Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Question about Let's encrypt #2532

Closed miroslavjaros closed 3 years ago

miroslavjaros commented 3 years ago

I would like to ask you for help. A few days ago I found your great project MeshCentral2. I tested it with our domain mesh.domain.cz and it is great for us.

I tried every configuration for Let's Encrypt but I cannot get it to generate one. For testing purposes I have it in a virtual machine with Windows 10 Pro. Is there any log of the answer from Let's Encrypt?

When I tried Certbot for Windows I got this response:

Domain: mesh.ithope.cz
   Type:   unauthorized
   Detail: Invalid response from
   http://mesh.domain.cz/.well-known/acme-challenge/pi-ZF3UpUcHu_XW1QvHcDIX-LPZnKS3HW-KeSagAi68
   [89.103.184.5]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta
   charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
   GET /.well-known/"

I tried turning off the firewall but it didn't help.

{
  "settings": {
    "cert": "mesh.domain.cz",
    "WANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_port": 443,
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },
  "domains": {
    "": {
      "title": " domain",
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true
    }
  },
  "letsencrypt": {
    "email": "xxxxx@domain.cz",
    "names": "mesh.domain.cz",
    "production": false
  }
}

I tried your idea; the folder letsencrypt-certs was created but I don't see a certificate. I started the server with this: C:\meshcentral\node_modules>node meshcentral --cert mesh.domain.cz

Thanks for responding.

Ylianst commented 3 years ago

Hi. I did a few fixes to your post, hope it's ok.

Since you added this entry in the config.json:

"cert": "mesh.domain.cz",

You do not need to run MeshCentral with "--cert" anymore. So, you just need to run it normally. Also, you should always run MeshCentral from the C:\MeshCentral folder like this:

C:\meshcentral>node node_modules\meshcentral

Your configuration file and other data will be in "C:\meshcentral\meshcentral-data".

If you run CertBot and get an error, make sure that HTTP port 80 is accessible from outside without any filters. Let's Encrypt servers will try to connect to your URL like this:

http://mesh.domain.cz/.well-known/acme-challenge/pi-ZF3UpUcHu_XW1QvHcDIX-LPZnKS3HW-KeSagAi68

Note that this is HTTP on port 80. If the Let's Encrypt server can't access and load this file on your server, there is something not working right and the request will be rejected. It could be some firewall or service blocking the request.

Once you get CertBot working, you can go back to running MeshCentral. In the "My Server" / "Console" tab, you can try "le", "lecheck" and "leevents" to see the state of Let's Encrypt in the server.


Of course, if something is blocking Let's Encrypt from making requests on port 80 of your server, this is not something I can help with.
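The two failure modes discussed above (a config.json that does not match what the server needs, and a challenge URL that answers with something other than the ACME key authorization) can be checked mechanically. The script below is an added example, not MeshCentral's own code or Ylian's: it lints the Let's Encrypt section of a config.json using the sample config from this issue (secrets replaced), and classifies the reply a Let's Encrypt validator would get at `/.well-known/acme-challenge/<token>`, using the Express "Cannot GET" page that Certbot reported. The token and key-authorization strings are constructed placeholders, and `fetch_challenge()` is a helper that touches the network only when you call it.

```python
"""Added example (not MeshCentral's own code): two defender-side checks for the
Let's Encrypt setup discussed in this thread.

1. lint_letsencrypt_config() reads a MeshCentral config.json and reports the
   mistakes that make HTTP-01 issuance fail or get the ACME account rate-limited.
2. classify_challenge_response() says what an ACME validator would conclude from
   the reply it got at /.well-known/acme-challenge/<token>.
"""
import json
import urllib.error
import urllib.request

# Constructed from the config posted in the issue (secrets replaced).
SAMPLE_CONFIG = r'''{
  "settings": { "cert": "mesh.domain.cz", "WANonly": true,
                "_sessionKey": "REPLACE_ME", "_port": 443, "_aliasPort": 443,
                "_redirPort": 80, "_redirAliasPort": 80 },
  "domains": { "": { "title": " domain", "_minify": true } },
  "letsencrypt": { "email": "admin@domain.cz", "names": "mesh.domain.cz",
                   "production": false }
}'''

# The Express default 404 page that Certbot reported seeing at the challenge URL.
OBSERVED_BODY = ('<!DOCTYPE html>\n<html lang="en">\n<head>\n<meta charset="utf-8">\n'
                 '<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /.well-known/')


def lint_letsencrypt_config(config):
    """Return a list of (level, message) findings; level is error, warn or info."""
    cfg = json.loads(config) if isinstance(config, str) else config
    findings = []
    settings = cfg.get("settings", {})
    le = cfg.get("letsencrypt")
    if le is None:
        return [("error", "no 'letsencrypt' section: MeshCentral will not request a certificate")]
    # MeshCentral treats keys that start with '_' as commented out, so the default applies.
    for key in settings:
        if key.startswith("_"):
            findings.append(("info", f"settings.{key} is ignored (underscore prefix); the default applies"))
    names = le.get("names", "")
    names = [n.strip() for n in names.split(",")] if isinstance(names, str) else list(names)
    names = [n for n in names if n]
    cert = settings.get("cert")
    if not cert:
        findings.append(("error", "settings.cert is missing; it must be the server's public DNS name"))
    elif cert not in names:
        findings.append(("error", f"settings.cert {cert!r} is not in letsencrypt.names {names}"))
    if not le.get("email"):
        findings.append(("error", "letsencrypt.email is missing; the ACME account needs a contact address"))
    if le.get("production") is True:
        findings.append(("error", "letsencrypt.production is true; keep it false until a staging "
                                  "certificate has been issued, or the account will hit rate limits"))
    # HTTP-01 validation always arrives on TCP port 80 from the Internet.
    redir = settings.get("redirAliasPort", settings.get("redirPort", 80))
    if redir != 80:
        findings.append(("warn", f"the HTTP redirect port is {redir}; port 80 must be forwarded "
                                 "to it or HTTP-01 validation cannot reach the challenge path"))
    return findings


def classify_challenge_response(status, body, key_authorization):
    """Classify what the validator saw; status may be None when only the body is known."""
    if status == 200 and body.strip() == key_authorization:
        return "ok"            # the key authorization (token.thumbprint, RFC 8555 s8.3) was served
    if "Cannot GET /.well-known" in body:
        return "express-404"   # an Express app answered, but nothing handles the ACME path
    if status in (301, 302, 307, 308):
        return "redirect"      # validators follow redirects; check where this one lands
    if status == 200:
        return "wrong-body"    # some other content is served under that path
    return f"http-{status}"


def fetch_challenge(hostname, token, timeout=10):
    """Fetch the challenge URL over plain HTTP as a validator would; returns (status, body)."""
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:
        return None, str(e.reason)


if __name__ == "__main__":
    for level, msg in lint_letsencrypt_config(SAMPLE_CONFIG):
        print(f"[{level}] {msg}")
    print("Certbot's observed reply classified as:",
          classify_challenge_response(404, OBSERVED_BODY, "TOKEN.THUMBPRINT"))
```

Run against the config from this issue the linter reports no errors, only the underscore-prefixed settings that MeshCentral ignores; the Certbot reply classifies as `express-404`, i.e. the request did reach a Node/Express listener on port 80 but nothing was serving the ACME path. Note that `urllib` follows redirects itself, so `fetch_challenge()` reports the final hop; the `redirect` class is for replies captured some other way.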

miroslavjaros commented 3 years ago

I have port forwarding for 80 and 443 with the same rules via the MikroTik firewall.

Server started:

C:\meshcentral>node node_modules\meshcentral
MeshCentral HTTP redirection server running on port 80.
MeshCentral v0.8.16, WAN mode.
MeshCentral Intel(R) AMT server running on mesh.ithope.cz:4433.
MeshCentral HTTPS server running on mesh.ithope.cz:443.

From the console:

le
{ "configOk": true, "leDomains": [ "mesh.ithope.cz" ], "challenges": {}, "production": true, "webServer": true, "certPath": "C:\meshcentral\meshcentral-data\letsencrypt-certs", "cert": "None" }

I see port 80 working but Let's Encrypt is not working. I can try installing Ubuntu tomorrow. I tested the port: "Success: I can see your service on 89.103.184.5 on port (80). Your ISP is not blocking port 80." So the problem is with the config or something... Let's Encrypt servers will try to connect to your URL like this:

http://mesh.domain.cz/.well-known/acme-challenge/pi-ZF3UpUcHu_XW1QvHcDIX-LPZnKS3HW-KeSagAi68

Thanks for any ideas.

Ylianst commented 3 years ago

Make sure you always keep "production" set to false until you get a staging certificate. If you set production to true and make too many requests, you will get banned from Let's Encrypt and will no longer be able to get a certificate for a while. The best recommendation is to get CertBot working first. Once that works, you can put the CertBot certificate in MeshCentral manually by replacing these two files in "meshcentral-data":

webserver-cert-public.crt
webserver-cert-private.key

They are both in PEM format; you can edit them with Notepad. I will close this issue since this is not a MeshCentral issue, but do open a new issue if you have anything else related to MeshCentral.
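Before overwriting webserver-cert-public.crt and webserver-cert-private.key with files from another tool, it is worth confirming that the PEM pair actually belongs together, covers the server's DNS name and is not about to expire; a mismatched pair leaves the HTTPS listener unable to start. The script below is an added example, not MeshCentral's own code or Ylian's. It assumes the openssl CLI (1.1.1 or newer, for `-addext`) and uses a constructed self-signed pair for the hostname mesh.example.test as its demo; a real run would point `check_pair` at Certbot's fullchain.pem and privkey.pem.

```shell
#!/bin/sh
# Added example, not MeshCentral's own code: pre-flight checks on a PEM
# certificate/key pair before it is copied into meshcentral-data as
# webserver-cert-public.crt / webserver-cert-private.key.
# Requires the openssl CLI. The hostname mesh.example.test is a constructed placeholder.
set -e

# 0 if the certificate ($1) and the private key ($2) carry the same public key.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate ($1) lists DNS:$2 in its subjectAltName extension.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text | grep -qwF "DNS:$2"
}

# 0 if the certificate ($1) is still valid $2 seconds from now.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Combined check: cert $1, key $2, expected hostname $3. Prints the first problem found.
check_pair() {
  cert_key_match "$1" "$2" || { echo "key does not match certificate"; return 1; }
  cert_covers_name "$1" "$3" || { echo "certificate does not cover $3"; return 1; }
  cert_not_expiring "$1" 604800 || { echo "certificate expires within 7 days"; return 1; }
  echo "ok: $1 and $2 are a valid pair for $3"
}

# Demo on a constructed self-signed pair, in a throwaway directory.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mesh.example.test" \
  -addext "subjectAltName=DNS:mesh.example.test" \
  -keyout "$demo_dir/privkey.pem" -out "$demo_dir/fullchain.pem" 2>/dev/null
check_pair "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem" mesh.example.test
rm -rf "$demo_dir"
```

The public-key comparison hashes the SubjectPublicKeyInfo extracted from each file, so it works for RSA and EC keys alike without having to compare moduli by hand. Certbot writes the leaf plus intermediates to fullchain.pem; that is the file to use as webserver-cert-public.crt, since `openssl x509` reads the first certificate in it.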

miroslavjaros commented 3 years ago


Hello Ylian, I tested my IP address with an Ubuntu 18.04 server running MeshCentral and could not get Let's Encrypt to work, but when I installed nginx, with MeshCentral off, and then installed Certbot, it took a few seconds and the certificate was OK. So the problem is not in the configuration of my network. The problem is with my configuration. Can you provide a minimal configuration for MeshCentral and nginx working step by step for Ubuntu? Or do you have any virtual image set up for this? I would like to test it but I am stuck with this. I think I am missing something important. I am configuring nginx for the first time, so for me it is very complicated.

Miroslav

darryl-h commented 3 years ago

Hello @miroslavjaros, I'm not sure if you have reviewed the documentation (I have not used Let's Encrypt for this, so I can't really be helpful here); however, the installation and configuration of MeshCentral on Ubuntu 18 and the configuration for NGINX and Let's Encrypt can be found in the following locations:

Hopefully these get you pointed in the right direction, and if not, you may want to post the relevant configurations, and hopefully someone will be able to assist! (You may also want to consider filing a new report, as this report is closed, and this one was started for Windows, and it appears that you have migrated the server to Ubuntu now?)

Cheers!

miroslavjaros commented 3 years ago


Thanks Darryl, it's solved.