NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Passing SSL certs to Meshcentral #1144

Open unsounddabbit opened 3 years ago

unsounddabbit commented 3 years ago

Is your feature request related to a problem? Please describe. I love your container and am new to Docker and Nginx. I'm trying to get Meshcentral to work with your image, but I seem to be hitting a wall. The issue is that nginx needs to pass the ssl cert to meshcentral. The documentation in the link below on page 32 describes a sample file of nginx.conf. I found this file in the container at /etc/nginx/nginx.conf, but yours is highly configured.

https://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide.pdf

Describe the solution you'd like I would like to be able to set the environment variables to get Nginx to pass SSL to Meshcentral.

Describe alternatives you've considered If the nginx.conf file was imported in a way that made it easy to edit and import. Any assistance on this would be appreciated. I am a newbie to Docker.

apainter2 commented 3 years ago

I presume you're running MeshCentral within a docker container.

You need to ensure that the meshcentral docker-compose environment variables are correct from the onset:

Example docker-compose.yml file:

version: '3'
services:
    meshcentral:
        restart: always
        container_name: meshcentral
        image: typhonragewind/meshcentral
        ports:
            - 8086:443  #MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
        environment:
            - HOSTNAME=meshcentral.home.sanjiyan.com     #your hostname
            - REVERSE_PROXY=192.168.1.9     #set to your reverse proxy IP if you want to put meshcentral behind a reverse proxy
            - REVERSE_PROXY_TLS_PORT=443
            - IFRAME=false    #set to true if you wish to enable iframe support
            - ALLOW_NEW_ACCOUNTS=false    #set to false if you want disable self-service creation of new accounts besides the first (admin)
            - WEBRTC=true  #set to true to enable WebRTC - per documentation it is not officially released with meshcentral, but is solid enough to work with. Use with caution
        volumes:
            - ./meshcentral/data:/opt/meshcentral/meshcentral-data    #config.json and other important files live here. A must for data persistence
            - ./meshcentral/user_files:/opt/meshcentral/meshcentral-files    #where file uploads for users live

The important parts for this are the environment variables:

            - HOSTNAME=meshcentral.home.sanjiyan.com     #your hostname
            - REVERSE_PROXY=192.168.1.9     #set to your reverse proxy IP if you want to put meshcentral behind a reverse proxy
            - REVERSE_PROXY_TLS_PORT=443

Make sure that HOSTNAME points to your FQDN for meshcentral, the REVERSE_PROXY variable should be the IP address of the server which you run NPM on, and the REVERSE_PROXY_TLS_PORT port number is 443 (the REVERSE_PROXY_TLS_PORT is the port for HTTPS on NPM, which should be 443).

That's the meshcentral configuration, now let us define the NPM configuration:

Within NPM, create a new Proxy Host:

Domain Names: this is your FQDN for MeshCentral
Scheme: https
Forward Hostname/IP: IP address for MeshCentral (this should be the docker host IP address unless you're running MeshCentral docker on a macvlan network)
Forward Port: 8086 (as per your meshcentral docker-compose.yml)
Cache Assets: Enable
Websockets Support: Enable, only if you set WEBRTC=true within the meshcentral docker-compose.yml file
Block Common Exploits: Enable

As per image: mesh1

SSL Section:
SSL Certificate: Set this to the relevant SSL certificate
Force SSL: Enable
HTTP/2 Support: Enable
HSTS Enabled: Enable

As per image: mesh2

That's it, meshcentral will now work as it should with NPM and SSL.

unsounddabbit commented 3 years ago

Thank you for that. I did as requested but I'm still getting an "Agent bad web cert hash" in MeshCentral. I can reach the console from the domain name, but the agent computers aren't giving the correct hash. Here is my docker-compose.yml file:

version: '3'
services:
    meshcentral:
        restart: always
        container_name: meshcentral
        image: typhonragewind/meshcentral
        ports:

apainter2 commented 3 years ago

Very odd, as it's working here.

Try this:

Setup NPM as I described - I have added additional info below, but for the meshcentral config.json try this:

{
 "settings": {
  "cert": "mesh.mydomain.com",
  "wanonly": true,
  "_minify": true,
  "clickonce": true,
  "selfupdate": true,
  "webrtc": true,
  "AgentPong": 30,
  "TlsOffload": "192.168.200.2"
 },
 "domains": {
  "": {
   "certurl": "https://192.168.200.2:443/",
   "newaccounts": false,
   "title": "whateveryourtitleis",
   "title2": "Remote Connect",
   "agentinvitecodes": true
  }
 }
}

So...

settings > cert: this is the FQDN for your meshcentral URL
domains > certurl: this is the schema (https), IP address and port of NPM which holds your certs
domains > title: use whatever you have here already, it's different for everyone

Now, back to NPM.

Select the proxy-host for meshcentral, and go to the advanced options:

location / {
 proxy_pass http://192.168.200.2:443/;
 proxy_http_version 1.1;

 # Inform MeshCentral about the real host, port and protocol
 proxy_set_header X-Forwarded-Host $host:$server_port;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
}

Restart the meshcentral container.

Let me know how it goes. Cheers!
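
The "bad web cert hash" symptom in this thread comes down to whether the certificate MeshCentral fetches from certurl is the same one NPM presents to agents for the FQDN. The diagnostic below is an added example, not code from this issue or from either project; it assumes the NPM host answers TLS on 443, and mesh.example.test and 192.0.2.10 are placeholders to replace with your own values.

```python
"""Check that the certificate MeshCentral fetches from certurl is the one
agents see, which is what the "Agent bad web cert hash" error hinges on.
Trust validation is disabled on purpose: the goal is to see which leaf
certificate each endpoint presents, not whether a CA trusts it."""
import hashlib
import socket
import ssl
from typing import Callable, Dict, Optional


def fetch_leaf_der(host: str, port: int, server_name: Optional[str],
                   timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate presented by host:port.
    server_name=None sends no SNI, which is how a bare-IP certurl such as
    https://192.168.200.2:443/ looks from NPM's side."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_presented_certs(fetch: Callable[[str, int, Optional[str]], bytes],
                            fqdn: str, npm_ip: str, port: int = 443) -> Dict[str, object]:
    """Fetch the certificate three ways and report whether they agree:
    as an agent does (FQDN with SNI), as a bare-IP certurl does (no SNI), and
    by IP with the FQDN as SNI. `fetch` is injectable so this can be exercised
    without a network; pass fetch_leaf_der for a live check."""
    views = {
        "agent_view": fetch(fqdn, port, fqdn),
        "certurl_ip_no_sni": fetch(npm_ip, port, None),
        "certurl_ip_with_sni": fetch(npm_ip, port, fqdn),
    }
    report: Dict[str, object] = {k: fingerprint(v) for k, v in views.items()}
    # If NPM selects the certificate by SNI, a bare-IP certurl can receive a
    # different (default) certificate than the FQDN does; that mismatch is
    # exactly what the agents then reject.
    report["all_match"] = len({fingerprint(v) for v in views.values()}) == 1
    return report


if __name__ == "__main__":  # live check; placeholder hosts, adjust to yours
    print(compare_presented_certs(fetch_leaf_der, "mesh.example.test", "192.0.2.10"))
```

If the three fingerprints differ, point certurl at the FQDN (or give NPM the same certificate as its default) so the hash MeshCentral pins matches what agents are shown.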

unsounddabbit commented 3 years ago

Thank you for this. I did everything. There were some settings in my container that I didn't comment out, but I did add the lines you suggested. That is below. Should I take out everything but what you told me to put in?

{
 "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
 "settings": {
  "cert": "mesh.mydomain.com",
  "_WANonly": true,
  "_LANonly": true,
  "_sessionKey": "MyReallySecretPassword1",
  "port": 443,
  "_aliasPort": 443,
  "redirPort": 80,
  "_redirAliasPort": 80,
  "AgentPong": 30,
  "TLSOffload": false,
  "SelfUpdate": false,
  "AllowFraming": "false",
  "WebRTC": "true",
  "_minify": true,
  "clickonce": true,
  "selfupdate": true
 },
 "domains": {
  "": {
   "_title": "Mesh",
   "_title2": "Remote Connect",
   "_minify": true,
   "NewAccounts": "false",
   "_userNameIsEmail": true,
   "certUrl": "https://192.168.200.2:443",
   "agentinvitecodes": true
  }
 },
 "_letsencrypt": {
  "comment": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
  "_email": "myemail@mydomain.com",
  "_names": "myserver.mydomain.com",
  "production": false
 }
}

When I went to NPM and added the custom config to the proxy host I'm getting a 400 bad request, "HTTP request sent to HTTPS". If I change the setting below to https I get a 502 error.

location / {
 proxy_pass http://192.168.200.2:443/;
 proxy_http_version 1.1;

 # Inform MeshCentral about the real host, port and protocol
 proxy_set_header X-Forwarded-Host $host:$server_port;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
}

feerlessleadr commented 3 years ago

@unsounddabbit I was having the same problem and was able to figure this out.

In your config.json, if you comment out the TLSoffload, it should allow you to access the web interface using NPM. Here is my config.json

{
"$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
"settings": {
"cert": "mesh.mydomain.com",
"_WANonly": true,
"_LANonly": true,
"_sessionKey": "MyReallySecretPassword1",
"port": 443,
"_aliasPort": 443,
"redirPort": 80,
"_redirAliasPort": 80,
"AgentPong": 30,
"_TLsOffload": "192.168.1.17", <------added the underscore to comment this out
"AllowFraming": "false",
"WebRTC": "true",
"_minify": true,
"clickonce": true,
"selfupdate": true
},
"domains": {
"": {
"_title": "Mesh",
"_title2": "Remote Connect",
"_minify": true,
"NewAccounts": "false",
"_userNameIsEmail": true,
"certUrl": "https://192.168.1.17:443", <-------this is the address of my NPM server
"agentinvitecodes": true
}
},
"_letsencrypt": {
"comment": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
"_email": "myemail@mydomain.com",
"_names": "myserver.mydomain.com",
"production": false
}
}

I didn't need to put anything special into the advanced section of NPM to get this to work.

github-actions[bot] commented 8 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: