Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0
3.96k stars 536 forks

Let's Encrypt not working #682

Closed pczolee closed 4 years ago

pczolee commented 4 years ago

Hello.

I always use the latest version of MeshCentral. It is running on Ubuntu 12.04 LTS. I was using the Node 8.16.1 binary without any problem. Let's Encrypt worked fine before, but now it has stopped working. In the terminal I saw:

```
WARNING: Let's Encrypt support requires Node v10.12.0 or higher.
MeshCentral HTTP redirection server running on port 80.
MeshCentral v0.4.4-w, WAN mode.
```

So I should update Node (please update the documentation regarding this!). I did, and now I have 10.17.0. When I start it, it looks OK:

```
MeshCentral HTTP redirection server running on port 80.
ACME Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory
MeshCentral v0.4.4-w, WAN mode.
```

But the certificate is still missing.

What should I do to make it work? Let me know if you need any log, or anything to find the bug.

Thanks

leleb commented 4 years ago

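For me on Ubuntu 18.04, the following commands updated Node and solved the problem:

```
# Download the NodeSource setup script for Node 10.x and save it locally
curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh
sudo bash nodesource_setup.sh
sudo apt-get install -y nodejs
# Let the node binary bind ports below 1024 (80/443) without running as root
sudo setcap cap_net_bind_service=+ep /usr/bin/node
```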

Ylianst commented 4 years ago

A few tips and tricks:

Ylianst commented 4 years ago

Just published MeshCentral v0.4.5-a with new server warnings in the "My Server" tab when something is not right, like not having the right version of NodeJS and Let's Encrypt being configured. This should help a little.

[Image: MC2-ServerWarnings]

pczolee commented 4 years ago

@leleb Thanks for the help, but as you see, the problem is not with the update.

@Ylianst Well, nothing was changed in the server part, and this was working well before. Of course it is running on port 80, as you can see in the messages.

I ran it with the parameter above, here is the result:

```
MeshCentral HTTP redirection server running on port 80.
CERT: Initializing Let's Encrypt support, using GreenLock v3.1.5
CERT: Getting certs from local store
CERT: Checking staging certificate subdomain.mydomain.com...
ACME Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory
CERT: Notify: error: {"length":0}
CERT: No staging certificate present
MeshCentral v0.4.5-a, WAN mode.
MeshCentral Intel(R) AMT server running on subdomain.mydomain.com:3389.
Server customer1 has no users, next new account will be site administrator.
Server info has no users, next new account will be site administrator.
MeshCentral HTTPS server running on subdomain.mydomain.com:443.
SMTP mail server mail.mydomain.com working as expected.
CERT: Checking certificate for subdomain.mydomain.com (Staging)
CERT: Notify: error: {"length":0}
CERT: Unable to get a certificate (Staging, 1006ms): [{"site":{"subject":"subdomain.mydomain.com","altnames":["subdomain.mydomain.com"]},"error":{"0":"e","1":"r","2":"r","3":"o","4":"r","length":5}}]
```

pczolee commented 4 years ago

With Let's Debug I got the following:

```
DNSLookupFailed Fatal
A fatal issue occurred during the DNS lookup process for subdomain.mydomain.com/AAAA. DNS response for subdomain.mydomain.com/AAAA did not have an acceptable response code: SERVFAIL

DNSLookupFailed Fatal
A fatal issue occurred during the DNS lookup process for subdomain.mydomain.com/CAA. DNS response for subdomain.mydomain.com/CAA did not have an acceptable response code: SERVFAIL
```

What's wrong?

Ylianst commented 4 years ago

Looks like the DNS resolve is failing... are you actually trying to get a certificate for "subdomain.mydomain.com"? Do you really own "subdomain.mydomain.com"? Or did you replace your DNS name with that name? In the future, use "xxxxxxxxxxxxxx" to mask any data like DNS names, just so you know you're masking it.

Obviously, you need to get a DNS name first and make it point to your server correctly. This is not something MeshCentral will do.

Ylianst commented 4 years ago

Going to close this one as I suspect there was an attempt to ask for a domain name that was not correct. Please re-open if needed.

pczolee commented 4 years ago

@Ylianst

Well, of course the domain name for the test was the real one. I just changed it to hide it. Anyway, I think the problem is with my name server provider, so now I'm fighting with them. I hope that once they solve the problem it will work as before.

Thanks for the help.
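
The Let's Debug result in this thread (SERVFAIL on the AAAA and CAA lookups) can be checked before starting the server. The following is an added example, not code from MeshCentral or from any participant in the thread: a DNS pre-flight that separates "no record published" from "resolver failure". The function names, the stub resolvers and `host.example.test` are assumptions made for the illustration; the stub for the broken zone assumes the A lookup answers.

```javascript
// Added example, not MeshCentral code. Codes are the err.code values set by Node's dns module.
const RESOLVER_FAILURES = new Set(['ESERVFAIL', 'EREFUSED', 'ETIMEOUT']);

// An empty answer (ENODATA / ENOTFOUND) only means "no such record".
// A resolver failure such as SERVFAIL is different: the CA cannot tell
// whether a CAA record forbids issuance, so validation stops.
function classify(errCode) {
  if (!errCode) return 'ok';
  if (RESOLVER_FAILURES.has(errCode)) return 'fatal';
  if (errCode === 'ENODATA' || errCode === 'ENOTFOUND') return 'absent';
  return 'fatal'; // unknown error: treat as blocking
}

// resolver: any object with resolve4/resolve6/resolveCaa returning promises,
// e.g. new (require('dns').promises.Resolver)() on a Node with resolveCaa.
async function preflight(resolver, name) {
  const lookups = {
    A: () => resolver.resolve4(name),
    AAAA: () => resolver.resolve6(name),
    CAA: () => resolver.resolveCaa(name),
  };
  const report = {};
  for (const [rrtype, run] of Object.entries(lookups)) {
    try {
      report[rrtype] = { verdict: 'ok', records: await run() };
    } catch (err) {
      report[rrtype] = { verdict: classify(err.code), code: err.code };
    }
  }
  const blocked = Object.values(report).some((r) => r.verdict === 'fatal');
  const hasAddress = report.A.verdict === 'ok' || report.AAAA.verdict === 'ok';
  return { ready: !blocked && hasAddress, report };
}

// Constructed stub resolvers (192.0.2.10 is a documentation address).
const fail = (code) => () => Promise.reject(Object.assign(new Error(code), { code }));
const brokenZone = {   // the thread's symptom: AAAA and CAA return SERVFAIL
  resolve4: async () => ['192.0.2.10'],
  resolve6: fail('ESERVFAIL'),
  resolveCaa: fail('ESERVFAIL'),
};
const healthyZone = {  // no AAAA or CAA records published, resolver healthy
  resolve4: async () => ['192.0.2.10'],
  resolve6: fail('ENODATA'),
  resolveCaa: fail('ENODATA'),
};

preflight(brokenZone, 'host.example.test').then((r) => console.log('broken:', r.ready));
preflight(healthyZone, 'host.example.test').then((r) => console.log('healthy:', r.ready));
```

`resolveCaa` is only available in Node releases newer than the 10.x line used in this thread, so the real resolver has to come from a current Node install.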