Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Unable to login anymore #439

Closed marco-vogt closed 4 years ago

marco-vogt commented 5 years ago

Hey,

I know @Ylianst is on holiday right now but maybe anybody else can help me. Today I took my meshcentral server on Ubuntu and put it behind nginx. Everything worked out fine but I can't seem to login anymore. I put in my credentials on the login page, click login and I just get redirected to the login page again.

What I have already tried:

None of the above seems to have any effect. Any ideas? Also, if I create a new account on the login page and restart the server, the server shows "Server has no users, next new account will be site administrator." while starting.

jsastriawan commented 5 years ago

There is a change in the way MeshCentral manages MongoDB. Here is the way to make it work by converting the old MongoDB schema into the new schema.

  1. Modify mongodb uri by adding 'x' in front of it. It will use older mongodb modules.
  2. Export your existing db into json using --dbexport flag
  3. Change back to use new mongodb modules by removing prepended 'x'
  4. Run meshcentral --dbimport with the backup db json as its parameter
  5. Try running meshcentral normally

It works for me.

Ylianst commented 5 years ago

Wow @jsastriawan, that is exactly the solution I would have posted. Thank you.

I will add then if changing "mongodb" to "xmongodb" in the config.json works, you should probably keep this. I suspect the "x" is needed when running an older version of MongoDB. You may have to keep the "x" until updating to MongoDB 4.0 or better.

If "xmongodb" does not work, please look in "meshcentral-data" for a "mesherrors.txt" file. If there are any errors, please send them here.

marco-vogt commented 5 years ago

> There is a change in the way MeshCentral manages MongoDB. Here is the way to make it work by converting the old MongoDB schema into the new schema.
>
> 1. Modify mongodb uri by adding 'x' in front of it. It will use older mongodb modules.
> 2. Export your existing db into json using --dbexport flag
> 3. Change back to use new mongodb modules by removing prepended 'x'
> 4. Run meshcentral --dbimport with the backup db json as its parameter
> 5. Try running meshcentral normally
>
> It works for me.

Thanks for your help but it doesn't work. I tried it with and without step 3, no difference. Anyway, I think my problem is not related to MongoDB, as I have the same issue with the other DB engine?

> Wow @jsastriawan, that is exactly the solution I would have posted. Thank you.
>
> I will add then if changing "mongodb" to "xmongodb" in the config.json works, you should probably keep this. I suspect the "x" is needed when running an older version of MongoDB. You may have to keep the "x" until updating to MongoDB 4.0 or better.
>
> If "xmongodb" does not work, please look in "meshcentral-data" for a "mesherrors.txt" file. If there are any errors, please send them here.

mesherrors.txt is empty except for: (node:24593) DeprecationWarning: current Server Discovery and Monitoring engine is deprecated, and will be removed in a future version. To use the new Server Discover and Monitoring engine, pass option { useUnifiedTopology:true } to MongoClient.connect. I think I will do a complete reinstall today and see if it helps.

Also, "Server has no users, next new account will be site administrator." is not shown anymore and I can see that several rows do get exported when using --dbexport. So it seems that users are generated and saved in the db correctly but I still can't get past the login page.

marco-vogt commented 5 years ago

Small update: I created a user called "admin". I can't log in directly with that but when I start the server with meshcentral --user admin, I get automatically logged in as that user when I go on the page.

I think this tells me that the database setup is correct? What other error could there be then?

ghost commented 5 years ago

@Ylianst @marco-vogt This issue is unrelated to your database of choice. MeshCentral doesn't work behind a reverse proxy out of the box; you need to add a few options to your config.json file first. You can find instructions for how to set up MeshCentral behind Nginx on pages 30-33 of the official user guide: http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide-0.2.4.pdf

marco-vogt commented 5 years ago

I followed the guide and installed MeshCentral behind a reverse proxy a couple of times already.

Another useful piece of information might be: when I generate a --logintokenkey and use that for embedding, everything works fine. Meaning, a login key generated from --logintokenkey does the job of logging me in.

So basically everything is working as it should, but I just can't get past the login page manually.

ghost commented 5 years ago

@marco-vogt Can you paste your config.json file and your Nginx config file here?

Ylianst commented 5 years ago

FYI. I just fixed a similar problem with #446. If your server "upgraded" to version 0.0.6 (which is a super old version) then you will need to update it again and the server will start working. Look in /node_modules/meshcentral/package.json for the current version number. If it's 0.0.6, do a manual update:

mv node_modules node_modules_bad
npm install meshcentral

marco-vogt commented 5 years ago

> FYI. I just fixed a similar problem with #446. If your server "upgraded" to version 0.0.6 (which is a super old version) then you will need to update it again and the server will start working. Look in /node_modules/meshcentral/package.json for the current version number. If it's 0.0.6, do a manual update:
>
> mv node_modules node_modules_bad
> npm install meshcentral

Thanks for your information but my version was up to date.

> @marco-vogt Can you paste your config.json file and your Nginx config file here?

Here is my nginx conf and config.json. Like I said, login with a login token works, normal login doesn't.

Ylianst commented 5 years ago

Just published MeshCentral v0.4.0-g with a lot of new tracing that may help with this problem. You can run:

node node_modules/meshcentral --debug web,request

It will give you all the HTTP requests made to the server and any problems. If you can do this and try to login and capture the log, that would be great. I am going to look at your config.json/nginx.conf now.

[screenshot: MC2-Trace2]

Ylianst commented 5 years ago

After removing all the comment lines, the config.json look like this to me. Doing some testing now.

{
  "settings": {
    "Cert": "_mydomain_",
    "MongoDb": "mongodb://127.0.0.1:27017",
    "MongoDbName": "meshcentral",
    "WANonly": true,
    "Port": 4430,
    "RedirPort": 800,
    "AliasPort": 443,
    "AllowLoginToken": true,
    "AllowFraming": true,
    "WebRTC": true,
    "AgentPong": 300,
    "TlsOffload": "127.0.0.1"
  },
  "domains": {
    "": {
      "Title": "MyServer",
      "Title2": "Servername",
      "Footer": "<a href='https://twitter.com/mytwitter'>Twitter</a>",
      "CertUrl": "https://_mydomain_:443/"
    }
  }
}

Ylianst commented 5 years ago

I just configured my dev server with the smaller config.json above, replacing "mydomain" with my local domain name (devbox.mesh.meshcentral.com). I then used your nginx.conf with the only change to configure my TLS certificate and also replaced the domain name at the right spots. I am now running the server and it works perfectly for me. I am running "MeshCentral v0.4.0-g". It loaded the certificate from NGINX correctly.

[screenshot: x]

If I run the server with "--debug web" and login using the Google Authenticator app, I get this:

[screenshot: x2]

Another test. This time with "--debug web,webrequest" and I used a FIDO2 USB key to authenticate.

[screenshot: x3]

So, I am still at a loss as to what the problem is. If you do the same test, maybe the difference will be obvious.

Ylianst commented 5 years ago

Well, I was just trying to use Apache as a reverse proxy and got the same problem described above. The login page keeps showing up with 2FA enabled. It seems to be caused by the reverse-proxy removing the "SetCookie" directives in the header when the server returns a 302 redirection. Now that I got it happening, I should be able to find a fix for it.

marco-vogt commented 5 years ago

Hi Ylian. Sorry for not coming back to you earlier but I was busy over the weekend. Do you want me to do the same steps you did in your earlier post and check the outcome? I guess this isn't needed anymore, right?

Ylianst commented 5 years ago

Just published MeshCentral v0.4.0-i with fixes for reverse proxies. The main problem seems to be that the session cookie was not being sent when TLSOffload was used; this is now fixed. I also made it so MeshCentral is quite usable even if cookies are discarded or disabled. I am pretty sure this will fix this issue, testing appreciated.
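The two comments above describe the failure mode (a 302 redirect whose session cookie never reaches the browser when TLS is terminated at the proxy) without showing why a server would drop the cookie. The model below is an added example, not MeshCentral's code: a login handler that only sets a Secure session cookie when it believes the client connection is TLS, and that only believes X-Forwarded-Proto when the request comes from a configured offloader (the `tlsOffloadAddr` option here stands in for the "TlsOffload" setting in the config.json above; function names, the cookie name `xid` and its attributes are assumptions).

```javascript
// Added example, not MeshCentral's own code. Models the reverse-proxy login
// loop from this thread: the server answers a successful login with a 302 plus
// a Secure session cookie, but only when it believes the connection is TLS.
// Behind a TLS-offloading proxy it sees plain HTTP, so unless it trusts the
// proxy's X-Forwarded-Proto header the cookie is never sent and the browser is
// bounced back to the login page. All names below are assumptions.

// Node reports IPv4 peers on a dual-stack socket as "::ffff:a.b.c.d".
function normalizeAddr(addr) {
  return typeof addr === 'string' && addr.startsWith('::ffff:') ? addr.slice(7) : addr;
}

// Is this request TLS-protected from the client's point of view?
// opts.tlsOffloadAddr: address of the proxy whose forwarded header we trust.
function isRequestSecure(req, opts) {
  if (req.socket && req.socket.encrypted) return true; // TLS terminated here
  const peer = normalizeAddr(req.socket && req.socket.remoteAddress);
  // Only honour X-Forwarded-Proto from the configured offloader; otherwise any
  // client on plain HTTP could claim "https" and obtain a Secure cookie.
  if (!opts.tlsOffloadAddr || peer !== opts.tlsOffloadAddr) return false;
  const proto = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// The 302 that ends a successful login, returned as plain data so it can be
// inspected without a browser; a real handler would write it to `res`.
function buildLoginRedirect(req, sessionId, opts) {
  const headers = { Location: '/' };
  if (isRequestSecure(req, opts)) {
    headers['Set-Cookie'] =
      `xid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
  }
  // No Set-Cookie here means the next request to "/" has no session and the
  // server redirects to the login page again: the loop reported in the issue.
  return { status: 302, headers };
}

// Constructed request: what the server sees when nginx forwards the login
// POST over 127.0.0.1 after terminating TLS for the client.
function forwardedLogin(peer = '127.0.0.1', proto = 'https') {
  return {
    headers: { 'x-forwarded-proto': proto },
    socket: { encrypted: false, remoteAddress: peer },
  };
}

// Same login under three configurations. Returns scenario -> whether a
// session cookie would reach the browser.
function demo() {
  const req = forwardedLogin();
  const trusted = { tlsOffloadAddr: '127.0.0.1' };
  return {
    offloadNotConfigured: 'Set-Cookie' in buildLoginRedirect(req, 'abc', {}).headers,
    offloadConfigured: 'Set-Cookie' in buildLoginRedirect(req, 'abc', trusted).headers,
    // A client elsewhere (203.0.113.5 is a documentation address) sending the
    // same header over plain HTTP must not get a Secure cookie.
    spoofedFromElsewhere:
      'Set-Cookie' in buildLoginRedirect(forwardedLogin('203.0.113.5'), 'abc', trusted).headers,
  };
}

console.log(demo());
```

The first scenario is the symptom in this thread (no cookie, so every login lands back on the form); the second is the fixed state; the third shows why the forwarded header must be tied to the offloader's address rather than trusted from any peer.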

marco-vogt commented 5 years ago

Hi Ylian,

Thank you. Now when I log in I get a "404 - this page doesn't exist" error and the title bar says "Meshcentral - Terms of use".

[screenshot: Untitled]

johnczer commented 5 years ago

This is still happening with version 0.4.0-o. After I updated from 0.4.0-k I was unable to log in to meshcentral anymore. I would enter the username and password and then 2FA and the page would just redirect back to the login page. I even turned off 2FA in config. When I ran this command: node ./node_modules/meshcentral --user username I was getting an error that said "meshcentral http redirection server running on port 81" but I am not using any redirects because I am not behind a proxy. When I rolled the install back to 0.4.0-k everything is working again. Just thought I would let you know, thanks!

ghost commented 5 years ago

@Ylianst I didn't experience this issue on any previous version, but now that I upgraded to 0.4.0-o, I do. Reverting back to 0.4.0-k allows me to log in again just like @johnczer said.

Ylianst commented 5 years ago

Oh dear!!!! Looking into it. It's possible the problem was introduced because of the added cookie security. Are you using a reverse-proxy when login with 2FA fails?

Ylianst commented 4 years ago

Published MeshCentral v0.4.0-r with a bunch of security things rolled back until I do more testing. If you can confirm this one works, would be appreciated.

johnczer commented 4 years ago

Will do! Thanks for all you’re doing with this great project!

ghost commented 4 years ago

@Ylianst I can confirm that I'm able to log in again and yeah, I'm using a reverse proxy (Caddy)

johnczer commented 4 years ago

I have updated to the latest -v and can log in now and use the 2FA auth. However, when I run this command I get the SMTP error:

c:\meshcentral>node node_modules/meshcentral
MeshCentral HTTP redirection server running on port 80.
MeshCentral v0.4.0-v, Hybrid (LAN + WAN) mode.
MeshCentral Intel(R) AMT server running on support.rsa-systems.org:4433.
Server _customer1 has no users, next new account will be site administrator.
Server info has no users, next new account will be site administrator.
MeshCentral HTTPS server running on support.rsa-systems.org:443.
SMTP mail server mail.rsa-systems.org failed: {"code":"ESOCKET","command":"CONN" }

Ylianst commented 4 years ago

FYI. Going to work on the SMTP problem this morning, expect a fix soon.

johnczer commented 4 years ago

Thank you Ylianst!

Ylianst commented 4 years ago

Just published MeshCentral v0.4.0-w with two extra options on the "smtp" configuration in the config.json file.

  "smtp": {
    "host": "smtp.server.com",
    "port": 25,
    "from": "mymail@server.com",
    "tls": false,
    "tlscertcheck": false,
    "tlsstrict": false
  }

The two new options are "tlscertcheck" (default true) and "tlsstrict" (default false). If the SMTP server uses a self-signed or untrusted TLS certificate, set "tlscertcheck" to false to have MeshCentral connect to it anyway. Setting "tlsstrict" to true just disallows older SSLv2/SSLv3, etc.

Also note that setting "tls" to true will initiate TLS right away, but often SMTP servers start the connection without TLS and do a STARTTLS to switch to TLS. So setting "tls" to false is often correct and still secure.

I suggest trying with the following to start:

    "tls": false,
    "tlscertcheck": false,
    "tlsstrict": false

Let me know what happens.
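The explanation above covers what "tls", "tlscertcheck" and "tlsstrict" do, but a practitioner deciding on them usually wants to see the three settings turned into a concrete connection plan together with the risk each one carries. The following is an added example, not MeshCentral's code: it reads the "smtp" block as shown in the comment, decides between implicit TLS and plaintext-then-STARTTLS, and flags the combinations worth a second look. The output field names (`directTls`, `rejectUnauthorized`, `minVersion`) follow Node's `tls` module and are assumptions, as is the TLS 1.2 floor used for "tlsstrict" (the comment only says it disallows SSLv2/SSLv3 and similar).

```javascript
// Added example, not MeshCentral's own code. Maps the "smtp" options from the
// comment above to connection behaviour and warns about risky combinations.
// Output names mirror Node's tls module; they are assumptions, not
// MeshCentral's internal names.

// Defaults stated in the comment: tlscertcheck true, tlsstrict false; the
// port 25 / tls false defaults are taken from the sample fragment.
const SMTP_DEFAULTS = { port: 25, tls: false, tlscertcheck: true, tlsstrict: false };

// Turn the "smtp" block of config.json into a connection plan plus warnings.
function planSmtpConnection(smtp) {
  if (!smtp || typeof smtp.host !== 'string' || smtp.host.length === 0) {
    throw new Error('smtp.host is required');
  }
  const cfg = { ...SMTP_DEFAULTS, ...smtp };
  const warnings = [];

  const plan = {
    host: cfg.host,
    port: cfg.port,
    // tls:true  -> TLS from the first byte (implicit TLS, usually port 465)
    // tls:false -> plain connection, upgraded with STARTTLS when offered
    directTls: cfg.tls === true,
    tlsOptions: {
      // tlscertcheck:false accepts any certificate, including a forged one.
      rejectUnauthorized: cfg.tlscertcheck !== false,
      // tlsstrict:true refuses legacy protocol versions; the exact floor
      // MeshCentral enforces is not stated, TLS 1.2 is assumed here.
      minVersion: cfg.tlsstrict === true ? 'TLSv1.2' : undefined,
    },
  };

  if (!plan.tlsOptions.rejectUnauthorized) {
    warnings.push('tlscertcheck=false: the relay certificate is not verified, so the ' +
      'connection could be intercepted; install the relay\'s CA and set it back to true ' +
      'once mail flows.');
  }
  if (!plan.directTls && cfg.port === 465) {
    warnings.push('port 465 normally expects implicit TLS (tls=true); a STARTTLS ' +
      'client there usually fails to connect.');
  }
  if (plan.directTls && cfg.port === 25) {
    warnings.push('port 25 normally starts in plaintext (tls=false, then STARTTLS); ' +
      'implicit TLS there usually fails, which looks like a socket error.');
  }
  return { plan, warnings };
}

// One-line human summary followed by any warnings.
function describePlan(smtp) {
  const { plan, warnings } = planSmtpConnection(smtp);
  const mode = plan.directTls ? 'implicit TLS' : 'plaintext, STARTTLS when offered';
  const head = `${plan.host}:${plan.port} via ${mode}; ` +
    `verify certificate: ${plan.tlsOptions.rejectUnauthorized}; ` +
    `min TLS version: ${plan.tlsOptions.minVersion || 'library default'}`;
  return [head, ...warnings].join('\n');
}

// Constructed input: the starting point suggested in the comment above.
console.log(describePlan({
  host: 'smtp.server.com', port: 25, from: 'mymail@server.com',
  tls: false, tlscertcheck: false, tlsstrict: false,
}));
```

Running it with the suggested starting values prints a plaintext-then-STARTTLS plan and a single warning about the disabled certificate check; that warning is the reason to treat "tlscertcheck": false as a troubleshooting step rather than a permanent setting.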

johnczer commented 4 years ago

This works like a charm! I knew it had to do with the tlscertcheck and tried to add this to the config before your fix. But it didn't work and figured there was some other coding that had to be done and I wasn't sure where. Thanks for fixing this!

Ylianst commented 4 years ago

Oh good. Glad I am making some progress! I am going to close this issue since it's getting really long. Feel free to open a new one if needed.