Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

MeshCentral2 behind a Firewall (pfSense) - Let's Encrypt Certification not working #1330

Closed Anubis-XIII closed 4 years ago

Anubis-XIII commented 4 years ago

I'm currently testing MC2 in a cloud hosted environment where it has been installed on a Ubuntu 18.04 VM. The whole network infrastructure is protected by a pfSense firewall. Ports 80, 443 and 4433 are routed through via NAT. Internet is working fine. However, I cannot issue a Let's Encrypt Certificate for the Web Server.

vm-admin@meshcentral:~$ node node_modules/meshcentral --debug cert
Starting meshcentral syslog.
Starting meshcentral-json JSON syslog.
Starting meshcentral-auth auth syslog.
MeshCentral HTTP redirection server running on port 81.
CERT: LE: Getting certs from local store (Production)
CERT: LE: ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work.
ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work.
MeshCentral v0.5.25, Hybrid (LAN + WAN) mode.
ERR: ERROR: MeshCentral Intel(R) AMT server port 4433 is not available.
MeshCentral HTTPS server running on cm.mydomain.de:444.

DNS Entries are all working correctly and I can open the MC Web Console when accessing the URL in a Browser.

> le
{
     "configOk": true,
     "leDomains": [
         "cm.mydomain.de"
     ],
     "challenges": {},
     "production": true,
     "webServer": true,
     "certPath": "/home/vm-admin/meshcentral-data/letsencrypt-certs",
     "cert": "None"
}
> leevents
5/11/2020 10:08:39 AM - Getting certs from local store (Production) 
5/11/2020 10:08:39 AM - No certificate files found 
5/11/2020 10:08:44 AM - Got no certificates, asking for one now. 
5/11/2020 10:08:44 AM - Generating private key... 
5/11/2020 10:08:44 AM - Setting up ACME client... 
5/11/2020 10:08:44 AM - Creating certificate request... 
5/11/2020 10:08:44 AM - Requesting certificate from Let's Encrypt... 
5/11/2020 10:09:54 AM - Failed to obtain certificate: unable to verify the first certificate

Is it mandatory that MC2 runs on a WAN connected VM? If not, what could be the issue?

According to the installation guide, I had to run the command:

sudo setcap cap_net_bind_service=+ep /usr/bin/node

Which I did. But it changed nothing.

node -v
v12.16.3
npm -v
6.14.4

I'm pretty much out of ideas.

Ylianst commented 4 years ago

First, you should NEVER do testing of Let's Encrypt using "production":true, you're going to get yourself banned from Let's Encrypt servers for a long time if that has not already happened. After that, you're out of luck and you just have to wait. Start with "production":false until you get a certificate and you verify everything works.

Is it mandatory that MC2 runs on a WAN connected VM?

Yes, to get a Let's Encrypt certificate, you need port 80 on the general internet to be routed to your server. You can't use any other port, cm.mydomain.de:80 must route to your MeshCentral server from the outside Internet. Use https://letsdebug.net/ to check that everything is ok.

Hope that helps, Ylian

PathfinderNetworks commented 4 years ago

I have my MeshCentral server running on a VM that is on my LAN and behind a firewall (Untangle). It doesn't have to sit directly on the WAN IP, but, like Ylian said, port 80 must be forwarded from the WAN directly to the LAN IP of your MeshCentral box. I believe you mentioned you are doing that, but make sure the rule is correct and that external requests for port 80 on that WAN IP are truly getting through to your MeshCentral box. I suspect it isn't.

PathfinderNetworks commented 4 years ago

Also make certain that HTTP traffic from your MeshCentral box is actually going out. If the incoming port 80 traffic is getting through but your firewall is not allowing responses from the webserver to get out then that will result in the same issue.

Anubis-XIII commented 4 years ago

Thanks for all the help. It was indeed a setting in the firewall that I missed. Let's Encrypt is working fine now.

Just in case somebody uses a similar setup, check the Netgate Documentation:

https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

Pure NAT has to be enabled for this to work properly.
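As an added example (not from this thread and not MeshCentral's own code), a small Python pre-flight probe that performs the check Ylian and PathfinderNetworks describe: it requests the HTTP-01 challenge path on port 80 and maps the outcome to the NAT or firewall problem it usually points at. The domain, probe token and diagnosis wording are assumptions; run it from a host outside the firewall, since from the LAN a timeout may only mean NAT reflection (Pure NAT) is off.

```python
import http.client
import socket
import sys

ACME_PATH = "/.well-known/acme-challenge/"

# Likely cause for each outcome; wording is an assumption drawn from the thread,
# not a message MeshCentral or Let's Encrypt emits.
DIAGNOSIS = {
    "reachable": "port 80 reaches the server and its reply gets back out",
    "refused": "host reached but nothing listens on 80 (e.g. redirection server on 81)",
    "timeout": "inbound port-80 forward missing, replies blocked, or NAT reflection off",
    "dns-failure": "name does not resolve; fix DNS before touching the firewall",
    "unreachable": "network error before a connection was made; check routing",
}

def probe_http01(domain, token="preflight-probe", timeout=10, connect=None):
    """GET the HTTP-01 challenge path on port 80 and classify what happened.
    Any HTTP status counts as reachable (an unknown token normally gives 404):
    the ACME validator only needs the request to arrive and the answer to return.
    `connect` is injectable so the classification can be exercised offline.
    """
    if connect is None:
        connect = lambda: http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn = connect()
        conn.request("GET", ACME_PATH + token)
        status = conn.getresponse().status
        conn.close()
        return "reachable", status
    except socket.gaierror:
        return "dns-failure", None
    except ConnectionRefusedError:
        return "refused", None
    except (socket.timeout, TimeoutError):
        return "timeout", None
    except OSError:
        return "unreachable", None

def diagnose(domain, **kwargs):
    """Return a one-line verdict for the given domain (hypothetical helper)."""
    outcome, status = probe_http01(domain, **kwargs)
    detail = f" (HTTP {status})" if status is not None else ""
    return f"{domain}: {outcome}{detail} -> {DIAGNOSIS[outcome]}"

if __name__ == "__main__":
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "cm.mydomain.de"))
```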