Android App Rejects Let's Encrypt Chain on TURNS Connection #5589
Comments
Same issue here on a slightly modified Jitsi Meet quick install on Ubuntu 20.04 devel. The video calls work fine on Firefox Android or Chrome Android using the Desktop user agent. However, using the Android Jitsi app is a no-go: the TLS connection to the TURNS server cannot be established, and the packet dump shows a TLS Fatal Alert with message "Unknown CA".
Same here with coturn 4.5.1.1-1.1build2 on Ubuntu 20.04 LTS.
Please see my comment in the related issue: #6383 (comment). I should probably have posted it here instead, since this issue is more specific to Let's Encrypt, but I missed it in my search. Sorry for the confusion.
This issue isn't limited to the Android client; I am noticing the same behavior with the iOS client (Version 20.2.3 build 73 on iOS 13.5.0). Looking at Wireshark, the connection is closed with an "Unknown CA" alert message.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I wonder if this is all related to this issue in Chromium's libwebrtc stack: https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
Right on the money.
FTR, we are going to replace the cert bundle that WebRTC ships with. Not a big deal, but it needs to be done.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Don't kill it, bot. It's Christmas! :) 🎄
(I copied my comment from coturn/coturn#240, in case you're interested.) While we all wait for an official change/fix there is a sort-of workaround: ZeroSSL certificates are signed by a certificate which is also in the webkit CA store. The Element app on Android is now working properly with coturn and TLS on my private server. No more "Unknown CA" error in Wireshark. :)
Thank you for your comment, SirCypher. I experienced the same, and I couldn't figure out why turns wasn't working. Switching the certificate to a ZeroSSL one worked.
I have the same problem but with a ZeroSSL certificate. The Android app just keeps aborting the connection :/
@equetzal you need to create a full chain out of your ZeroSSL certificate as below:
In addition, you need to be sure that your coturn certificate is the same as your Nginx certificate.
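The "full chain" advice above and the "Unknown CA" alert in the issue description come down to two distinct failure modes that look identical on the wire: the TURN server presents only the leaf certificate (coturn's cert= pointing at cert.pem rather than fullchain.pem), or the server presents a correct chain but the client's trust store does not contain the root (the WebRTC bundled CA store discussed later in the thread). The script below is an added example, not code from this thread, coturn or Jitsi; it builds a constructed three-certificate chain with the openssl CLI (1.1.1 or 3.x assumed), then emulates a client's verification for each case. The hostname turn.example and all certificate names are made up.

```shell
#!/bin/sh
# Added example (not from the issue thread or the coturn/Jitsi projects).
# Builds a constructed chain root -> intermediate -> leaf and shows how a
# TLS client verdict changes depending on what the server presents and
# what the client trusts. Requires only the openssl CLI.
set -eu

# Create root, intermediate and leaf certificates in directory $1.
make_demo_chain() {
  dir="$1"
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
CN = Demo Root CA
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the certificate a client must already trust.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$dir/req.cnf" -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA, signed by the root (must carry basicConstraints CA:TRUE).
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int_ext.cnf"
  openssl x509 -req -sha256 -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/int_ext.cnf" -out "$dir/int.pem" >/dev/null 2>&1
  # Leaf for the (made-up) TURN host, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=turn.example" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:turn.example\n' > "$dir/leaf_ext.cnf"
  openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/leaf_ext.cnf" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# True when certificate $1 was issued by certificate $2
# (issuer DN of the child equals subject DN of the parent).
issued_by() {
  child=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  parent=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  [ "$child" = "$parent" ]
}

# Emulate a TLS client. $1 = trust store PEM ("" means an empty store),
# $2 = the chain file as the server presents it (leaf first, then intermediates).
# The first certificate in $2 is the one verified; the rest are untrusted helpers,
# exactly as a TLS client treats the server's Certificate message.
# Sets VERIFY_OUTPUT to openssl's verdict and returns 0 only on "OK".
client_verify() {
  if [ -n "$1" ]; then
    VERIFY_OUTPUT=$(openssl verify -CAfile "$1" -no-CApath -untrusted "$2" "$2" 2>&1) || true
  else
    VERIFY_OUTPUT=$(openssl verify -no-CAfile -no-CApath -untrusted "$2" "$2" 2>&1) || true
  fi
  case "$VERIFY_OUTPUT" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

report() {  # $1 = label, $2 = trust store, $3 = presented chain
  if client_verify "$2" "$3"; then
    echo "$1: accepted"
  else
    echo "$1: rejected ($VERIFY_OUTPUT)"
  fi
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_chain "$DEMO"
# What coturn's cert= file should contain: the leaf followed by the intermediate.
cat "$DEMO/leaf.pem" "$DEMO/int.pem" > "$DEMO/fullchain.pem"

report "leaf only, root trusted" "$DEMO/root.pem" "$DEMO/leaf.pem"
report "leaf + intermediate, root trusted" "$DEMO/root.pem" "$DEMO/fullchain.pem"
report "leaf + intermediate, root not in client store" "" "$DEMO/fullchain.pem"
```

The first case is the server-side misconfiguration the comment above fixes by building a full chain; the third is what remains when the server is correct but the client ships a CA bundle without the issuing root, which is why swapping to a certificate chained to a root the client already has (the ZeroSSL workaround) changes the outcome without touching the server configuration. Against a live deployment, `openssl s_client -connect turn.example:5349 -showcerts` shows which of the two situations applies.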
Connections from Android to a TURN server with Let's Encrypt certificates fail with error: TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA). This is the same issue as jitsi/jitsi-meet#5589. This remark will hopefully save other people some trouble.
Please see #6383 (comment)
Description
When the Jitsi Meet Android app attempts to connect via TURNS to a TURN server containing a Let's Encrypt certificate chain the app rejects the chain with a reason of "Unknown CA" in the Fatal TLS Alert packet. The same chain is accepted by Chrome and Firefox.
Current behavior
Android app rejects the chain of a Let's Encrypt server certificate and the "Let's Encrypt Authority X3" certificate (as generated by the "install-letsencrypt-cert.sh" script) when connecting to a TURN server via TURNS.
Expected Behavior
Android App would accept the Let's Encrypt certificate chain offered by the TURN server.
Possible Solution
Steps to reproduce
Environment details
New Jitsi Meet install using the quick install guide on an Ubuntu 18.04 system with a public IP address