BigBlueButton is an opportunity to create virtual rooms/classes, it is an opportunity to conduct meetings, training and other virtual meetings.

An excellent replacement for Zoom, Skype and other similar programs

In this article, the main goal is to deploy BigBlueButton within an organization’s network and organize a corporate service using its SSL certificates.

In all the articles that exist at the end of 2023, no one examined this issue and problems in detail, and free certificates from Let's Encrypt were most often used.

So, let's begin.

Let's decide that our server name will be

First step - get certificates

How were you given the certificates? Did you create them yourself, or were they given by the system administrator? But you must have at least two files *.crt and *.key, or one *.pfx

In the second case, you need to get crt and key from it

This is done like this:

openssl pkcs12 -in file.pfx -clcerts -nokeys -out bbb.crt

openssl pkcs12 -in file.pfx -nocerts -out key-encrypted.key

openssl rsa -in key-encrypted.key -out bbb.key

Let's place these two files in /etc/ssl/private

Step two - basic installation

Open the link and check/fulfill the requirements

Regarding the requirement of 16 GB of memory with swap enabled 8 CPU cores, with high single-thread performance

I want to say right away that the system will not start if the requirements of 16 GB of RAM and 4 CPU processors are not met.

During installation it will write "Your server needs to have (at least) 4 CPUs (8 recommended for production)."  Therefore it will work on 4 processors.

Please note that developers are very good at “tying” their software to the release of the operating system, so if you decide that you can install BigBlueButton 2.7 on Ubuntu other than version 20.04 (focal), be prepared to fix the library dependencies that will arise. 

Next, using the above link in the Pre-installation checks section , we check all other parameters and execute them.

Run the command in the OS terminal

wget -qO- | bash -s -- -w -v focal-270 -s -d -g


-s - host name. Type A record - must be present in your DNS server.

-d - means that we will use our SSL certificates

-g - install Greenlight. Web interface for working with BigBlueButton

After a short installation, we will receive a deployed package, which we can check with the command bbb-conf --checks

BigBlueButton Server 2.7.2 (492)

Kernel version: 5.4.0-166-generic

Distribution: Ubuntu 20.04.6 LTS (64-bit)

Memory: 16380 MB

CPU cores: 4


/etc/bigbluebutton/ (override for bbb-web)

/usr/share/bbb-web/WEB-INF/classes/ (bbb-web)


defaultGuestPolicy: ALWAYS_ACCEPT

defaultMeetingLayout: CUSTOM_LAYOUT


/etc/nginx/sites-available/bigbluebutton (nginx)


port: 80, [::]:80127.0.0.1:82 http2 proxy_protocol, [::1]:82 http2127.0.0.1:81 proxy_protocol, [::1]:81


/opt/freeswitch/etc/freeswitch/vars.xml (FreeSWITCH)





/opt/freeswitch/etc/freeswitch/sip_profiles/external.xml (FreeSWITCH)

ext-rtp-ip: $${local_ip_v4}

ext-sip-ip: $${local_ip_v4}




UDP port ranges


FreeSWITCH: 16384-24576

current: 24577-32768

bbb-webrtc-sfu: 24577-32768

bbb-webrtc-recorder: 24577-32768


/usr/local/bigbluebutton/core/scripts/bigbluebutton.yml (record and playback)


playback_protocol: https

ffmpeg: 4.2.7-0ubuntu0.1


/usr/share/bigbluebutton/nginx/sip.nginx (sip.nginx)


protocol: http


/usr/local/bigbluebutton/bbb-webrtc-sfu/config/default.yml (bbb-webrtc-sfu)

/etc/bigbluebutton/bbb-webrtc-sfu/production.yml (bbb-webrtc-sfu - override)




current.url: ws://


recordingAdapter : Current

recordScreenSharing: true

recordWebcams: true

codec_video_main: VP8

codec_video_content: VP8


/etc/bbb-webrtc-recorder/bbb-webrtc-recorder.yml (bbb-webrtc-recorder)

/etc/bigbluebutton/bbb-webrtc-recorder.yml (bbb-webrtc-recorder - override)

debug: false /var/lib/bbb-webrtc-recorder


/usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml (HTML5 client)

/etc/bigbluebutton/bbb-html5.yml (HTML5 client config override)

build: 201

kurentoUrl: wss://

defaultFullAudioBridge: fullaudio

defaultListenOnlyBridge: fullaudio

sipjsHackViaWs: true



# Potential problems described below

If there are no potential problems, then our first and main part is complete. You can open the site  and receive a system login prompt.

By the way, if the command was used when running the script

wget -qO- | bash -s -- -w -v focal-270 -s -e This email address is being protected from spambots. You need JavaScript enabled to view it. -g

using Let's Encrypt certificates, then our article would end there, since you would already have a fully functional BigBlueButton installed

But we have our own certificates. Note that the bbb-conf --check command does not give errors, we try to open the site 

If the site opens, we export the chain of root certificates to the server. Each certificate has one or more certification authorities, and it is their certificates that we need.

We upload/export them all from the browser to the server with the *.crt extension 

We place the root certificates in two folders /etc/ssl/certs and /usr/local/share/ca-certificates

Run update-ca-certificates and add root certificates to the list of trusted ones 

Let's see what is in the /etc/haproxy/certbundle.pem file, where our certificates should be located.

Restart BigBlueButton bbb-conf --restart 

Let's create an administrator user

docker exec greenlight-v3 bundle exec rake admin:create

User account was created successfully!

Name: Administrator

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Password: Administrator1!

Role: Administrator

Now we can register and create virtual rooms. And everything seems to be fine, but...

Step three. How to enter a created room

After creating a room, for some reason I can’t get inside.

The entry "The action can't be completed error" appears at the bottom.

And an error like this appears in the site console

main-7418853bb06c5bbc3addb59ce7bec97fe4ac85263776128f089ffa055ec709b6.js:10 POST 400

main-7418853bb06c5bbc3addb59ce7bec97fe4ac85263776128f089ffa055ec709b6.js:12 Error: Request failed with status code 400

The problem is that Greenlight does not know our root certificates and the SSL handshake does not work.

Moreover, BlueBigButton does not report errors using the bbb-conf --debug command , and only in the haproxy logs /var/log/haproxy.log you will see many errors when trying to enter the room

Nov 13 17:44:57 bbb haproxy[935]: [13/Nov/2023:17:44:57.790] nginx_or_turn/1: SSL handshake failure

Adding our corporate root certificates goes like this:

- When we installed BigBlueButton, the greenlight-v3 folder was created in the user’s folder

- Open it and create the mycerts folder

- Copy our certificates that we exported from the browser (with the crt extension) to this folder.

- edit the docker-compose.yml file and add the lines marked in red


version: '3'




image: postgres:14.6-alpine3.17

container_name: postgres

restart: unless-stopped


- ./data/postgres/14/database_data:/var/lib/postgresql/data


- POSTGRES_USER=postgres

- POSTGRES_PASSWORD=bf7c5fc72f9786be04d669f79b8d6d7b5f9fd6888b8c27ac



image: redis:6.2-alpine3.17

container_name: redis

restart: unless-stopped


- ./data/redis/database_data:/data


entrypoint: [bin/start]

image: bigbluebutton/greenlight:v3

container_name: greenlight-v3

restart: unless-stopped

env_file: .env




driver: journald


- ./data/greenlight-v3/storage:/usr/src/app/storage

- ./mycerts:/usr/local/share/ca-certificates


- postgres

- redis

Please note that you need to make changes in the  greenlight-v3 container and not in redis 

- save and run the installation again

wget -qO- | bash -s -- -w -v focal-270 -s -d -g

Yes Yes! Again... This is currently the only easy way to add root certificates to Greenlight

When installing again, the docker-compose.yml file does not change and all our changes are applied in the newly created image.

- activate our certificates

docker exec greenlight-v3 update-ca-certificates

- restart the bbb-conf service --restart

- enjoy the resulting effect.

We were able to enter a virtual room and can chat, invite friends, screencast, and so on.

Step four. Showing presentations.

After the initial joy, we will see that there is one problem.

Presentations are not shown. Neither default.pdf nor any other. How then should training be carried out?

You can, of course, broadcast the screen, but it’s probably worth fixing our problem.

Note that when we load our presentations into the room, in the logs /var/log/haproxy.log we again see SSL handshake failure

This means that something else is not seeing our root certificates.

To do this, we need to dive into reading syslog logs

Nov 13 11:17:35 bbb[24362]: 2023-11-13T08:17:35.364Z backend-2 [#033[31merror#033[39m] : No file found. Error: self signed certificate in certificate chain

Nov 13 11:17:35 bbb[24362]: 2023-11-13T08:17:35.371Z backend-2 [#033[31merror#033[39m] : No file found. Error: self signed certificate in certificate chain

Nov 13 11:17:35 bbb[24362]: 2023-11-13T08:17:35.382Z backend-2 [#033[31merror#033[39m] : Error parsing image size. Error: self signed certificate in certificate chain.

SSL root certificates are not seen by NODE.JS , so we can do this:

1. Edit /usr/share/meteor/bundle/main.js by adding process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0 at the beginning ;

2. bbb-conf --restart

This way we ignore SSL errors. Unfortunately, I couldn’t get meteor to read my root certificates, so here’s the way.

Now our system uses our SSL certificates, allows you to create and enter rooms, upload presentations and much more. But that is not all....

Step four. Recording webinars. 

Everything is fine with our system, but when recording webinars, they do not appear in the lists, although they are created.

when executing the  bbb-record --republish  command, we see in the logs  /var/log/bigbluebutton/post_process.log

[2023-11-14T16:56:30.044255 #13674] INFO -- : SSL_connect SYSCALL returned=5 errno=0 state=error: certificate verify failed

Solution - you need to fix the file  /usr/local/bigbluebutton/core/scripts/post_publish/post_publish_recording_ready_callback.rb

Add   the line highlighted in red

uri = URI.parse(callback_url)
http =, uri.port)
http.use_ssl = (uri.scheme == 'https')

http.verify_mode = OpenSSL::SSL::VERIFY_NONE"Sending request to #{uri.scheme}://#{}#{uri.request_uri}")
request =
request.set_form_data({ signed_parameters: payload_encoded })

response = http.request(request)


Here we also had to disable SSL verification.

And now that's it! We have a working full-fledged BigBlueButton system with our own certificates.

Additional Information

reading logs from docker images

docker logs -f greenlight-v3 (follows the logs)

Copyright © 2023 AbakBot-online calculators. All Right Reserved. Author by Dmitry Varlamov