[Community Edition] JsonWebTokenError: invalid signature on room creation in CE vanilla deploy method #325

Open
kfarr opened this issue Dec 19, 2023 · 4 comments

kfarr commented Dec 19, 2023

After deployment using vanilla deployment method, and when user attempts to create a room, there is an error:

Peer.js:333 Uncaught (in promise) Error: JsonWebTokenError: invalid signature
    at e.exports._handleResponse (Peer.js:333:18)
    at e.exports.<anonymous> (Peer.js:265:10)
    at a.emit (events.js:153:5)
    at e.exports.safeEmit (EnhancedEventEmitter.js:18:9)
    at _closed._ws.onmessage (WebSocketTransport.js:206:10)

Potential causes:

  1. Newline issue - zsh / bash handle newlines differently
  • If you exec into your ret pod and cat config.toml, you'll see the perms_keys in there. Look at the private key: if you see \n instead of \\n, it needs to be escaped.
  • Incorrect example: "-----BEGIN PRIVATE KEY-----\nMIIE" ... where MIIE are the first 4 characters of the key
  • Correct example: "-----BEGIN PRIVATE KEY-----\\nMIIE"
  2. Ports are blocked that are required by various hubs services

Potential solutions:
1A) Hardcode the key in your YAML;
1B) newline within docker method
2B) May involve creating a k8s network policy YAML, and/or changing GCP specific settings for Service workers / applications behind the haproxy firewall
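
The escaping check described in the comment above, as an added example that is not part of the original issue or the Hubs code base: it scans config text for PEM private-key headers and reports whether each is followed by `\\n`, a single `\n`, or a raw line break. The sample config, its key names and the verdict strings are constructed for illustration.

```python
import re
import sys

# PEM private-key header, then the separator that follows it:
# group 1 = run of backslashes, group 2 = 'n' or a real line break.
_HEADER = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----(\\*)(n|\r?\n)?")

def classify_pem_escaping(config_text):
    """Return [(line_number, verdict)] for every private-key header found."""
    findings = []
    for m in _HEADER.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start()) + 1
        slashes, tail = len(m.group(1)), m.group(2)
        if tail == "n" and slashes == 2:
            verdict = "escaped"            # \\n : the form the issue calls correct
        elif tail == "n" and slashes == 1:
            verdict = "single-backslash"   # \n  : the form the issue calls incorrect
        elif tail is not None and tail != "n" and slashes == 0:
            verdict = "raw-newline"        # header followed by an actual line break
        else:
            verdict = "unknown"            # anything else: inspect by hand
        findings.append((line_no, verdict))
    return findings

def needs_fix(findings):
    """True if any header is not in the doubly escaped form."""
    return any(verdict != "escaped" for _, verdict in findings)

# Constructed sample (not a real key and not a real Hubs config).
SAMPLE = r'''
[constructed]
key_a = "-----BEGIN PRIVATE KEY-----\\nMIIE(truncated)\\n-----END PRIVATE KEY-----"
key_b = "-----BEGIN PRIVATE KEY-----\nMIIE(truncated)\n-----END PRIVATE KEY-----"
key_c = "-----BEGIN PRIVATE KEY-----
MIIE(truncated)"
'''

if __name__ == "__main__":
    # Pipe the rendered config in on stdin; only line numbers are printed,
    # never key material.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    results = classify_pem_escaping(text)
    for line_no, verdict in results:
        print(f"line {line_no}: {verdict}")
    sys.exit(1 if needs_fix(results) else 0)
```

The non-zero exit status on any header that is not doubly escaped lets the check gate a deploy step before the rendered YAML is applied.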

kfarr commented Dec 21, 2023

Solution 1A, hardcoding the key in your YAML, does seem to work. Please note that it requires re-logging in once you've applied hcce.yaml. I'm guessing the re-login is required to issue a new JWT that uses the new key. However that is not the correct long-term solution so let's keep this issue open.

kfarr commented Dec 22, 2023

Solution 1B, using the docker method, also seems to work. See this Dockerfile file from @Doginal
https://github.com/mozilla/hubs-cloud/pull/324/commits
and then run something like this if my notes are correct

docker build . -t hubs-ce-builder:latest
chmod +x render_hcce.sh
sudo docker run --rm -it -v "$(pwd)":/app hubs-ce-builder:latest

kfarr commented Dec 22, 2023

For 2B, answer from @Doginal and chatgpt, validated by @kfarr as working.

We need each node worker (the hardware you provisioned for gke) on the gke cluster to have those ports open to the internet as coturn and dialog like to connect via ip not dns.

To convert these AWS CLI commands to their equivalent gcloud commands for use with Google Cloud Platform, you'll need to use the gcloud compute firewall-rules create command. This command is used to create firewall rules in Google Cloud, similar to how security group rules are managed in AWS.

Here are the equivalent gcloud commands for each of your AWS CLI commands:

For TCP port 4443:
gcloud compute firewall-rules create rule-name-1 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:4443 --source-ranges=0.0.0.0/0

For TCP port 5349:
gcloud compute firewall-rules create rule-name-2 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:5349 --source-ranges=0.0.0.0/0

For UDP ports 35000 to 60000:
gcloud compute firewall-rules create rule-name-3 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=udp:35000-60000 --source-ranges=0.0.0.0/0

Contributor

Doginal commented Dec 23, 2023

For 2B, answer from @Doginal and chatgpt, validated by @kfarr as working.

We need each node worker (the hardware you provisioned for gke) on the gke cluster to have those ports open to the internet as coturn and dialog like to connect via ip not dns.

To convert these AWS CLI commands to their equivalent gcloud commands for use with Google Cloud Platform, you'll need to use the gcloud compute firewall-rules create command. This command is used to create firewall rules in Google Cloud, similar to how security group rules are managed in AWS.

Here are the equivalent gcloud commands for each of your AWS CLI commands:

For TCP port 4443: gcloud compute firewall-rules create rule-name-1 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:4443 --source-ranges=0.0.0.0/0

For TCP port 5349: gcloud compute firewall-rules create rule-name-2 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:5349 --source-ranges=0.0.0.0/0

For UDP ports 35000 to 60000: gcloud compute firewall-rules create rule-name-3 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=udp:35000-60000 --source-ranges=0.0.0.0/0

I can confirm running these gcloud commands immediately allowed my two browsers to have working audio.
