Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0
4.34k stars 580 forks

Agent bad web cert hash using Nginx and CloudFlare with origin cert from CloudFlare #3059

Closed UFOTyler closed 3 years ago

UFOTyler commented 3 years ago

Hello,

I am getting an "Agent bad web cert hash" while using Cloudflare as proxy forwarding to nginx on the local machine with a Cloudflare origin certificate. I can connect to the web UI with a good cert but the agents will not. The "certurl" is pointed to the FQDN so it should see the same cert as the agents. This is on a cloud VPS with Vultr, both nginx and mesh running on Ubuntu 20.04. If I use `"IgnoreAgentHashCheck": true` the agents connect perfectly and I can use all remote features. Here is my config.json:

[image: config json]

Here is my nginx.conf

[image: nginx conf]

Certhashes on server

[image: certhashes]

If I can't get this running this way I can take nginx out of the mix and pull a Let's Encrypt cert with MeshCentral and try that behind Cloudflare. I like nginx for the TLS offload and maybe some security aspects. I figured I would come here before I change direction though. Any help is appreciated.

Ylianst commented 3 years ago

I have been looking at this for a while and I don't see any flaws in your configuration. It looks perfect to me.

When you run MeshCentral manually like this:

node node_modules/meshcentral

It should show you the hash of the cert it loaded from mesh.mydomain.net. Then, when agents connect, it should show you what hash the agent got and what hash the server expected.

One trick you can do is save the public portion of the CloudFlare certificate as a .pem file (it should have -----BEGIN CERTIFICATE----- within the file) and save that on your server. Then change:

"certurl": "https://mesh.mydomain.net"

to

"certurl": "file://C:\\temp\\cert.pem"

When you start MeshCentral, it should load the cert from the file and that should generate the same hash the agents are seeing.

I have not tried CloudFlare a lot, I can't imagine they use many different certificates with your DNS name? In that case, some agents would connect.

UFOTyler commented 3 years ago

Thanks for looking into this Ylian, I will try the above steps tonight. I hate to bring this issue up as I have seen other people having similar issues. Difference being they were pulling let's encrypt certs behind cloudflare proxy. I figured if anything pulling cloudflare certs would be easier. I'll update tonight or tomorrow with results.

UFOTyler commented 3 years ago

I ran the server manually with "node node_modules/meshcentral" and here is the output (I changed necessary IP addresses to "x" and also the FQDN):

[image: manual_mesh_run]

Oddly enough the agents are pretty much seeing the same hash, but it isn't what the mesh server is seeing. I wonder if this is due to the fact that my server is hosted in another state? Maybe the server challenge is a different cert than the agents are seeing.

Also I don't believe the .pem cert would work either as it would be the origin cert between CloudFlare and nginx, not the cert agents would see from cloudflare proxy.

Might just have to use Cloudflare DNS only instead of proxy, and use letsencrypt for the cert on nginx? I don't know if anyone on here is currently running Meshcentral on a cloud VPS using CloudFlare proxy service?

UFOTyler commented 3 years ago

UPDATE:

I just disabled nginx and used MeshCentral self-signed certs and it still doesn't work with Cloudflare proxy even with "trustedproxy": "CloudFlare". Still bad cert hash, the agents are seeing a different cert than what the server is. So not an nginx issue, maybe not necessarily an issue at all; might just be a limitation of the geographical edge certificates from Cloudflare vs the cert on the server. I would bet if I purchased a dedicated cert on Cloudflare it would solve the problem.

So, for now I'm running just MeshCentral on port 443, Cloudflare just doing DNS duties, and I'll set up Let's Encrypt certs on MeshCentral. Unless this is less secure than nginx and Cloudflare proxy it may just stay this way. Ylian, if you agree with this we can close the issue, but if you think there is a way around this I am willing to troubleshoot more. Thanks.