Typhonragewind / meshcentral-docker


Can't renew Let's Encrypt cert on the reverse proxy - agents lost #50

Open masscream opened 1 month ago

masscream commented 1 month ago

Hello, I've successfully migrated my MC instance from the app installed on the system to this Docker version. I also migrated all the data located in the meshcentral-data folder (only updated some config params), the Let's Encrypt cert from the old server, the Apache config, etc. All seemed to work as it should until the time for a cert renewal came. After that, all of my agents suddenly lost connection with the server. Or, better said, the server ignores them because of some kind of certificate mismatch.

I have been running MeshCentral for some time now, usually behind an Apache reverse proxy, and I have never had any problems with certificate renewal. MC author Ylianst also describes in a lot of GitHub threads and forums that MeshCentral takes this situation into account: until I modify or delete the main certificate (agentserver-cert), all the agents should recognize the server and update their certificate accordingly. It was working with the application installed directly on the server, but not with this Docker image. I am temporarily running the app with the expired certificate, but that's a hassle since all the browsers are yelling at me, Android does not work at all, and I can't even add any new agents to the server because of it...

Is there something I overlooked? I also tried replacing the certs (webserver-cert) in the mc-data folder manually with the new Let's Encrypt cert, but that did not work either. Also, setting the parameter "IgnoreAgentHashCheck" does nothing; the only thing that works for me is setting the old cert back in the Apache reverse proxy. Thanks for any tips.

MeshCentral config (not all)

    "MariaDB": {
      "host": "192.168.0.31",
      "port": 3306,
      "database": "meshcentral",
      "user": "meshcentral",
      "password": "password1"
    },
    "port": 4430,
    "_redirport": 81,
    "tlsOffload": "192.168.0.31",
    "cert": "mc.domain.com",
    "aliasPort": 443,
    "RelayDNS": [ "wr1.mc.domain.com" ],
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_AgentPing": 60,
    "AgentPong": 60,
    "_BrowserPing": 55,
    "_BrowserPong": 55,
    "_IgnoreAgentHashCheck": true
  },
  "domains": {
    "": {
      "title": "MeshCentral Server",
      "_title2": "Servername 2",
      "_minify": true,
      "newAccounts": false,
      "userNameIsEmail": false,
      "certUrl": "https://mc.domain.com",
      "deviceMeshRouterLinks": {
        "rdp": true,
        "ssh": true,
        "scp": true,
        "extralinks": [
          {
            "name": "HTTP",
            "protocol": "http",
            "port": 80
          },
          {
            "name": "HTTPS",
            "protocol": "https",
            "port": 443
          }

Container config

docker run \
  -d \
  --net MyBr \
  --ip 10.0.10.5 \
  -p 4430:4430 \
  --name meshcentral \
  --restart always \
  -v /home/user/.local/share/docker/volumes/meshcentral_volume/_data/meshcentral-data:/opt/meshcentral/meshcentral-data \
  -v /home/user/.local/share/docker/volumes/meshcentral_volume/_data/meshcentral-files:/opt/meshcentral/meshcentral-files \
  -v /home/user/.local/share/docker/volumes/meshcentral_volume/_data/meshcentral-backups:/opt/meshcentral/meshcentral-backups \
typhonragewind/meshcentral:latest

Apache config

<VirtualHost *:443>
  ServerName mc.domain.com
  ServerAlias *.mc.domain.com

  SSLEngine on
  SSLCertificateFile    /usr/local/apache2/certs/domain.com/fullchain16.pem
  SSLCertificateKeyFile /usr/local/apache2/certs/domain.com/privkey16.pem

  RewriteEngine on
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteCond %{HTTP:Connection} upgrade [NC]
  RewriteRule . "ws://192.168.0.31:4430%{REQUEST_URI}" [P]

  ProxyPass / http://192.168.0.31:4430/ connectiontimeout=86400 timeout=30
  ProxyPassReverse / http://192.168.0.31:4430/
  ProxyPreserveHost On
</VirtualHost>

