silversword411
commented
1 year ago You probably don't have it configured correctly https://www.youtube.com/watch?v=YSmiLyKSX2I
Open KyleMaas opened 1 year ago
silversword411
commented
1 year ago You probably don't have it configured correctly https://www.youtube.com/watch?v=YSmiLyKSX2I
Ylianst
commented
1 year ago So, obviously the URL you provide to "CertURL" must be valid and working from MeshCentral's location in your network. You can try "wget" or "curl" to check that the URL works. If it does work and it's a MeshCentral specific issue, let us know, but i suspect that curl or wget would also fail.
One alternative you have is to save your cer to a file and put:
"certurl": "file://\tmp\cert.cer"
"certurl": "file://C:\cert\cert.cer"This way, MeshCentral will load your cert from a file. You must provide a full path after the file://. The problem with this is that each time you rotate your reverse proxy cert, it will cause MeshCentral to stop working until you file the file and restart MeshCentral... so it's best to provide a HTTPS URL if possible.
Hope that helps.
KyleMaas
commented
1 year ago @Ylianst
I am able to access it using both curl and wget on the command line of the machine running MeshCentral. I can even
su -s /bin/bash meshcentral...just to make sure it's the same for the meshcentral user, and then run both curl and wget and both of them work and are able to retrieve the login page just fine.
Using a file would only be a temporary workaround because the frontend reverse proxies' certificates are managed separately and this system wouldn't have access to them, so I'd have to just periodically pull them some other way. Having it access the certificate and use that instead would make that process maintenance-free.
KyleMaas
commented
1 year ago AFAICT, this line here is the culprit:
And I don't see anywhere in the documentation for the tls module where the connect() method accepts a proxy. So that might have to be retrieved another way.
si458
commented
1 year ago just curious, have u tried updating ur node to the latest LTS version (18) ?
also try running it in debug mode for cert like node node_modules/meshcentral --debug cert and see what output you get
also what is the proxy you are using for outbound filtering?
also agentNoProxy should be a boolean value When enabled, all newly installed MeshAgents will be instructed to no use a HTTP/HTTPS proxy even if one is configured on the remote system defaults to false
KyleMaas
commented
12 months ago To be honest, I couldn't afford to spend any more time trying things. So I built a script that just pulls the certificate through the proxy and installs it into MeshCentral. The problem's still there, but I had to get this thing into production.
@si458 Haven't tried the latest LTS version, nor did I try running in debug mode. The outbound proxy is Squid. But there's no point in my trying that because I can see in the code that it's not feeding the proxy to the tls module anywhere, nor does the tls module support it, so as far as I can tell the only way to fix this would be to switch to a different library that is capable of using a forward proxy.
Describe the bug My MeshCentral server is behind both a forward (for outbound requests) and reverse (for inbound requests) proxy. However, when I try to run the server and add an agent, I get the following error:
This seems to be because this is not going through the forward proxy so it's not able to retrieve the certificate from the reverse proxy servers.
To Reproduce Steps to reproduce the behavior:
Expected behavior I would expect that it would go through the forward proxy to retrieve the certificate it's supposed to be using
Screenshots Not applicable
Server Software (please complete the following information):
Client Device (please complete the following information):
Remote Device (please complete the following information):
Additional context Add any other context about the problem here.
Your config.json file