amidaware / tacticalrmm

A remote monitoring & management tool, built with Django, Vue and Go.
https://docs.tacticalrmm.com

Linux agent not connecting after Certificate change #1786

Closed albindy closed 3 months ago

albindy commented 4 months ago

Describe the bug

When changing the certificate in nginx, Linux agents no longer connect. No error in /opt/tacticalmesh/meshagent.log or /var/log/tacticalagent.log. Switching back to the old cert brings the agents back online. Or reinstallation. Result: certificate change is impossible for me. But I have to. How can the change be done without reinstalling all Linux agents?

To Reproduce

Steps to reproduce the behavior:

  1. Go to '/etc/nginx/site-available/*.conf'
  2. Change from Let's Encrypt certificate to bought cert
  3. Restart Nginx
  4. Linux agents no longer connecting

Expected behavior

Agents should accept other active and valid certificates without reinstallation.

dinger1986 commented 4 months ago

Are you using code signing? Or any custom config?

Works fine for me after every change of cert and a lot of others.

albindy commented 4 months ago

Problems are meshcentral.conf and rmm.conf. When changing the certificate there, the agents are no longer working. Yes, we use code signing. "Code signing all agents". No custom configs except the attempted certificate change.

wh1te909 commented 4 months ago

so windows agents connect fine with new cert?

can you run the linux agent in debug mode and see if any errors related to certs? don't paste the full output here because it contains sensitive info:

```bash
# stop service
sudo systemctl stop tacticalagent

# run in debug
tacticalagent -m rpc -log debug -logto stdout

# after done debugging, don't forget to start service back up
sudo systemctl start tacticalagent
```

albindy commented 4 months ago

```
SyncMesh: Post "https://api.*********/api/v3/syncmesh/": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

But the cert is valid and an official wildcard working on several other systems. Additional info: it is a wildcard cert. (CN) Sectigo RSA Domain Validation Secure Server CA (O) Sectigo Limited

Yes Windows connects fine.

dinger1986 commented 4 months ago

Did you follow this and update all files? https://docs.tacticalrmm.com/unsupported_scripts/#using-purchased-ssl-certs-instead-of-lets-encrypt-wildcards

You don't need to do the nats regen.

You need to use the fullchain, which you maybe haven't.

albindy commented 3 months ago

Yes, followed the guide. Did the nats regen and it worked like a charm. But! Good hint, I'm trying fullchain; currently using cert.

dinger1986 commented 3 months ago

So it worked after a nats regen and restarting all services?

albindy commented 3 months ago

Nats worked before. Just to complete the picture. Problem was using cert instead of fullchain. But Nats works with cert only and frontend too. For rmm and meshcentral fullchain is mandatory to work.

Maybe a hint in the docs would help. But, yes I know it is unsupported. Thanks for clearing things up and helping lightning fast! Thanks for the great support! All up and running now!

dinger1986 commented 3 months ago

Did you not see this? image

Nats doesn't actually need a cert anymore, glad it's working now.

albindy commented 3 months ago

OMG Sorry! Totally overlooked this note. Thanks again! Closing.

dinger1986 commented 3 months ago

lol no worries!