MC container log

MeshCentral HTTP server running on port 4430, alias port 443.
MeshCentral HTTP relay server running on wr1.mc.domain.com:4430, alias port 443.
Agent bad web cert hash (Agent:03f****804 != Server:966****4b5 or 966****4b5), holding connection (**.44.**.122:45430).
Agent reported web cert hash:03f**********36ab9a60f1825d4c98e219ace5104202bd2e64c45f5ec7cb1b0cb1f5efdb2de51c7745a6ad9cd8e0c4f.
Loaded web certificate from "https://mc.domain.com", host: "mc.domain.com"
  SHA384 cert hash: 03f**********36ab9a60f1825d4c98e219ace5104202bd2e64c45f5ec7cb1b0cb1f5efdb2de51c7745a6ad9cd8e0c4f
WARNING: Unable to find mysqldump, MySQL/MariaDB database auto-backup will not be performed.
MeshCentral HTTP redirection server running on port 81.
MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
MeshCentral Intel(R) AMT server running on mc.domain.com:4433.

MC trace log (agent traffic)

12:49:31 PM - AGENT: New agent at **.44.**.122:37350
12:49:29 PM - AGENT: Agent disconnect fV$X**********ftSK2jG488FW70wCBKr7j0FzN7UOSA2vZjAJ@kQGEMrQaoglgw (192.168.0.90:49718) id=Unknown
12:49:27 PM - AGENT: Verified agent connection to Zljd**********B49x199KUwsS$PjswSI0zP@P6yqhr3NT87Roj2xJYbh@Rw$i96 (192.168.0.10:58044).
12:49:27 PM - AGENT: New agent at 192.168.0.10:58044
12:49:27 PM - AGENT: Verified agent connection to WaOX**********Zwzm5nm4z992IpWf6c$wQAYSfEcZRV8ocS0qwh2EjITpAoK0Qv (**.70.**.212:58036).
12:49:27 PM - AGENT: New agent at **.70.**.212:58036
12:49:22 PM - AGENT: Verified agent connection to UIUI**********7SepA@yHT1MlnGsU$ef@KUNE6rCDBWAuHHzJB28KRomHa4R01z (**.112.**.110:58026).
12:49:22 PM - AGENT: New agent at **.112.**.110:58026
12:49:20 PM - AGENT: Agent disconnect 0mLt**********NGOHb$0j9pk@verVNkjfFhrlbAZebkyVBCheYUDWrV$Ft88GhB (192.168.0.1:36084) id=Unknown
12:49:19 PM - AGENT: Agent disconnect hDTW**********St@Ksr16q38HJeSDmR9vTXOQrx3psna660y8D2GPiMIKrX3$tA (**.112.**.110:36072) id=Unknown
12:49:15 PM - AGENT: Agent disconnect hUvB**********smWvUaNj9lSSh2TRHv5U1LFeKuwtjbv8BBzdxQmJqRMUooAZ7z (**.44.**.122:36058) id=Unknown
12:49:15 PM - AGENT: Agent disconnect WaOX**********Zwzm5nm4z992IpWf6c$wQAYSfEcZRV8ocS0qwh2EjITpAoK0Qv (**.70.**.212:36056) id=Unknown
12:49:11 PM - AGENT: Agent disconnect Z*************B49x199KUwsS$PjswSI0zP@P6yqhr3NT87Roj2xJYbh@Rw$i96 (192.168.0.10:36054) id=Unknown
12:49:09 PM - AGENT: Agent disconnect U*************7SepA@yHT1MlnGsU$ef@KUNE6rCDBWAuHHzJB28KRomHa4R01z (**.112.**.110:48024) id=Unknown
12:49:09 PM - AGENT: Verified agent connection to tqKv**********GyxTh8dLcCVgxzvnKe$0pLP$R9PYvN6L9voO1WGR@V1HKWnwRC (**.44.**.122:38558).