-certificates/auth.domain.crt
lrwxrwxrwx 1 root root     27 oct 25 23:49 bc3edbc1.0 -> domain.pem
lrwxrwxrwx 1 root root     27 oct 25 23:49 d4b59934.0 -> domain.pem
lrwxrwxrwx 1 root root     60 oct 25 23:49 domain.pem -> /usr/local/share/ca-certificates/domain.crt
Jicofo 2019-10-25 23:46:04.128 SEVERE: [16] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.doConnect().309 Failed to connect/login: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
    ... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 19 more
Jicofo 2019-10-25 23:46:04.146 WARNING: [18] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 19 more