Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Let's Encrypt not working since port 80 is busy #2887

Closed Philippe687 closed 2 years ago

Philippe687 commented 2 years ago

Hi All, I'm trying to use a Let's Encrypt certificate. I have an issue with my redirection port 80. I've set "redirPort": 80, in my config.json, but when I launch the --debug command I see "MeshCentral HTTP redirection server running on port 81.".

root@meshcentral1:~# sudo node node_modules/meshcentral/ --debug
DB: Connected to MongoDB database...
MAIN: Core module windows-amt is 361391 bytes.
MAIN: Core module linux-amt is 329918 bytes.
MAIN: Core module linux-noamt is 287627 bytes.
MAIN: Core module windows-recovery is 95430 bytes.
MAIN: Core module linux-recovery is 71814 bytes.
MAIN: Core module windows-agentrecovery is 29981 bytes.
MAIN: Core module linux-agentrecovery is 6365 bytes.
MAIN: Core module windows-tiny is 6305 bytes.
MAIN: Core module linux-tiny is 6305 bytes.
MeshCentral HTTP redirection server running on port 81.
CERT: LE: Getting certs from local store (Staging)
WARNING: Redirection web server must be active on port 80 for Let's Encrypt to work.
CERT: LE: WARNING: Redirection web server must be active on port 80 for Let's Encrypt to work.
CERT: loadCertificate() - Loading certificate from control.clicandpublish.com:443, Hostname: control.clicandpublish.com...
MeshCentral v0.7.99, WAN mode.
CERT: loadCertificate() - TLS connected, got certificate.
Loaded web certificate from "https://control.clicandpublish.com:443/", host: "control.clicandpublish.com"
  SHA384 cert hash: b346851bb0bc89fbc955ba2cde46355aacb5859011d65acbcecc45c9dd54e5021e624a141d57267f42557b58d6702de6
  SHA384 key hash: c31d5c5fb535df508a0cd109c1657cb7ab3f667ae3345c76bd534ae3f058f6820675be7cae85065c8e6dc348f1e9dd92
DISPATCH: AddEventDispatch [ '*' ]
DISPATCH: DispatchEvent [ '*' ]
MAIN: Server started
MAIN: Started watchdog timer.
ERR: ERROR: MeshCentral Intel(R) AMT server port 4433 is not available.
MeshCentral HTTPS server running on control.clicandpublish.com:444.

Do you know if I'm on the right track?

Let's Debug says all OK...

Best regards,

Ylianst commented 2 years ago

By default, MeshCentral will use the next available port if a port is busy. So, because port 80 is busy, it's using 81. The Let's Encrypt service requires that the ownership test be conducted on port 80 and this can't be changed. There is likely a service using your port 80 and so this is causing the problem.

If you are using a reverse proxy and it is redirecting the external port 80 to port 81 on MeshCentral, then you can add the following line in the settings section of the config.json:

"redirAliasPort": 80

That will tell MeshCentral that even if it's listening on port 81, to pretend that it's actually on port 80 since the reverse proxy is doing the redirection. Of course, this will not fix Let's Encrypt unless port 80 is truly redirected to port 81.

One more thing. Since it looks like you are using a reverse proxy, you may want to have the reverse proxy get the Let's Encrypt cert and not have MeshCentral do that work. From your output above, you're having MeshCentral load the cert from the reverse proxy. In this case, you should have the reverse proxy get the Let's Encrypt cert and have MeshCentral not do any TLS at all.

Hope that makes sense.
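A pre-flight check for the port conflict described above, added here as an example and not code from the MeshCentral project: it finds out which process holds TCP port 80 so the redirection server does not silently fall back to port 81 and break the Let's Encrypt ownership test. It assumes a Linux host with `ss` available; the `ss -ltnp` output below is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of MeshCentral. Reports what is listening on TCP port 80
# before MeshCentral is started with a "letsencrypt" section in config.json.

# Constructed sample of `ss -ltnp` output (a stray node process holds port 80).
# On a real host the functions run `ss -ltnp` themselves when no sample is passed.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("node",pid=1234,fd=23))
LISTEN 0      511    0.0.0.0:444       0.0.0.0:*     users:(("node",pid=1234,fd=25))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))'

# port_holder PORT [SS_OUTPUT]: prints "<name> <pid>" of the listener on PORT
# (IPv4 or IPv6 wildcard), prints nothing and returns 1 when the port is free.
port_holder() {
    port="$1"
    out="${2:-$(ss -ltnp 2>/dev/null)}"
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            # Process column looks like users:(("node",pid=1234,fd=23))
            if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 2, RLENGTH - 2)   # node",pid=1234
                sub(/",pid=/, " ", s)                      # node 1234
                print s
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# le_port80_ready [SS_OUTPUT]: succeeds when port 80 is free for MeshCentral's
# redirection server; otherwise names the holder and fails.
le_port80_ready() {
    holder="$(port_holder 80 "${1:-}")"
    if [ -n "$holder" ]; then
        echo "port 80 is held by: $holder"
        echo "MeshCentral will fall back to port 81 and Let's Encrypt validation will fail"
        return 1
    fi
    echo "port 80 is free: MeshCentral's redirection server can bind it for Let's Encrypt"
    return 0
}

# Usage on a live host: le_port80_ready ; with the sample: le_port80_ready "$SAMPLE_SS"
```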

Philippe687 commented 2 years ago

Hello Ylian, NODE is using PORT:80

Not sure I understand everything in your previous message... Sorry (I'm a Linux newbie); I think I need to read it again and again and investigate to find out how to release port 80.

Philippe687 commented 2 years ago

Hi Ylian, Port 80 is now free. My colleague tried to install a reverse proxy to work with Let's Encrypt because she didn't have success with MeshCentral. My opinion is that it looks easier to let MeshCentral get the Let's Encrypt cert :). All the lights are green now:

root@meshcentral1:~# node node_modules/meshcentral/ --debug
DB: Connected to MongoDB database...
MAIN: Core module windows-amt is 361391 bytes.
MAIN: Core module linux-amt is 329918 bytes.
MAIN: Core module linux-noamt is 287627 bytes.
MAIN: Core module windows-recovery is 95430 bytes.
MAIN: Core module linux-recovery is 71814 bytes.
MAIN: Core module windows-agentrecovery is 29981 bytes.
MAIN: Core module linux-agentrecovery is 6365 bytes.
MAIN: Core module windows-tiny is 6305 bytes.
MAIN: Core module linux-tiny is 6305 bytes.
MeshCentral HTTP redirection server running on port 81.
CERT: LE: Getting certs from local store (Staging)
CERT: LE: Reading certificate files
CERT: LE: Setting LE cert for default domain.
CERT: loadCertificate() - Loading certificate from control.clicandpublish.com:443, Hostname: control.clicandpublish.com...
MeshCentral v0.7.99, WAN mode.
CERT: loadCertificate() - TLS connected, got certificate.
Loaded web certificate from "https://control.clicandpublish.com:443/", host: "control.clicandpublish.com"
  SHA384 cert hash: b346851bb0bc89fbc955ba2cde46355aacb5859011d65acbcecc45c9dd54e5021e624a141d57267f42557b58d6702de6
  SHA384 key hash: c31d5c5fb535df508a0cd109c1657cb7ab3f667ae3345c76bd534ae3f058f6820675be7cae85065c8e6dc348f1e9dd92
DISPATCH: AddEventDispatch [ '*' ]
DISPATCH: DispatchEvent [ '*' ]
MAIN: Server started
MAIN: Started watchdog timer.
ERR: ERROR: MeshCentral Intel(R) AMT server port 4433 is not available.
MeshCentral HTTPS server running on control.clicandpublish.com:444.
CERT: LE: Certificate has 87 day(s) left.

I will continue to work on it.

Anyway thank you for your help.

Ylianst commented 2 years ago

Looks like you did get a Let's Encrypt certificate, but are still configured to load the certificate from the reverse proxy that is in front of MeshCentral. That does not make sense. Either MeshCentral does the TLS and has the trusted certificate, or your reverse proxy will do TLS and have the trusted cert. You can't have both.

Philippe687 commented 2 years ago

Hi Ylian, I didn't set up any reverse proxy... And I don't know where I should look to cancel this setting; so I will reinstall my server tomorrow from scratch; anyway, I have to practice. Last question: I saw posts from you in the past in French! So you speak French?

Maybe we can exchange by email in French if you agree. preaud@visualcom.nc

Congratulations again on your work!

Best Regards,

Ylianst commented 2 years ago

Thanks. Ah yes, I speak French... but the old French of Quebec.

Philippe687 commented 2 years ago

That's perhaps the most "original" one :). Long live Quebec! As for me, I'm in the South Pacific... New Caledonia (between Australia and NZ).

Sorry to bother you again with my certificate, but before reinstalling everything I kept at it and ended up generating a Let's Encrypt certificate in the directory /etc/letsencrypt/live/control.clicandpublish.com/. I came across a post where a user had linked the certificate files and renamed the links so that MeshCentral would use them. So I created the links in the directory /root/meshcentral-data/letsencrypt-certs/ and deleted the files named "Staging", but on restarting the server it recreated them... and keeps using them.

Is there a way to tell MeshCentral to use the Let's Encrypt certificates I generated myself?

I don't think I'm very far from the solution... and thanks again for your help :)

Philippe687 commented 2 years ago

Hello Ylian, it's good!!! I just added the _ in front of "letsencrypt" and it worked!!! Excellent!!!

All the best and congratulations again on the work!