Client issue when login to JAMS

Hello,

I am trying to test JAMS and Jami in order to have a private network, and try to understand in depth this solution.

I have installed JAMS in a Debian VM in a public cloud with the default JDK (17), behind a reverse proxy (Caddy, which does Let's Encrypt natively). I have coturn installed on the same host. OpenDHT will be installed later; I keep the jami.net DHT nodes for now. I have completed the setup with a local database, created a blueprint, then a group, and a few users for testing.

The JAMS works great at this point.

When a client comes to connect to JAMS, it seems to connect (green dot on the account), but a few seconds later I get an orange dot and a warning: “Aucune connexion au réseau n’est possible”

When a client (Windows desktop or Android) comes to log in to my JAMS instance, I see the device calling https:///api/auth/device, with a positive response containing the certificate and the configuration for the client. Sounds good.

Then, the client calls https:///api/login with a strangely empty JSON payload: “{}”. JAMS responds with an HTTP 401 with {“error”:“Invalid credentials provided!”}.

Have you ever seen that behaviour? How could I track it down to fix it?

Thanks for your pointers and help

Hello,

Did you try to connect to JAMS without your reverse proxy? If it works without the reverse proxy, it means that the JAMS server itself works fine.

We never tested caddy as a reverse proxy for JAMS. We recommend using NGINX as a reverse proxy.

When we set up JAMS behind an NGINX reverse proxy that manages Let’s Encrypt, we must add these options to the NGINX configuration AFTER the initial setup of JAMS:

ssl_client_certificate /opt/jams/CA.pem;
ssl_verify_client optional;

Here /opt/jams/CA.pem is NOT the Let’s encrypt certificate but the Certificate Authority generated by JAMS during the initial setup.

Hello,

Thanks for your reply.
Yes, I have tried without the reverse proxy (direct connection to 8080, without HTTPS).
As far as I can see, I do not feel this is a proxy issue. Caddy really self-manages Let's Encrypt, and yes, the CA.pem (the CA used for generating device certs) was added after the JAMS setup.

Just to note, here is my Caddy config file, if someone wishes to use it:

myjams.mydomain.com {
    # forward everything to JAMS, which listens on plain HTTP on localhost
    reverse_proxy /* http://localhost:8080

    log {
      output file /var/log/caddy/caddy.log
      level INFO
    }

    # Let's Encrypt is handled automatically; the e-mail is used for the ACME account.
    # Client certificate verification (device certs issued by the JAMS CA) is optional,
    # the same as nginx's "ssl_verify_client optional".
    tls mymail@mycorp.com {
      client_auth {
        mode verify_if_given
        trusted_ca_cert_file /opt/jams/CA.pem
      }
    }
}

This is quite equivalent to the proposed nginx config. Caddy generates and manages the Let's Encrypt certificates on its own without additions.
Since the client/server perform the call to /api/auth/device with what seems to be a valid response with certificates and configuration, I guess I have hit a client-side issue rather than a proxy issue or some bad configuration.

If I got it right, the setup works without the caddy proxy?

I have exactly the same issue with or without the reverse proxy.
The reverse proxy doesn’t change anything.

When you start JAMS you should pass a certificate and the private key as arguments on the command line, for instance:

# the -agentlib:jdwp=... option only attaches a remote Java debugger listener (port 5002, all interfaces); it is not needed to run JAMS
/usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5002 -jar /opt/jams/jams-launcher.jar 443 server.pem server.key

In your setup, which certificate & key files did you pass as arguments to JAMS?

Do any of the following help:

  1. JAMS Manual
  2. JAMS Admin Guide
  3. JAMS Client Guide

Hi,

Thanks again for your support and help.
Since I use a reverse proxy in front of JAMS, it is started as a service, without server.pem and server.key:

[Unit]
Description=JAMS Service
After=network.target

[Service]
ExecStart=/usr/bin/java -jar /opt/jams/jams-launcher.jar 8080
WorkingDirectory=/opt/jams
Restart=always
User=jams

[Install]
WantedBy=multi-user.target

Are these SSL certificates mandatory? From the code in jami-jams\jams-server\src\main\java\net\jami\jams\server\core\TomcatLauncher.java, and the documentation (Jams Documentation | Jami Store), I guessed not. Am I wrong?

Kind regards

Yes, certificates are mandatory. In the Jams documentation:

"4. Navigate to the directory where you have extracted the JAMS package and execute the following command:

java -jar jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY

SSL_CERTIFICATE The location of the PEM-formatted SSL Certificate file
SSL_CERTIFICATE_KEY The location of the PEM-formatted key file which is used with the SSL Certificate file from above

"

Hi,
Thanks for your answers.
I now use certbot to generate the certificate and key:

certbot certonly --standalone  --agree-tos -d myjams.domain.com --register-unsafely-without-email -n

I then copied the certificate and private key from /etc/letsencrypt/live/… to the JAMS installation folder to make them available to the application. JAMS is started with the cert and key:

java -jar jams-launcher.jar 443 cert.pem privkey.pem

And the reverse proxy is removed: JAMS is directly exposed to internet on HTTPS.

When accessing JAMS from the web browser, it works fine, the HTTPS certificate is fully valid.

Now, when a client connects, I have an SSL issue (logs from the Jami client side, Jami.exe -d):

[1738316116.886|8116] [http:request:8] connect begin: X.X.X.X:443
[1738316116.888|8116] adding 63 decoded certs to X509 store
[1738316116.890|8116] [connection:8] start https session with system CA
[1738316116.938|8116] [connection:8] verify myjams.domain.com compliance to RFC 2818:
/CN=myjams.domain.com
[1738316116.939|8116] [http::connection:8] ssl verification error=20 false
[1738316116.941|8116] [connection:8] verify handshake error: 20
[1738316116.942|8116] [http:request:8] handshake error: certificate verify failed (SSL routines, tls_process_server_certificate)
[1738316116.942|8116] [http:request:8] end with error: Une requête d’envoi ou de réception de données n’a pas été autorisée car le socket n’est pas connecté et (lors de l’envoi sur un socket datagramme en utilisant un appel sendto) aucune adresse n’a été fournie.

Even if Let's Encrypt is a well-known certificate and registered in my Windows certificate store, it seems that Jami does not find the CA.

Would the CA have to be added to a specific store? Or is there a trick on the JAMS cert.pem, which should contain the full chain in a specific order?

Also, regarding the documentation :
https://docs.jami.net/en_US/jams/admin.html#jams-and-nginx
Since JAMS requires the HTTPS certificates, how do I set up a reverse proxy in front of JAMS?
The nginx conf example calls JAMS over HTTP, not HTTPS.

Thanks

Obviously we’ll need to update the documentation with a nginx.conf + backend with https example.

It is better to symlink “cert.pem” to the full-chain certificate to avoid these Jami client SSL errors.

# ls -l /opt/jams/server.pem 
lrwxrwxrwx 1 root root 70 Sep  9 02:05 /opt/jams/server.pem -> /etc/letsencrypt/archive/your.domain.name/fullchain1.pem
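The "ssl verification error=20" in the client log above is OpenSSL's "unable to get local issuer certificate": the server handed the client only the leaf certificate (certbot's cert.pem), and the client, trusting only the root, could not bridge the gap to the Let's Encrypt intermediate. The script below is an added example, not code from the thread or from the Jami project: it builds a throwaway root → intermediate → leaf PKI with the openssl CLI (all names, such as "Example Root CA" and myjams.domain.com, are constructed), then validates a leaf-only file and a full-chain file the way a client would, modelling "the certificates the server presents during the handshake" with openssl verify's -untrusted option. The leaf-only file reproduces error 20; the full-chain file verifies. Only the openssl command-line tool is assumed to be present.

```shell
#!/bin/sh
# Added example (not from the thread or the Jami project): reproduce the Jami
# client's "ssl verification error=20" with a local throwaway PKI, then show
# that serving the full chain (leaf + intermediate) fixes it.
# Requires only the openssl CLI. Every name below is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a toy three-tier PKI: root CA -> intermediate CA -> leaf for the JAMS host.
# This mirrors Let's Encrypt's layout: root, intermediate, your certificate.
make_pki() {
  # root CA: self-signed, CA:TRUE
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
  # intermediate CA, signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
    -out "$WORK/int.pem" 2>/dev/null
  # leaf for the (constructed) JAMS hostname, signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=myjams.domain.com" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myjams.domain.com\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" 2>/dev/null
  # What certbot names cert.pem (leaf only) versus fullchain.pem (leaf + intermediate).
  cp "$WORK/leaf.pem" "$WORK/cert.pem"
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# chain_length FILE: how many certificates the server would hand to clients
# if it were started with this file (JAMS sends the whole PEM file it is given).
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/$1"
}

# verify_as_client FILE: validate the first certificate in FILE the way a
# client that trusts only the root would. The rest of FILE plays the role of
# the intermediates received in the handshake (-untrusted); nothing else is
# available to fill a gap, exactly like a Jami client with a bare system store.
# Prints "OK" or "error N" (N being OpenSSL's X509 verify error code).
verify_as_client() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1" "$WORK/$1" >/dev/null 2>&1; then
    echo "OK"
  else
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1" "$WORK/$1" 2>&1 \
      | grep -o 'error [0-9][0-9]*' | head -n1
  fi
}

# demo: print the verdict for both files, e.g.
#   cert.pem       1 cert(s): error 20
#   fullchain.pem  2 cert(s): OK
demo() {
  make_pki
  for f in cert.pem fullchain.pem; do
    printf '%-14s %s cert(s): %s\n' "$f" "$(chain_length "$f")" "$(verify_as_client "$f")"
  done
}

# Run the demo when executed directly: sh check_chain.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The same `openssl verify -CAfile <root> -untrusted <file> <file>` check can be run against the real server.pem before restarting JAMS: if it only passes once the file is the fullchain, the leaf-only file is the cause of the client's error 20, and the symlink to fullchain1.pem shown above is the right fix.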

If someone visits https://jami.biz/jams-user-guide, can it please redirect to https://docs.jami.net/jams/?

Obviously we’ll need to update the documentation with a nginx.conf + backend with https example.

Can the documentation update please be done at https://docs.jami.net/jams/?

Thank you

Thanks for all your pointers! My JAMS instance is running like a charm!

Are you able to download the source file format ODT at:

https://docs.jami.net/en_US/jams/index.html#download-jams-manual

Can you please update the document with the missing information using LibreOffice and upload the improvement here?

This can help future JAMS users also have their JAMS instances running like a charm!

Thank you
