Rocket Chat part 3: Installing Jitsi with JWT for secure video conferencing

Photo by John Baker on Unsplash

In part 2, I talked about how to set up Rocket Chat on Digital Ocean. Now we want to set up Jitsi so we have an integrated video conferencing solution within Rocket Chat.

Some background first. Jitsi is a secure, open-source video conferencing solution. It is currently owned by 8x8. Jitsi uses standard WebRTC, which means no client software is required beyond a modern web browser.

You can use their free offering at meet.jit.si right within Rocket Chat without any setup. However, I do things the hard way, so we want to set up Jitsi to run on our own server.

Before we start, you need to have a domain or subdomain that you plan to host Jitsi on. You need to have DNS access to the name and the corresponding SSL certificate.

First, go ahead and set up a basic Ubuntu server on your favorite cloud provider. You can follow my 3-part series on how to set up a basic server with a proper firewall.

Next, we need to set up a DNS A record and download our SSL certificate from the domain provider.

For example, if we want to host Jitsi at https://jitsi.companya.com, go to the DNS settings for companya.com.

Add an A record to the DNS Setting:


Replace 1.2.3.4 with the IP address for your droplet. While at the domain configuration, download the SSL certificate (with any intermediate certificate) and the private key.

SSH into the server. We need to add one more rule to the firewall, for the UDP port range Jitsi's media bridge uses. (I am assuming you followed my 3-part tutorial so the basics are set.)

sudo ufw allow in 10000:20000/udp

Before installing Jitsi, we need to install the latest Prosody.

echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get install prosody

It takes a few minutes. Once Prosody is installed, we need to copy our SSL certificate to the right location before installing jitsi-meet.

You should have at least 2 files for your SSL certificate. One or more for certificates and one for the private key.

Open the files in a text editor and you should see the following:

-----BEGIN CERTIFICATE-----
d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
RFYgVExTIENBIC0gRzEwHhcNMjAwMzIxMDAwMDAwWhcNMjEwMzIxMTIwMDAwWjAX
...
aWNlcnQuY29tL0NQUzAIBgZngQwBAgEwgYAGCCsGAQUFBwEBBHQwcjAkBggrBgEF
-----END CERTIFICATE-----

Your Private key should look like this:

-----BEGIN RSA PRIVATE KEY-----
WhYsY/KdAc4Jm+F2ejNOsP6+AoEh2cIIl44WciKDJiuWmNfn4Br7oKIFeWiqzXNh
...
OcSOb3aexMXMYsNms+6ohDBw8HwamOSMwIyzLzZcvhl98kcUz8ivKv4JvUcFuY8L
-----END RSA PRIVATE KEY-----

If you have an intermediate certificate, you need to combine the two certificates into a single file.

<Main Cert>
<Intermediate Cert>

So your file should look something like:

-----BEGIN CERTIFICATE-----
d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
RFYgVExTIENBIC0gRzEwHhcNMjAwMzIxMDAwMDAwWhcNMjEwMzIxMTIwMDAwWjAX
...
aWNlcnQuY29tL0NQUzAIBgZngQwBAgEwgYAGCCsGAQUFBwEBBHQwcjAkBggrBgEF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
sl7m9scOygAAAXD+2f60AAAEAwBHMEUCIQDAIUHE/pXQReb3xIhzRV1jaTNbPxop
...
kyMIvB024DelLwIgWfXdLg/PA8VNss4ZSBSknzDc9LsLOoX6s5xNqsjYObYwDQYJ
KoZIhvcNAQELBQADggEBAAfutg6yFPla9BZBZoNAlu8kE00T00n8ckfKk7gPKRZ6
-----END CERTIFICATE-----

Save the files as [domain name].crt and [domain name].key. These two files need to make their way to the server. Since they are text files, one simple way is to just copy-and-paste the content. Copy them into the following paths:

/etc/ssl/jitsi.companya.com.crt
/etc/ssl/jitsi.companya.com.key

Now continue to install jitsi-meet. Adding the key and the repository file needs root, so use sudo here the same way as for Prosody.

wget https://download.jitsi.org/jitsi-key.gpg.key
sudo apt-key add jitsi-key.gpg.key
echo 'deb https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list
sudo apt-get update
sudo apt-get -y install jitsi-meet

The install script should ask for your SSL certificate location. The default location should match what we have set up above.

At this point, Jitsi is done. You can test it on https://jitsi.companya.com

You can start using it. However, your server is not protected so anyone can start meetings on your server. We will lock it down with JWT next.

Before we continue, make sure your Jitsi server is currently running fine. Make sure you can start a call with another party. Next, decide your APP_ID and APP_SECRET. You can use the following to generate a random string.

hexdump -n 16 -e '4/4 "%08X" 1 "\n"' /dev/urandom

APP_ID does not have to be secret; I will just pick the first 5 characters from the random string.

Generate a second one for your app secret.

Keep them handy. You will need to copy them during the next installation.

The jitsi-meet-tokens package is supposed to install everything. However, there is some version conflict that makes the installation tricky. The following is what I found to be the “Cleanest” way to install. Cleanest is in quotes because it is still not clean. Leave me a comment if you find a better way to install it.

sudo apt-get install luarocks libssl1.0-dev liblua5.2-dev
sudo luarocks install luacrypto
sudo apt-get install jitsi-meet-tokens
sudo apt-get purge jitsi-meet-tokens

Yes, you will purge jitsi-meet-tokens right after you install it. We will install again. This time you will see it install more packages.

sudo apt-get install jitsi-meet-tokens

We are still not done. There is currently a version conflict for lua-cjson. We need to downgrade the package.

sudo luarocks remove --force lua-cjson
sudo luarocks install lua-cjson 2.0.0-1 # Ignore the warning

Now we are done.

Let’s go through some troubleshooting to make sure the installation did what it is supposed to do.

cd /etc/prosody/conf.avail

You should see a lua file called [your domain name].cfg.lua

Look inside that file. You should see something like the following:

VirtualHost "jitsi.companya.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="<your app id>"
    app_secret="<your app secret>"

Down in the component section, you should see the “token_verification” line not commented out.

Component "conference.jitsi.companya.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }

Next, take a look at

/var/log/prosody/prosody.log

Make sure you don’t see a big block of exceptions. If you do, you need to fix the packages based on the exceptions you got.
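The config checks above (authentication switched to "token", real app_id/app_secret, token_verification not commented out) can be scripted so you are not eyeballing the file. This is an added example, not part of the post or of the jitsi-meet-tokens package; the config text is a constructed sample in the shape the post shows, and the parser is a deliberately minimal reader of that shape, not a full Lua parser.

```python
import re

# Constructed sample of /etc/prosody/conf.avail/<domain>.cfg.lua, trimmed to the
# pieces the post tells you to inspect; not copied from a real server.
SAMPLE_CFG = """\
VirtualHost "jitsi.companya.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    app_id="A1B2C"
    app_secret="constructed-app-secret-replace-me"

Component "conference.jitsi.companya.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
"""

def parse_prosody_cfg(text):
    """Line-based reader for the parts of the config the post cares about:
    {block_name: {key: value, "modules_enabled": [...]}} per VirtualHost/Component.
    '--' comments are stripped first, so a commented-out line never counts."""
    blocks, cur, in_list = {}, None, False
    for raw in text.splitlines():
        line = raw.split("--", 1)[0].strip()
        if not line:
            continue
        head = re.match(r'^(VirtualHost|Component)\s+"([^"]+)"', line)
        if head:
            cur, in_list = head.group(2), False
            blocks[cur] = {"modules_enabled": []}
        elif cur is None:
            continue
        elif in_list or line.startswith("modules_enabled"):
            body = line if in_list else line.split("{", 1)[-1]
            blocks[cur]["modules_enabled"] += re.findall(r'"([^"]+)"', body)
            in_list = "}" not in line
        else:
            kv = re.match(r'^(\w+)\s*=\s*"([^"]*)"', line)
            if kv:
                blocks[cur][kv.group(1)] = kv.group(2)
    return blocks

def check_token_auth(text, host):
    """The three things the post says to confirm, plus a check that the
    package's "<your app secret>" placeholder was actually replaced."""
    b = parse_prosody_cfg(text)
    vh, muc = b.get(host, {}), b.get("conference." + host, {})
    secret = vh.get("app_secret", "")
    return {
        "token_auth": vh.get("authentication") == "token",
        "credentials_set": bool(vh.get("app_id")) and bool(secret) and not secret.startswith("<"),
        "token_verification": "token_verification" in muc.get("modules_enabled", []),
    }
```

Run it against the real file with `check_token_auth(open("/etc/prosody/conf.avail/jitsi.companya.com.cfg.lua").read(), "jitsi.companya.com")`; any False is the thing to fix before testing a token.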

If all is good, let’s test the JWT connection.

At this point, if you go to https://jitsi.companya.com, the front page will still be there. However, a username/password box should appear if you try to start a meeting.


We have never set up any username and password, so there is no way to log in. That is exactly what we want. Our server should only allow JWT authentication.

Let’s hop over to jwt.io and generate a JWT token.

The minimum token should look like the following:

{
"alg": "HS256",
"typ": "JWT"
}
{
"aud": "jitsi",
"iss": "<your app id>",
"sub": "jitsi.companya.com",
"room": "*"
}

Make sure you use the correct App ID and paste the App Secret in the Verify Signature section.
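The same token can be produced and checked from code instead of jwt.io. This is an added Python example (not from the post): `make_jitsi_jwt` signs the header and claims shown above with HS256 using the app secret, and `verify_jitsi_jwt` is my model of what the server side should reject (wrong secret, edited claims, wrong room, expired token); it is an assumption about the token plugin's checks, not Prosody's code. APP_ID, APP_SECRET and the host name are constructed sample values; an exp claim is added on top of the post's minimum token so a token copied out of a URL does not work forever.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample credentials; real ones come from the post's hexdump command.
APP_ID, APP_SECRET, HOST = "A1B2C", "constructed-app-secret-replace-me", "jitsi.companya.com"

def generate_app_credentials():
    """Short public APP_ID and long private APP_SECRET, same idea as the hexdump line."""
    return secrets.token_hex(16).upper()[:5], secrets.token_hex(32)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jitsi_jwt(app_id, app_secret, host, room="*", ttl=3600, now=None):
    """HS256 token with the claims from the post (aud/iss/sub/room) plus iat/exp,
    so a token that leaks from a meeting URL stops working after ttl seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": "jitsi", "iss": app_id, "sub": host, "room": room, "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jitsi_jwt(token, app_id, app_secret, host, room, now=None):
    """Model of the checks applied to ?jwt=... (assumption, not Prosody's code).
    Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(app_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")  # wrong secret, or claims edited after signing
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not pick its own algorithm
    claims = json.loads(_b64url_decode(p))
    if (claims.get("aud"), claims.get("iss"), claims.get("sub")) != ("jitsi", app_id, host):
        raise ValueError("claims do not match this deployment")
    if claims.get("room") not in ("*", room):
        raise ValueError("token not valid for this room")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def meeting_url(host, room, token):
    return f"https://{host}/{room}?jwt={token}"  # what the post has you type into the address bar
```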


Copy the generated JWT token on the left.

Now go back to your jitsi page: https://jitsi.companya.com and start a new meeting. You will again see a login box.

At the address bar, after the meeting name, add:

?jwt=<the jwt token>

Make sure you paste in the entire token. Hit enter, and your meeting should start.

If you receive an Authentication Error, go back to the last section and look at the Prosody log file, /var/log/prosody/prosody.log.

Now Jitsi is done and secured. The final step is to integrate it into Rocket Chat.

Go to your Rocket Chat Administrative console. Click on Video Conference.


Put in your


Save and that should be it. Now you can start video calls with anyone within Rocket Chat.

Written by

Angel investor. Tech CEO. Startup Coach. CEO@Zerion Software, Coach@HK-PCC and Tech Educator@Berthold Academy. More @ www.szewong.com
