-
Notifications
You must be signed in to change notification settings - Fork 730
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Let’s Encrypt certificates for TURNS are rejected #1533
Comments
I believe this is a security issue! |
Our friends over a Jitsi seem to have a similar problem. (issue, discussion) |
yeah, same here: unknown CA |
facing the same issue has anyone got a solution yet? |
i'm having the same problem. synapse and coturn are both set up to use turns. when i try to make a call from element android app to another android app on a different network the turnserver logs look like this:
when i switch the turn_uris to begin with turn: instead of turns: it works flawlessly from any device to any device (phone to app, app to phone, all over different networks). as soon as tls is used with the android app it does not work anymore. this seems to be a real problem as there are more than one discussions about it on github and other sites. coturn has access to the certs, which are let's encrypt certs, as many others described. this may be off topic, but there's also a problem with the android app where you cannot verify anything if your first login after account creation is made with the android app. had to use desktop/web app to do the first login, after that all works as expected. would be really great if somebody could solve this, or point to a solution or potential upcoming fix. thanks. edit: is it possible that this is the same problem we are seeing here? quote of the final post on that page:
|
It seems that what was mentioned in my previous post is correct. I switched to ZeroSSL certificates as replacements for Let's Encrypt certificates, and without any other change, Element Android was immediately able to connect voice and video calls using turns across different networks. So the problem is indeed that for some reason, maybe that webrtc library having an incomplete list of trusted CAs as mentioned above, Element Android does not accept Let's Encrypt certificates. The Jitsi devs have an open ticket where they stated that for now they will add Let's Encrypt to the webrtc-lib's trusted ca list. Maybe someone could do the same for Element Android? |
Can confirm using ZeroSSL certs with coturn is a workaround to avoid having to fallback to no SSL. Just make sure you combine your cert + ca bundle into a fullchain for coturn, though. |
thanks for confirming the workaround works asimons04. now is there anything we can do to make the devs aware of the problem and possible solution? i tried email contact but they couldn't help, from what i understand they do not give support for self hosting. |
fwiw the issue eventually comes down to this https://bugs.chromium.org/p/webrtc/issues/detail?id=11710 which is part of the webrtc dependency. |
Note that this issue affects matrix.org's TURN server too, which makes sense given that it uses a Let's Encrypt certificate. From my testing, this issue prevents calls to connect if all of the following conditions are met:
Under these conditions, not only did calls between users on my own homeserver fail (which uses a Let's Encrypt cert for its TURN server), but calls between matrix.org accounts failed to connect, as well. |
* Warn against using Let's Encrypt certs for encrypted TURN This helps to avoid client-side issues: * element-hq/element-android#1533 * element-hq/element-ios#2712 Signed-off-by: Andrew Ferrazzutti <[email protected]>
Nice catch, and a comment is suggesting that users of the library should not use their truststore at all: https://bugs.chromium.org/p/webrtc/issues/detail?id=11710#c11 |
An alternative to ZeroSSL is also the Namecheap PositiveSSL certificate - https://www.namecheap.com/security/ssl-certificates/comodo/positivessl/. Tried it out and it works. |
I just had a WebRTC call via matrix and by looking at the remote candidates (my buddy was using element android) it seems that letsencrypt certificates work. My own coturn server which offers TURNS, started to show up as a remote candidate with both IPv4 and IPv6 addresses. The call was built in the end with my Librewolf using my TURN server, that talked to directly his IPv6 address. Call quality was good. Can someone confirm? |
I can confirm. Just tried it and first one mobile could start calls, the other not, but after signing out (make sure you have a key backup) and logging in again it worked on that mobile, too. We tested with or without VPN and mobile data or WIFI:
|
Sounds good. Now the only question remains, what's the underlying cause of it suddenly working? Is something in LetsEncrypt's cross-signers changed or is this a security hole? |
Could just mean that google finally got around to fixing the WebRTC inbuilt certs. |
I can confirm the problem is still here for me. I self host synapse and coturn, and I use Letsencrypt certificate. I do not want to use another certificate provider. Thanks |
Hello, Tested between element web and element android with this following synapse config and it looks like working correctly turn_uris: [ "turns:matrix.domain.tld:<port>", "turns:matrix.domain.tld:<alt_port>" ] Checked with wireshark and I saw a DTLS negotiation so I think it's working with let's encrypt. So I think the issue is fixed. |
@Josue-T: |
can confirm im.vector.app works with turns tcp |
With |
I still have the problem with For people who managed to make it work, are you sure you are using TURNS with Let's Encrypt, behind a NAT ? |
I too think this issue is now resolved. This is what I have in my NixOS config: coturn = {
enable = true;
use-auth-secret = true;
static-auth-secret-file = config.age.secrets.coturnStaticAuthSecret.path;
realm = coturnRealm;
no-cli = true;
secure-stun = true;
cert = "${config.security.acme.certs."${coturnRealm}".directory}/fullchain.pem";
pkey = "${config.security.acme.certs."${coturnRealm}".directory}/key.pem";
};
matrix-synapse = {
enable = true;
extraConfigFiles = [ config.age.secrets.coturnStaticAuthSecretForSynapse.path ];
settings = {
// Bunch of other stuff.
turn_uris = [ "turns:${coturnRealm}?transport=udp" "turns:${coturnRealm}?transport=tcp" ];
turn_allow_guests = false;
};
}; I and spouse use Element for Android and iOS respectively, and we are able to call each other. |
I tried dev 0.23 build from https://buildkite.com/matrix-dot-org/riotx-android/builds/2964
It has the same TURNS error reported previously, here and here. The coturn is checked it with is 4.5.1.2.
The coturn config looks like so,
The text was updated successfully, but these errors were encountered: