Let's look at installing a service for creating and managing virtual classrooms based on the BigBlueButton software.
BigBlueButton makes it possible to create virtual rooms/classes and to hold meetings, training sessions and other virtual events.
It is an excellent replacement for Zoom, Skype and similar programs.
The main goal of this article is to deploy BigBlueButton inside an organisation's network and set up a corporate service that uses the organisation's own SSL certificates.
In the articles that existed at the end of 2023, nobody examined this task and its problems in detail; free certificates from Let's Encrypt were used most of the time.
So, let's begin.
Let's assume that our server name will be bbb.domain.com.
First step - get certificates
How you obtained the certificates (whether you generated them yourself or received them from the system administrator) does not matter, but you must end up with either two files, *.crt and *.key, or a single *.pfx.
In the second case you need to extract the crt and the key from the pfx.
This is done like this (the second command asks for the pfx password and writes a passphrase-protected key; the third one strips that passphrase):
openssl pkcs12 -in file.pfx -clcerts -nokeys -out bbb.crt
openssl pkcs12 -in file.pfx -nocerts -out key-encrypted.key
openssl rsa -in key-encrypted.key -out bbb.key
Let's place these two files in /etc/ssl/private
Step two - basic installation
Open the link and check/fulfill the requirements https://docs.bigbluebutton.org/administration/install
Regarding the requirement of 16 GB of memory with swap enabled and 8 CPU cores with high single-thread performance:
I want to say right away that the installation will not start unless the system has at least 16 GB of RAM and 4 CPUs.
During installation it prints "Your server needs to have (at least) 4 CPUs (8 recommended for production)." So it will run on 4 processors.
Please note that the developers tie their software very tightly to a particular release of the operating system, so if you decide to install BigBlueButton 2.7 on an Ubuntu other than version 20.04 (focal), be prepared to fix the library dependency problems that will arise.
Next, using the Pre-installation checks section at the link above, we verify all the other parameters and carry them out.
Run the command in the OS terminal
wget -qO- https://raw.githubusercontent.com/bigbluebutton/bbb-install/v2.7.x-release/bbb-install.sh | bash -s -- -w -v focal-270 -s bbb.domain.com -d -g
Where
-w - install the UFW firewall
-v focal-270 - the version to install (BigBlueButton 2.7 on Ubuntu 20.04 focal)
-s bbb.domain.com - the host name; an A record for it must be present in your DNS server
-d - means that we will use our own SSL certificates
-g - install Greenlight, the web interface for working with BigBlueButton
After a short installation we get a deployed package, which we can check with the command bbb-conf --check
BigBlueButton Server 2.7.2 (492)
Kernel version: 5.4.0-166-generic
Distribution: Ubuntu 20.04.6 LTS (64-bit)
Memory: 16380 MB
CPU cores: 4
/etc/bigbluebutton/bbb-web.properties (override for bbb-web)
/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties (bbb-web)
bigbluebutton.web.serverURL: https://bbb.example.com
defaultGuestPolicy: ALWAYS_ACCEPT
defaultMeetingLayout: CUSTOM_LAYOUT
/etc/nginx/sites-available/bigbluebutton (nginx)
server_name: bbb.example.com
port: 80, [::]:80
127.0.0.1:82 http2 proxy_protocol, [::1]:82 http2
127.0.0.1:81 proxy_protocol, [::1]:81
/opt/freeswitch/etc/freeswitch/vars.xml (FreeSWITCH)
local_ip_v4: 172.11.88.148
external_rtp_ip: 172.11.88.148
external_sip_ip: 172.11.88.148
/opt/freeswitch/etc/freeswitch/sip_profiles/external.xml (FreeSWITCH)
ext-rtp-ip: $${local_ip_v4}
ext-sip-ip: $${local_ip_v4}
ws-binding: 172.11.88.148:5066
wss-binding: 172.11.88.148:7443
UDP port ranges
FreeSWITCH: 16384-24576
current: 24577-32768
bbb-webrtc-sfu: 24577-32768
bbb-webrtc-recorder: 24577-32768
/usr/local/bigbluebutton/core/scripts/bigbluebutton.yml (record and playback)
playback_host: bbb.example.com
playback_protocol: https
ffmpeg: 4.2.7-0ubuntu0.1
/usr/share/bigbluebutton/nginx/sip.nginx (sip.nginx)
proxy_pass: 172.11.88.148
protocol: http
/usr/local/bigbluebutton/bbb-webrtc-sfu/config/default.yml (bbb-webrtc-sfu)
/etc/bigbluebutton/bbb-webrtc-sfu/production.yml (bbb-webrtc-sfu - override)
mediasoup.webrtc.*.announcedIp: 172.11.88.148
mediasoup.plainRtp.*.announcedIp: 172.11.88.148
current.ip: 172.11.88.148
current.url: ws://127.0.0.1:8888/current
freeswitch.sip_ip: 172.11.88.148
recordingAdapter : Current
recordScreenSharing: true
recordWebcams: true
codec_video_main: VP8
codec_video_content: VP8
/etc/bbb-webrtc-recorder/bbb-webrtc-recorder.yml (bbb-webrtc-recorder)
/etc/bigbluebutton/bbb-webrtc-recorder.yml (bbb-webrtc-recorder - override)
debug: false
recorder.directory: /var/lib/bbb-webrtc-recorder
/usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml (HTML5 client)
/etc/bigbluebutton/bbb-html5.yml (HTML5 client config override)
build: 201
kurentoUrl: wss://bbb.example.com/bbb-webrtc-sfu
defaultFullAudioBridge: fullaudio
defaultListenOnlyBridge: fullaudio
sipjsHackViaWs: true
# Potential problems described below
If no potential problems are listed, our first and main part is complete. You can open the site https://bbb.domain.com and you will get the system login prompt.
By the way, if the script had been run with the command
wget -qO- https://raw.githubusercontent.com/bigbluebutton/bbb-install/v2.7.x-release/bbb-install.sh | bash -s -- -w -v focal-270 -s bbb.domain.com -e <email address for Let's Encrypt> -g
that is, using Let's Encrypt certificates, our article would end here, since you would already have a fully functional BigBlueButton installed.
But we have our own certificates. The bbb-conf --check command reports no errors, so we try to open the site https://bbb.domain.com
If the site opens, we export the chain of CA certificates to the server. Each certificate is issued by one or more certification authorities (the root and any intermediates), and it is their certificates that we need.
We export them all from the browser and upload them to the server with the *.crt extension.
We place the root certificates in two folders: /etc/ssl/certs and /usr/local/share/ca-certificates
Run update-ca-certificates to add the root certificates to the list of trusted ones.
Check what is in the /etc/haproxy/certbundle.pem file, which is where our certificates should be.
Restart BigBlueButton: bbb-conf --restart
Let's create an administrator user
docker exec greenlight-v3 bundle exec rake admin:create
User account was created successfully!
Name: Administrator
Email: <administrator email address>
Password: Administrator1!
Role: Administrator
Now we can register and create virtual rooms. And everything seems to be fine, but...
Step three. How to enter a created room
After creating a room, for some reason I can't get inside.
The message "The action can't be completed error" appears at the bottom.
And an error like this appears in the browser console:
main-7418853bb06c5bbc3addb59ce7bec97fe4ac85263776128f089ffa055ec709b6.js:10 POST https://bbb.domain.com/api/v1/meetings/1i7-7tn-ooa-ndj/start.json 400
main-7418853bb06c5bbc3addb59ce7bec97fe4ac85263776128f089ffa055ec709b6.js:12 Error: Request failed with status code 400
The problem is that Greenlight does not know our root certificates, so the SSL handshake with the BigBlueButton API fails.
Moreover, BigBlueButton reports no errors through the bbb-conf --debug command; only in the haproxy log /var/log/haproxy.log will you see many errors when trying to enter the room:
Nov 13 17:44:57 bbb haproxy[935]: 172.1.7.11:51226 [13/Nov/2023:17:44:57.790] nginx_or_turn/1: SSL handshake failure
Adding our corporate root certificates goes like this:
- When we installed BigBlueButton, the greenlight-v3 folder was created in the user's home folder
- Open it and create the mycerts folder
- Copy the certificates we exported from the browser (with the crt extension) into this folder
- Edit the docker-compose.yml file and add the line marked with the "added" comment below
version: '3'
services:
  postgres:
    image: postgres:14.6-alpine3.17
    container_name: postgres
    restart: unless-stopped
    volumes:
      - ./data/postgres/14/database_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=bf7c5fc72f9786be04d669f79b8d6d7b5f9fd6888b8c27ac
  redis:
    image: redis:6.2-alpine3.17
    container_name: redis
    restart: unless-stopped
    volumes:
      - ./data/redis/database_data:/data
  greenlight-v3:
    entrypoint: [bin/start]
    image: bigbluebutton/greenlight:v3
    container_name: greenlight-v3
    restart: unless-stopped
    env_file: .env
    ports:
      - 127.0.0.1:5050:3000
    logging:
      driver: journald
    volumes:
      - ./data/greenlight-v3/storage:/usr/src/app/storage
      - ./mycerts:/usr/local/share/ca-certificates   # added: mount our corporate CA certificates
    depends_on:
      - postgres
      - redis
Please note that the change goes into the greenlight-v3 service and not into redis
- save the file and run the installation again
wget -qO- https://raw.githubusercontent.com/bigbluebutton/bbb-install/v2.7.x-release/bbb-install.sh | bash -s -- -w -v focal-270 -s bbb.domain.com -d -g
Yes, yes! Again... This is currently the only easy way to add root certificates to Greenlight
When the installer runs again, the docker-compose.yml file is left unchanged and our changes are applied to the newly created container.
- activate our certificates inside the container:
docker exec greenlight-v3 update-ca-certificates
- restart the service: bbb-conf --restart
- enjoy the result.
We were able to enter a virtual room and can chat, invite friends, screencast, and so on.
Step four. Showing presentations.
After the initial joy, we will see that there is one more problem.
Presentations are not shown, neither default.pdf nor any other. How then should training be carried out?
You can, of course, share the screen, but it is probably worth fixing the problem.
Note that when we upload a presentation to a room, the log /var/log/haproxy.log again shows SSL handshake failure
This means that something else does not see our root certificates.
To find out what, we need to dig into the syslog:
Nov 13 11:17:35 bbb systemd_start.sh[24362]: 2023-11-13T08:17:35.364Z backend-2 [#033[31merror#033[39m] : No file found. Error: self signed certificate in certificate chain
Nov 13 11:17:35 bbb systemd_start.sh[24362]: 2023-11-13T08:17:35.371Z backend-2 [#033[31merror#033[39m] : No file found. Error: self signed certificate in certificate chain
Nov 13 11:17:35 bbb systemd_start.sh[24362]: 2023-11-13T08:17:35.382Z backend-2 [#033[31merror#033[39m] : Error parsing image size. Error: self signed certificate in certificate chain.
The SSL root certificates are not seen by Node.js, so we can do this:
1. Edit /usr/share/meteor/bundle/main.js and add process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0 at the beginning;
2. bbb-conf --restart
This way we ignore SSL errors. Note that this setting turns off certificate verification for every outgoing TLS connection the HTML5 backend makes, not only those to bbb.domain.com; Node.js can instead be pointed at an additional CA bundle through the NODE_EXTRA_CA_CERTS environment variable, which keeps verification enabled. Unfortunately, I couldn't get meteor to read my root certificates, so here's the way.
Now our system uses our own SSL certificates, lets you create and enter rooms, upload presentations and much more. But that is not all...
Step five. Recording webinars.
Everything is fine with our system, but recorded webinars do not appear in the lists, although they are created.
When running the bbb-record --republish command, we see in the log /var/log/bigbluebutton/post_process.log
[2023-11-14T16:56:30.044255 #13674] INFO -- : SSL_connect SYSCALL returned=5 errno=0 state=error: certificate verify failed
Solution: fix the file /usr/local/bigbluebutton/core/scripts/post_publish/post_publish_recording_ready_callback.rb
Add the line marked with the "added" comment below
uri = URI.parse(callback_url)
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = (uri.scheme == 'https')
http.verify_mode = OpenSSL::SSL::VERIFY_NONE   # added
BigBlueButton.logger.info("Sending request to #{uri.scheme}://#{uri.host}#{uri.request_uri}")
request = Net::HTTP::Post.new(uri.request_uri)
request.set_form_data({ signed_parameters: payload_encoded })
response = http.request(request)
Here, too, we had to disable SSL verification, which means the recording-ready callback will accept any certificate presented by the callback host.
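As an added example (not from the article or from BigBlueButton's own scripts), the Ruby code below shows the verification that fails in steps four and five and how the callback client from post_publish_recording_ready_callback.rb can be given the corporate CA while keeping VERIFY_PEER, instead of VERIFY_NONE; it also includes the step-one check that bbb.key belongs to bbb.crt. The root CA and the leaf certificate for bbb.domain.com are generated in memory as constructed stand-ins for the organisation's real PKI, and the callback URL is a made-up one.

```ruby
require 'openssl'
require 'net/http'
require 'uri'
# Constructed test PKI: a throwaway corporate root CA and a leaf certificate
# for bbb.domain.com signed by it (stand-ins for the organisation's real PKI).
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

CA_CERT, CA_KEY     = make_cert('/CN=Corp Root CA', ca: true)
LEAF_CERT, LEAF_KEY = make_cert('/CN=bbb.domain.com', issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Step one sanity check: the bbb.key extracted from the .pfx must belong to bbb.crt.
def key_matches_cert?(cert, key)
  cert.public_key.to_der == key.public_key.to_der
end

# The check behind "certificate verify failed": does the leaf chain to a trusted CA?
def chain_trusted?(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(leaf)
end

# Callback client for post_publish_recording_ready_callback.rb that keeps
# VERIFY_PEER and trusts the corporate CA instead of using VERIFY_NONE.
def callback_client(callback_url, extra_cas)
  uri  = URI.parse(callback_url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.set_default_paths                   # system store, e.g. /etc/ssl/certs
  extra_cas.each { |c| store.add_cert(c) }  # plus our exported root/intermediates
  http.cert_store = store
  http
end
```

With the real exported .crt files you would build extra_cas with OpenSSL::X509::Certificate.new(File.read(path)) for each file; callback_client only configures the connection, the POST from the original script is sent through it unchanged.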
And now that's it! We have a working full-fledged BigBlueButton system with our own certificates.
Additional information
Reading the logs of a Docker container:
docker logs -f greenlight-v3 (follows the log output)