Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Unable to get LetsEncrypt certificate with port aliasing active #960

Open sebtombs opened 4 years ago

sebtombs commented 4 years ago

I've upgraded to 0.4.9-k which has stopped the problem I was having with MeshCentral saying it isn't bound to port 80. MeshCentral is working fine but the browser is still (rightly) complaining that I am using an invalid certificate. LetsDebug says all is OK, and curl shows redirection of port 80 to port 443.

However, on running with --debug cert, I get

CERT: Notify: error: {"errno":"ECONNREFUSED","code":"ECONNREFUSED","syscall":"connect","address":"{IP address}","port":80,"context":"cert_issue","subject":"{url}","altnames":["{url}"]}

where {IP address} was the server IP address and {url} the URL.

Redirection: "Port": 8443, "AliasPort": 443, "RedirPort": 8080, "RedirAliasPort": 80,

"production" is false in LetsEncrypt section. I'm using GreenLock v3.1.5.

I'm considering the firewall port forwarding must be working for port 80 to 8080 or otherwise curl wouldn't report the redirect correctly. Is MeshCentral perhaps accidentally redirecting the challenge request too and this fails because the certificate is invalid for https? This wouldn't be evident on renewing an existing certificate.

sebtombs commented 4 years ago

Has anyone else actually tried MeshCentral LetsEncrypt using GreenLock with aliased ports? It appears from the GreenLock documentation that it must bind to 80 and 443.

sebtombs commented 4 years ago

Looking at letsEncrypt.js, it would appear that the redirserver.port config value is checked but not passed to GreenLock. Hence, GreenLock doesn't know we are using a different port so will try to bind to port 80, but it can't because this is forwarded by the firewall.

petervanv commented 4 years ago

Hey sebtombs,

I'm running this config: "Port": 444, "RedirPort": 80, and "production": true

At first I had troubles with "production": false

Look out for any spaces in the email name (after the test@example.com).

Did you try to temporarily shut down the firewall?

About the high ports, did you run: sudo setcap 'cap_net_bind_service=+ep' $(which node) to enable other ports?

Ylianst commented 4 years ago

Arg. I am on vacation until mid next week and must run out the door. I will try to think of a few things to try and post later. As long as you set the "RedirAliasPort" to 80 and the external port 80 is routed to the "RedirPort" of MeshCentral, you should be good...

sebtombs commented 4 years ago

petervanv - I shouldn't need the setcap if I'm using alias, surely? That's to allow non-root users to use ports <1024, which the whole point of the alias is to avoid. I don't think LetsEncrypt cares what "Port" is set to - it's "RedirPort" which matters, so yours will work because it is the expected value. I've already fallen over and fixed the space on the end of the e-mail address. Ylian's code catches that nicely and tells you the e-mail address is invalid.

sebtombs commented 4 years ago

Ylian - no big rush. It's taken me a month to get back to the LetsEncrypt side of things so you deserve a few days off without worrying about this! Hope you enjoy your vacation.

sebtombs commented 3 years ago

I've revisited this issue with 0.7.49 and it is still failing to get a LetsEncrypt certificate. I can't understand it, as the redirect must be working as curl http://example.com/.well-known/acme-challenge/fred yields the text "Not found" rather than an HTML body, and systemctl status meshcentral logs the attempt.

Whether the following is informative, I don't know:

Jan 21 10:13:52 sebtombs-sup2 node[18141]: CERT: LE: Got no certificates, asking for one now.
Jan 21 10:13:52 sebtombs-sup2 node[18141]: CERT: LE: Generating private key...
Jan 21 10:13:53 sebtombs-sup2 node[18141]: CERT: LE: Setting up ACME client...
Jan 21 10:13:53 sebtombs-sup2 node[18141]: CERT: LE: Creating certificate request...
Jan 21 10:13:53 sebtombs-sup2 node[18141]: CERT: LE: Requesting certificate from Let's Encrypt...
Jan 21 10:14:59 sebtombs-sup2 node[18141]: CERT: LE: Failed to obtain certificate: connect ECONNREFUSED w.x.y.z:80
Jan 21 10:19:44 sebtombs-sup2 node[18141]: CERT: LE: Failed to respond to challenge, token: fred, table: {}.

AkioUnity commented 2 years ago

I am getting the same issue.

"version": "1.0.85"

"settings": {
  "MongoDb": "mongodb://127.0.0.1:27017/meshcentral",
  "cert": "xx.yy.com",
  "WANonly": true,
  "_sessionKey": "MyReallySecretPassword1",
  "port": 443,
  "_aliasPort": 443,
  "redirPort": 80,
  "redirAliasPort": 80
},
"letsencrypt": {
  "email": "xxx@gmail.com",
  "names": "xx.yy.com,xx.zz.com",
  "production": false
}

leevents
9/21/2022 3:05:16 PM - Getting certs from local store (Staging)
9/21/2022 3:05:16 PM - No certificate files found
9/21/2022 3:05:22 PM - Got no certificates, asking for one now.
9/21/2022 3:05:22 PM - Generating private key...
9/21/2022 3:05:22 PM - Setting up ACME client...
9/21/2022 3:05:22 PM - Creating certificate request...
9/21/2022 3:05:22 PM - Requesting certificate from Let's Encrypt...
9/21/2022 3:05:23 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:08:16 PM - Request for certificate is in process.
9/21/2022 3:08:59 PM - Failed to obtain certificate: connect ECONNREFUSED xxxx:80

Please help with this issue.

silversword411 commented 2 years ago

"production": false

That needs to be true at a minimum.

I'm guessing you've replaced the real email and other places with fake for this post.

AkioUnity commented 2 years ago

Still same issue.

MeshCentral HTTP redirection server running on port 80.
CERT: LE: Getting certs from local store (Production)
CERT: LE: No certificate files found
MeshCentral v1.0.85, WAN mode.
MeshCentral Intel(R) AMT server running on assets.xxx.com:4433.
MeshCentral HTTPS server running on assets.xxx.com:443.
CERT: LE: Got no certificates, asking for one now.
CERT: LE: Generating private key...
CERT: LE: Setting up ACME client...
CERT: LE: Creating certificate request...
CERT: LE: Requesting certificate from Let's Encrypt...
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Failed to obtain certificate: connect ECONNREFUSED 198.24.x.x:80

dinger1986 commented 2 years ago

Did you try the troubleshooting? https://git.meshcentral.com/meshcentral/SSLnletsencrypt/

Is port 80 open?

AkioUnity commented 2 years ago

@dinger1986
Yes, port 80 is open. I already checked it, because I got the error (connect ECONNREFUSED 198.24.x.x:80) in node.js.

petervanv commented 2 years ago

"redirPort": 80, "redirAliasPort": 80

Is it possible to turn one off, like this: "redirPort": 80, "_redirAliasPort": 80

Maybe that helps.

dinger1986 commented 2 years ago

I was just thinking that myself but wanted to check it against my config

AkioUnity commented 2 years ago

"redirPort": 80, "redirAliasPort": 80

Is it possible to turn one off, like this: "redirPort": 80, "_redirAliasPort": 80

Maybe that helps.

@petervanv I tried it already before, but same issue.
And now I tried it again. Still the same issue.

petervanv commented 2 years ago

}, "letsencrypt": {
  "comment": "Requires NodeJS 10.12 or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
  "email": "email@domaim.com",
  "names": "my.domain.com",
  "rsaKeySize": 3072,
  "production": true,
  "lib": "acme-client"
},

Did you meet the requirements?

AkioUnity commented 2 years ago

@petervanv Yes. I added lib and rsaKeySize and tried again.
Same issue. The only difference is "production": false.

image

dinger1986 commented 2 years ago

Do you have 2 dns names after names?

petervanv commented 2 years ago

Does this meet the requirements? Requires NodeJS 10.12 or better

And which versions are you running?

image

Please use one DNS name, just to be sure it's not a DNS name issue.

And set production to: true

AkioUnity commented 2 years ago

@petervanv
Perhaps a version issue?
These are my versions:

image

petervanv commented 2 years ago

image

I also did not say whether I'm running just WAN or LAN mode; maybe you could disable it. And yes, I can communicate with the internet.

petervanv commented 2 years ago

@petervanv Perhaps a version issue? These are my versions:

image

Possibly update everything if you can; it could do no harm.

AkioUnity commented 2 years ago

image

Upgraded to the latest version and used one DNS name. Still the same.

petervanv commented 2 years ago

image

petervanv commented 2 years ago

Also, did you start MeshCentral using your DNS name too?

AkioUnity commented 2 years ago

Yes.

image

With the same DNS name.

petervanv commented 2 years ago

node ./node_modules/meshcentral --cert your.domainname.com:portnumber

petervanv commented 2 years ago

Also, production mode is FALSE; it needs to be: true

AkioUnity commented 2 years ago

node ./node_modules/meshcentral --cert your.domainname.com:portnumber

If I do > node ./node_modules/meshcentral --cert your.domainname.com:80

(80 is the port number)

then I get the error "Invalid certificate name".

If I do > node ./node_modules/meshcentral --cert your.domainname.com, still the same issue.

Please note that I changed production mode to true.
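Pulling together the configuration checks raised so far in this thread (the externally visible redirect port must be 80 for the HTTP-01 challenge, "production" must be true, no stray whitespace in the e-mail address, bare host names with the server's own "cert" name among them), here is an added preflight check. It is example code, not MeshCentral's own, and assumes MeshCentral's documented config.json conventions that keys prefixed with "_" are ignored and key names are matched case-insensitively; the sample config is constructed from the one posted above.

```javascript
// Added preflight check (example code, not MeshCentral's own): inspects the
// "settings" and "letsencrypt" sections of a config.json object and reports
// the misconfigurations discussed in this thread before ACME is attempted.
// Assumption: MeshCentral disables keys that start with "_" and treats key
// names case-insensitively, so "_aliasPort" is off and "Port" equals "port".
function getKey(section, name) {
  for (const k of Object.keys(section || {})) {
    if (k.toLowerCase() === name.toLowerCase()) return section[k];
  }
  return undefined;
}

function checkLetsEncryptConfig(config) {
  const findings = [];
  const s = config.settings || {};
  const le = config.letsencrypt || {};
  // HTTP-01 validation always arrives on TCP 80. MeshCentral binds
  // RedirPort; the port seen from the Internet is RedirAliasPort when
  // set, otherwise RedirPort itself (the firewall must forward 80 there).
  const redirPort = getKey(s, 'redirPort');
  const external = getKey(s, 'redirAliasPort') ?? redirPort;
  if (redirPort === undefined) findings.push('redirPort not set: HTTP-01 needs the redirection server');
  else if (external !== 80) findings.push(`external redirect port is ${external}; HTTP-01 requires 80`);

  // Staging certificates are never trusted by browsers.
  if (le.production !== true) findings.push('letsencrypt.production is not true (staging issuer)');

  // A stray space in the e-mail address is rejected as invalid.
  const email = le.email;
  if (typeof email !== 'string' || email !== email.trim() || !email.includes('@')) {
    findings.push('letsencrypt.email is missing or contains whitespace');
  }

  // names: comma-separated bare host names (no port, as in "--cert host:80");
  // the server's own "cert" name must be one of them.
  const names = String(le.names || '').split(',').map((n) => n.trim()).filter(Boolean);
  if (names.length === 0) findings.push('letsencrypt.names is empty');
  for (const n of names) if (/[:\/\s]/.test(n)) findings.push(`"${n}" is not a bare host name`);
  const cert = getKey(s, 'cert');
  if (cert && !names.includes(cert)) findings.push(`settings.cert "${cert}" is not in letsencrypt.names`);
  return findings;
}

// Constructed sample modelled on the configuration posted above (with a
// trailing space added to the e-mail to show that check firing).
const sampleConfig = {
  settings: { cert: 'xx.yy.com', port: 443, _aliasPort: 443, redirPort: 80, redirAliasPort: 80 },
  letsencrypt: { email: 'xxx@gmail.com ', names: 'xx.yy.com,xx.zz.com', production: false },
};
console.log(checkLetsEncryptConfig(sampleConfig));
```

A clean result from this check does not prove the challenge path works end to end: the server must still be able to reach its own public name on port 80 from inside, which is what the /etc/hosts fix later in this thread addresses.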

petervanv commented 2 years ago

Likely your external domain name is not bound to your internal DNS name for your certificate. And I'm assuming you replaced it with your DNS name which you registered and bound to your IP address.

(Going to sleep now, so I'm not responding any more until 12 hours from now.)

AkioUnity commented 1 year ago

Hello. I have checked the code and the reason in detail. My node.js version is v16, so we should use acme-client v5.x

https://www.npmjs.com/package/acme-client

image

https://github.com/publishlab/node-acme-client/blob/HEAD/docs/upgrade-v5.md

But in our code:

image

we are using an old version.

On September 15, 2022, Let's Encrypt will stop accepting Certificate Signing Requests signed using the obsolete SHA-1 hash. This change affects all acme-client versions lower than 3.3.2 and 4.2.4.

What do you think?

AkioUnity commented 1 year ago

Hello

I am sorry. I found this https://github.com/publishlab/node-acme-client/issues/59 https://github.com/Ylianst/MeshCentral/commit/a4bb51fd5569284d5a934ea397da0cc3cd0beec0

image

acme-client@4.2.5 is fine. By the way, why am I still getting the cert issue?

image

Could anyone help with this issue?

si458 commented 1 year ago

@AkioUnity can you run npm list from the root of the meshcentral folder (folder contains node_modules, meshcentral-data, meshcentral-files folder) and let us have the output?

AkioUnity commented 1 year ago

@si458 Hello

+-- @yetzt/nedb@1.8.0
+-- acme-client@4.2.5
+-- archiver@5.3.1
+-- body-parser@1.20.0
+-- cbor@5.2.0
+-- compression@1.7.4
+-- cookie-session@1.4.0
+-- express-handlebars@5.3.5
+-- express-ws@4.0.0
+-- express@4.18.1
+-- ipcheck@0.1.0
+-- minimist@1.2.6
+-- mongodb@4.10.0
+-- multiparty@4.2.3
+-- node-forge@1.3.1
+-- otplib@10.2.3
+-- saslprep@1.0.3
+-- ws@5.2.3
`-- yauzl@2.10.0

This was the result.

AkioUnity commented 1 year ago

image

This is the current cert issue.

si458 commented 1 year ago

@si458 Hello

+-- @yetzt/nedb@1.8.0
+-- acme-client@4.2.5
+-- archiver@5.3.1
+-- body-parser@1.20.0
+-- cbor@5.2.0
+-- compression@1.7.4
+-- cookie-session@1.4.0
+-- express-handlebars@5.3.5
+-- express-ws@4.0.0
+-- express@4.18.1
+-- ipcheck@0.1.0
+-- minimist@1.2.6
+-- mongodb@4.10.0
+-- multiparty@4.2.3
+-- node-forge@1.3.1
+-- otplib@10.2.3
+-- saslprep@1.0.3
+-- ws@5.2.3
`-- yauzl@2.10.0

This was the result.

Your output doesn't look right; it's missing meshcentral. Did you clone meshcentral from the git repo rather than install it from npm (npm install meshcentral)?

my output is this

simon@meshcentral:~/meshcentral$ npm list
meshcentral@ /home/simon/meshcentral
├── acme-client@4.2.5
├── meshcentral@1.0.93
└── otplib@10.2.3

AkioUnity commented 1 year ago

Hello @si458 @Ylianst @petervanv

Thank you for helping with this issue. Finally, I resolved the issue.

This helped me. https://github.com/Ylianst/MeshCentral/issues/986#issuecomment-596201036 I added my fully qualified domain name (FQDN) in /etc/hosts

We can close this issue. Thank you again!