[Bug] Chat bot unable to authenticate when External XMPP clients allowed to connect #268

Closed
dannekrose opened this issue Sep 27, 2023 · 19 comments · Fixed by #270

@dannekrose

dannekrose commented Sep 27, 2023

Describe the bug
Looking at the prosody logs after installing 8.0.0 and I see the following entries repeating.

Sep 26 20:18:16 c2s561d6ee4f7d0 warn All SASL mechanisms provided by authentication module 'peertubelivechat_bot' are forbidden on insecure connections (PLAIN)
Sep 26 20:18:16 c2s561d6ee4f7d0 info Client disconnected: no shared cipher
Sep 26 20:18:17 c2s561d6ee39310 info Client connected

To Reproduce
Steps to reproduce the behavior:

  1. Install 8.0.0
  2. Have "Enable connection to room using external XMPP accounts" option in livechat enabled.
  3. Have "Enable client to server connections" enabled.
  4. Enable bot
  5. See error logs and bot never joins the rooms (existing Live rooms - destroying the rooms and recreating doesn't resolve the issue)

Expected behavior
The bot would be able to authenticate and show up in the rooms

Screenshots
Logs only.

Server (please complete the following information):

  • OS version "Ubuntu 22.04.3 LTS"
  • Peertube version: 5.2.0
  • Peertube installation type Standard
  • peertube-plugin-livechat version: 8.0.0
  • Chat mode if relevant: Have enabled external XMPP client access

Plugin diagnostic:
If this is a server setup issue, please go to the plugin settings, click on «launch diagnostic», and copy/paste the result.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser Chrome
  • Version 117.0.5938.92 (Official Build) (64-bit)
  • Browser Vivaldi
  • Version 6.2.3105.51 (Stable channel) (64-bit)

Additional context
I tested by disabling external XMPP client access and can verify that the chatbot authenticates and shows up correctly.

However, for my instance, we use external connections to do moderation and a few other features (stickers via Movim to show up in the Live Stream overlays).

@dannekrose dannekrose changed the title [Bug?] Chat bot unable to authenticate when External XMPP clients allowed to connect [Bug] Chat bot unable to authenticate when External XMPP clients allowed to connect Sep 27, 2023
@JohnXLivingston JohnXLivingston added bug Something isn't working High priority labels Sep 27, 2023
@JohnXLivingston
Owner

Hi,

Do you still have some customization in your prosody.cfg file?

Can you copy/paste the full content of the diagnostic tool result?

In the meantime, if the bot still tries to connect, you can disable the feature by checking "Disable the advanced channel configuration and the chatbot" in the setting page.

@JohnXLivingston
Owner

Another question: have you checked the setting "Use system Prosody"? If so, can you try unchecking it?

@JohnXLivingston JohnXLivingston added this to the 2023-02 milestone Sep 27, 2023
@ChanoSan

I can confirm the same issue on my server, but with different settings. I do not have "Enable connection to room using external XMPP accounts" enabled, nor is "Enable client to server connections". I am fairly certain that I'm using the built-in Prosody (though the Diagnostic readout does confuse me with one element reading "Builtin Prosody and ConverseJS: KO". See Diagnostic output below).

Regardless of above, with Chat Bot enabled and set up, it never appears in my chatroom. Parsing prosody.log turns up the same error as OP:

Sep 27 09:07:01 c2s5569ad954af0	info	Client connected
Sep 27 09:07:01 c2s5569ad954af0	warn	All SASL mechanisms provided by authentication module 'peertubelivechat_bot' are forbidden on insecure connections (PLAIN)
Sep 27 09:07:01 c2s5569ad954af0	info	Client disconnected: no shared cipher

My server info is as follows:

  • OS: "Ubuntu 20.04.6 LTS"
  • PeerTube Version: 5.2.1
  • Peertube installation type Standard
  • peertube-plugin-livechat version: 8.0.1
  • Chat mode if relevant: All default settings, should be using built-in AppImage (but see Diagnostic output below).

Also, here is the contents of my Diagnostic output:

Diagnostic

    Starting tests: OK
    Browser: OK
    Backend connection: OK
    Test debug mode: OK
        Debug mode is OFF
    Webchat activated on videos: OK
        Chat will open automatically
        Displaying «open in new window» button
        Chat is enabled for all lives.
    Builtin Prosody and ConverseJS: KO
        The working dir is: /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody
        Prosody will run on port '52800'
        Prosody will use http://localhost:9000/plugins/livechat/8.0.1/router/api/ as base uri from api calls
        Prosody path will be '/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosodyAppImage/squashfs-root/AppRun'
        Prosody will be using the '/var/www/peertube/storage/plugins/node_modules/peertube-plugin-livechat/dist/server/prosody/livechat-prosody-x86_64.AppImage' AppImage
        Prosody AppImage extract path will be '/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosodyAppImage'
        Prosody modules path will be '/var/www/peertube/storage/plugins/node_modules/peertube-plugin-livechat/dist/server/prosody-modules'
        Prosody rooms will be grouped by 'video'.
        By default, room content will not be archived.
        Room content will be saved for '1w'
        The prosody configuration file (/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.cfg.lua) exists
        Prosody configuration file content is correct.
        Pid file /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.pid found
        Prosodyctl status: Prosody is running with PID 858
        The prosody configuration file (/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.cfg.lua) exists
        Prosody configuration file content is correct.
        Missing self signed certificates.

Additional debugging information
Current prosody configuration
daemonize = false;
allow_registration = false;
admins = {
};
prosody_user = "peertube";
pidfile = "/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.pid";
plugin_paths = {
  "/var/www/peertube/storage/plugins/node_modules/peertube-plugin-livechat/dist/server/prosody-modules";
};
data_path = "/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data";
storage = "internal";
modules_enabled = {
  "roster";
  "saslauth";
  "carbons";
  "version";
  "uptime";
  "ping";
  "posix";
  "disco";
  "net_multiplex";
  "s2s";
  "tls";
  "s2s_peertubelivechat";
  "websocket_s2s_peertubelivechat";
};
modules_disabled = {
};
consider_bosh_secure = true;
consider_websocket_secure = true;
certificates = "/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data";
c2s_require_encryption = false;
interfaces = {
  "127.0.0.1";
  "::1";
};
c2s_ports = {
};
c2s_interfaces = {
  "127.0.0.1";
  "::1";
};
s2s_ports = {
};
s2s_interfaces = {
};
ports = {
  "52800";
};
http_ports = {
};
http_interfaces = {
  "127.0.0.1";
  "::1";
};
https_ports = {
};
https_interfaces = {
  "127.0.0.1";
  "::1";
};
trusted_proxies = {
  "127.0.0.1";
  "::1";
};
c2s_close_timeout = 29;
s2s_secure_auth = false;
peertubelivechat_server_infos_path = "/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/serverInfos";
peertubelivechat_instance_url = "https://peertube.anon-kenkai.com";
websocket_s2s_ping_interval = 55;
s2s_peertubelivechat_no_outgoing_directs2s_to_peertube = true;
log = {
  info = "/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.log";
  error = "/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.err";

};



VirtualHost "peertube.anon-kenkai.com"
  authentication = "http";
  modules_enabled = {
  "ping";
  "http";
  "bosh";
  "websocket";
  "dialback";
  "vcard_peertubelivechat";
};
  http_auth_url = "http://localhost:9000/plugins/livechat/8.0.1/router/api/user";
  allow_anonymous_s2s = false;
  http_host = "peertube.anon-kenkai.com";
  http_external_url = "http://peertube.anon-kenkai.com";
  peertubelivechat_vcard_peertube_url = "http://localhost:9000";


VirtualHost "anon.peertube.anon-kenkai.com"
  authentication = "anonymous";
  modules_enabled = {
  "ping";
  "http";
  "bosh";
  "websocket";
  "random_vcard_peertubelivechat";
};
  allow_anonymous_s2s = false;
  http_host = "peertube.anon-kenkai.com";
  http_external_url = "http://peertube.anon-kenkai.com";
  peertubelivechat_random_vcard_avatars_path = "/var/www/peertube/storage/plugins/node_modules/peertube-plugin-livechat/dist/server/avatars";
  peertubelivechat_random_vcard_avatars_files = {
};


VirtualHost "bot.peertube.anon-kenkai.com"
  modules_enabled = {
  "ping";
  "random_vcard_peertubelivechat";
};
  authentication = "peertubelivechat_bot";
  peertubelivechat_random_vcard_avatars_path = "/var/www/peertube/storage/plugins/node_modules/peertube-plugin-livechat/dist/server/bot_avatars";
  peertubelivechat_random_vcard_avatars_files = {
  "1.jpg";
};
  livechat_bot_conf_folder = "/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/bot/room.peertube.anon-kenkai.com";


Component "room.peertube.anon-kenkai.com" "muc"
  admins = {
  "[email protected]";
};
  muc_room_locking = false;
  muc_tombstones = false;
  muc_room_default_language = "en";
  muc_room_default_public = false;
  muc_room_default_persistent = true;
  muc_room_default_members_only = false;
  muc_room_default_moderated = false;
  muc_room_default_public_jids = false;
  muc_room_default_change_subject = false;
  muc_room_default_history_length = 20;
  restrict_room_creation = false;
  http_host = "peertube.anon-kenkai.com";
  http_external_url = "http://peertube.anon-kenkai.com";
  modules_enabled = {
  "muc_http_defaults";
  "websocket_s2s_peertubelivechat";
  "dialback";
  "muc_mam";
  "muc_moderation";
  "http_peertubelivechat_list_rooms";
  "http_peertubelivechat_test";
};
  muc_create_api_url = {
  "http://localhost:9000/plugins/livechat/8.0.1/router/api/room?apikey=***APIKey***&jid={room.jid|jid_node}";
};
  muc_log_by_default = false;
  muc_log_presences = true;
  log_all_rooms = false;
  muc_log_expires_after = "1w";
  muc_log_cleanup_interval = 14400;
  peertubelivechat_list_rooms_apikey = "***APIKey***";
  peertubelivechat_test_apikey = "***APIKey***";
  peertubelivechat_test_peertube_api_url = "http://localhost:9000/plugins/livechat/8.0.1/router/api/test?apikey=***APIKey***";


Prosody version
Prosody 0.12.3

# Prosody directories
Data directory:     /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data
Config directory:   /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody
Source directory:   /usr/lib/prosody
Plugin directories:
  /var/lib/prosody/custom_plugins - not a directory!
  /var/www/peertube/storage/plugins/node_modules/peertube-plugin-livechat/dist/server/prosody-modules
  /usr/lib/prosody/modules/
  

# Operating system
Linux 5.15.0-56-generic	

# Lua environment
Lua version:             	Lua 5.2

Lua module search paths:
  /usr/lib/prosody/?.lua
  /usr/local/share/lua/5.2/?.lua
  /usr/local/share/lua/5.2/?/init.lua
  /usr/local/lib/lua/5.2/?.lua
  /usr/local/lib/lua/5.2/?/init.lua
  /usr/share/lua/5.2/?.lua
  /usr/share/lua/5.2/?/init.lua
  /var/lib/prosody/custom_plugins/share/lua/5.2/?.lua
  /var/lib/prosody/custom_plugins/share/lua/5.2/?/init.lua

Lua C module search paths:
  /usr/lib/prosody/?.so
  /usr/local/lib/lua/5.2/?.so
  /usr/lib/x86_64-linux-gnu/lua/5.2/?.so
  /usr/lib/lua/5.2/?.so
  /usr/local/lib/lua/5.2/loadall.so

LuaRocks:        	Not installed

# Network

Backend: epoll

# Lua module versions
LuaExpat:     	1.3.0
LuaFileSystem:	1.8.0
LuaSec:       	1.0
LuaSocket:    	3.0-rc1
luaunbound:   	0.5 (?)
readline:     	2.7

# library versions
libcrypto:    	OpenSSL 1.1.1n  15 Mar 2022
libunbound:   	1.13.1

@ChanoSan

> Could be related to Ubuntu. What is your NodeJS version?

v20.3.1

@JohnXLivingston
Owner

JohnXLivingston commented Sep 27, 2023

Maybe related to Ubuntu.
The "Missing self signed certificates." should not happen, and could explain.
Let me check, I'll come back in a minute.

(I think I already had a user that had an issue generating certificates on Ubuntu)

@JohnXLivingston
Owner

Could you check your Peertube's log: is there any log beginning with Spawned command cert?

@JohnXLivingston
Owner

JohnXLivingston commented Sep 27, 2023

Could you check your Peertube's log: is there any log beginning with Spawned command cert?

You can also check if these files exist:

/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.crt
/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.key

If not, you can try to generate them using (and respond "y" to all questions):

sudo -u peertube /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosodyAppImage/squashfs-root/AppRun prosodyctl \
  --config /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.cfg.lua \
  cert generate peertube.anon-kenkai.com

If this displays any error, let me know.

@ChanoSan

No instances of "Spawned command cert" in PeerTube logs when I looked. Neither the .crt nor the .key file were present in the .../prosody/data/ directory.

Here's the output from the command:

Choose key size (2048): 2048
There was a problem, see OpenSSL output
/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.cnf exists, do you want to replace it? [y/n] y

/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.cnf backed up to /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.cnf.bkp~2023-09-27T09:01:14
Please provide details to include in the certificate config file.
Leave the field empty to use the default value or '.' to exclude the field.
countryName (GB): .
localityName (The Internet): 
organizationName (Your Organisation): 
organizationalUnitName (XMPP Department): 
commonName (peertube.anon-kenkai.com): 
emailAddress ([email protected]): 

Config written to /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.cnf
There was a problem, see OpenSSL output

I assume OpenSSL error log might have more details, I'll try to find where those are.

@JohnXLivingston
Owner

> I assume OpenSSL error log might have more details, I'll try to find where those are.

Yes. I'm surprised that they are not printed in the console.

@JohnXLivingston
Owner

@ChanoSan , is openssl installed on your server? (as required by Peertube: https://docs.joinpeertube.org/support/doc/dependencies#debian-ubuntu-and-derivatives , point "6. Install common dependencies")

@ChanoSan

I have all dependencies installed. OpenSSL is quite definitely installed on the server.
As for "see OpenSSL output", I honestly have no idea where I should be looking at this point...

@JohnXLivingston
Owner

> I have all dependencies installed. OpenSSL is quite definitely installed on the server. As for "see OpenSSL output", I honestly have no idea where I should be looking at this point...

You can try this:

cd /tmp && sudo -u peertube openssl req -new -x509 -newkey rsa:2048 -nodes -keyout test.key -days 365 -sha256 -out test.crt -utf8 -subj /CN=peertube.anon-kenkai.com

This should create 2 certificate files: /tmp/test.key and /tmp/test.crt

If this works, I will update the plugin to use it when prosodyctl fails.

@ChanoSan

I can confirm this worked:

Generating a RSA private key
...............+++++
..............................................................................................................+++++
writing new private key to 'test.key'
-----

Both "test.key" and "test.crt" are in the /tmp folder

@JohnXLivingston
Owner

> Both "test.key" and "test.crt" are in the /tmp folder

Ok good news.
You can try the following procedure. If it works, I will update the plugin to do the same:

mv /tmp/test.key /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.key
mv /tmp/test.crt /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/data/peertube.anon-kenkai.com.crt

Then restart Peertube.
If you don't want to restart Peertube, you can also try uninstalling and re-installing the plugin (nothing will be lost)

@ChanoSan

Confirmed for fixed. Moving the files as directed and restarting peertube resulted in expected behavior. Peertube chat plugin diagnostic confirms certs are okay. Errors no longer appearing in PeerTube logs, and the bot is present in the chatroom.

Thanks very much, and hopefully OP can benefit from the fix when updated.

@JohnXLivingston
Owner

> Confirmed for fixed. Moving the files as directed and restarting peertube resulted in expected behavior. Peertube chat plugin diagnostic confirms certs are okay. Errors no longer appearing in PeerTube logs, and the bot is present in the chatroom.
>
> Thanks very much, and hopefully OP can benefit from the fix when updated.

Good news. I will release a v8.0.2, and wait for @dannekrose to confirm it fixes the original issue.

JohnXLivingston added a commit that referenced this issue Sep 27, 2023
* On some Ubuntu servers, the self-signed certificates generation fails:
  * See [issue #268](#268)
  * This prevents the bot from connecting to the server
  * As a fallback, we directly call openssl to generate the certificates
@JohnXLivingston JohnXLivingston linked a pull request Sep 27, 2023 that will close this issue
@JohnXLivingston
Owner

JohnXLivingston commented Sep 27, 2023

Fix done. Plugin v8.0.2 released.

If you don't want to wait for this version to be indexed by Peertube, you can do this:

sudo -u peertube psql peertube_prod
update "plugin" set "latestVersion" = '8.0.2' where "plugin"."name" = 'livechat';

Then go in the admin web interface, to update the plugin.

@dannekrose , if this does not fix your issue, you can reopen the issue.

Thanks @ChanoSan for the debugging, it helped a lot.

@JohnXLivingston
Owner

@dannekrose , can you confirm it fixes your issues?

@dannekrose
Author

Thank you for the fix! Yes, it did, but I had to disable the externally generated certs that I was using and instead clear the "certs" path from the settings. After I cleared those, it works as expected even with external clients!

Thank you so much!
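
The log signature reported in this thread (PLAIN withheld because the c2s stream is unencrypted, followed by a "no shared cipher" disconnect on the same session) can be triaged with the script below. It is an added example, not part of the plugin or of any comment above. The sample log is constructed from the lines quoted in the issue, `example.org` is a placeholder host, and the `<host>.crt` / `<host>.key` naming in the Prosody data directory follows the file paths given in the thread.

```python
import re
from pathlib import Path

# Constructed sample, modelled on the Prosody log lines quoted in this issue.
SAMPLE_LOG = """\
Sep 26 20:18:16 c2s561d6ee4f7d0 info Client connected
Sep 26 20:18:16 c2s561d6ee4f7d0 warn All SASL mechanisms provided by authentication module 'peertubelivechat_bot' are forbidden on insecure connections (PLAIN)
Sep 26 20:18:16 c2s561d6ee4f7d0 info Client disconnected: no shared cipher
Sep 26 20:18:17 c2s561d6ee39310 info Client connected
Sep 26 20:18:19 c2s561d6ee39310 info Client disconnected: connection closed
"""

# "<timestamp> <session id> <level> <message>", separated by spaces or tabs.
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+(\w+)\s+(.*)$")
SASL_RE = re.compile(
    r"All SASL mechanisms provided by authentication module '([^']+)' "
    r"are forbidden on insecure connections \(([^)]*)\)"
)


def find_refused_auth(log_text):
    """Return one finding per session where every SASL mechanism was withheld
    because the stream was not encrypted. 'tls_handshake_failed' is set when
    the same session later disconnects with 'no shared cipher'."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, session, _level, msg = m.groups()
        sasl = SASL_RE.search(msg)
        if sasl:
            findings[session] = {
                "session": session,
                "first_seen": when,
                "auth_module": sasl.group(1),
                "mechanisms": [x.strip() for x in sasl.group(2).split(",")],
                "tls_handshake_failed": False,
            }
        elif session in findings and "no shared cipher" in msg:
            findings[session]["tls_handshake_failed"] = True
    return list(findings.values())


def missing_cert_files(data_dir, host):
    """List the certificate/key files Prosody would need for `host` that are
    absent from `data_dir` (naming taken from the paths in this thread)."""
    paths = [Path(data_dir) / f"{host}.crt", Path(data_dir) / f"{host}.key"]
    return [str(p) for p in paths if not p.is_file()]


if __name__ == "__main__":
    for f in find_refused_auth(SAMPLE_LOG):
        print(f"{f['first_seen']} {f['session']}: {f['auth_module']} could not "
              f"offer {f['mechanisms']}; TLS failed: {f['tls_handshake_failed']}")
    # Placeholder directory and host; point these at the real data directory.
    print("missing:", missing_cert_files("/tmp/prosody-data", "example.org"))
```

A finding with `tls_handshake_failed` set, combined with a non-empty result from `missing_cert_files`, matches the situation diagnosed above: the certificate was never generated, so TLS could not be negotiated and PLAIN was never offered.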
