MeshCentral
`Error: Vault/Database missing some certificates.` Please tell me which one(s)
After updating past 1.0.27 (i.e. 1.0.28 and above) my MeshCentral server wouldn't launch any more. I started getting `Error: Vault/Database missing some certificates.`, which was accurate, since I didn't have a code-signing cert pushed into my database. I definitely appreciate that it didn't simply generate a new code-signing cert, since I'm operating (semi-)stateless, and thus it would be lost next time the server reboots; however, it would have been nice if it told me specifically which cert(s) I was missing.

This is an (edited) log, which (due to my semi-stateless config) shows which certs were in the DB, but still gives no indication of which cert(s) I'll need to generate and push to the DB to get it up and running again. (I also added `set -x` to my npm start to show which command the output is coming from.)
```
+ npm start
| > @ start /path/to/meshcentral
| > set -x; node node_modules/meshcentral --mongodb $MONGO --configkey $CONFIGKEY --dbpullconfigfiles meshcentral-data; node node_modules/meshcentral --port $PORT --mongodb $MONGO --configkey $CONFIGKEY --loadconfigfromdb
| + node node_modules/meshcentral --mongodb mongodb+srv://<username>:<password>@<domain>/<database>?retryWrites=true&w=majority --configkey <configkey> --dbpullconfigfiles meshcentral-data
| Pulling agentserver-cert-private.key, 2498 bytes.
| Pulling agentserver-cert-public.crt, 1538 bytes.
| Pulling config.json, 2018 bytes.
| Pulling mpsserver-cert-private.key, 1706 bytes.
| Pulling mpsserver-cert-public.crt, 1526 bytes.
| Pulling root-cert-public.crt, 1566 bytes.
| Pulling webserver-cert-public.crt, 1702 bytes.
| Pulling root-cert-private.key, 2494 bytes.
| Pulling webserver-cert-private.key, 2498 bytes.
| + node node_modules/meshcentral --port 5000 --mongodb mongodb+srv://<username>:<password>@<domain>/<database>?retryWrites=true&w=majority --configkey <configkey> --loadconfigfromdb
| { Error: Command failed: "mongodump" --uri="mongodb+srv://<username>:<password>@<domain>/<database>?retryWrites=true&w=majority" --archive="/dev/null"
| /bin/sh: 1: mongodump: not found
| at ChildProcess.exithandler (child_process.js:294:12)
| at ChildProcess.emit (events.js:198:13)
| at maybeClose (internal/child_process.js:982:16)
| at Socket.stream.socket.on (internal/child_process.js:389:11)
| at Socket.emit (events.js:198:13)
| at Pipe._handle.close (net.js:607:12)
| killed: false,
| code: 127,
| signal: null,
| cmd:
| '"mongodump" --uri="mongodb+srv://<username>:<password>@<domain>/<database>?retryWrites=true&w=majority" --archive="/dev/null"' }
| WARNING: Unable to find mongodump, MongoDB database auto-backup will not be performed.
| Error: Vault/Database missing some certificates.
[DONE] Killing all processes with signal SIGINT
Exited Successfully
```
I found where the existing error message is in the code, but I'm not sure how to go about making a list of missing certs. https://github.com/Ylianst/MeshCentral/blob/acd281c990359ee0279a74137ac8473e22778233/certoperations.js#L990
Oh! I think I understand what is going on. I added a new code signing certificate that is not in your installation. Since it's not in the database, it's causing this issue. Working on this now.
I put in a fix for this. If you are reading certs from a database or vault and the code-signing cert is missing, MeshCentral now will gracefully skip it. The result is that your agent will not be self-signed until a code-signing cert is added to the database, but this is not critical.
Fix will be in MeshCentral v1.0.57, but you can get unstuck now by replacing the "certoperations.js" file with the one in GitHub here: https://raw.githubusercontent.com/Ylianst/MeshCentral/master/certoperations.js
Hope that helps.
Sorry @Ylianst, I think you may have misunderstood the purpose of this report.
Yes, as I had stated, I was missing the code-signing cert (because that one didn't exist prior to 1.0.28, and thus I hadn't generated one yet), however I had already figured that out, generated one, pushed it into my DB and have a working install of the MeshCentral server currently running on 1.0.56.
I do NOT think that MeshCentral should ignore this missing cert and revert to not self-signing the agent binaries, but rather (as stated in the title of this issue) I'd like to see the error message that occurs when a cert is missing inform you of which cert(s) are missing. This way instead of potentially accidentally running the server with diminished functionality or security, one can take a single glance at the error message and it will tell them exactly why it didn't launch. I think having the server fail to launch when it's missing a cert is the correct way to handle that situation. If I wanted to be able to run the server without that cert, with diminished functionality and/or security, I would have asked to have that made available via a configuration option, NOT as a default or a fallback that occurs automatically when a cert which should be present is missing.
Oh! Ok, good point.
You're right, the error message was not explicit. I put in a fix for this.
Hello Ylian. Sorry for the delay, just got back to this. Thank you for improving the error message. I just tested it, and it works.
I'm still not sure I like the fact that a missing "Agent code signing certificate" silently reverts the server to not using the shiny new .exe signing feature. I also find it strange that in the error message, you refer to `root-cert-public.crt` as the "Code signing certificate" when another cert is named `codesign-cert-public.crt`, and the error message refers to that cert as "Agent code signing certificate". That kind of discrepancy can cause unnecessary confusion in the future.
Anyway, thank you so much for making the error message more useful. Error messages are always better when they're actually helpful.
@Ylianst I haven't closed this because I'm hoping you'll consider reverting 3dd8531ef959343e179d0fa669c32ab9569e50a4 (or maybe adding a config option so it's possible to disable .exe signing and thus not require a codesign-cert, but not have it happen by default just because the appropriate cert hasn't been added to the DB yet) and also possibly changing the wording on the new error message to eliminate the potential for confusion between the "Code signing certificate" (`root-cert-public.crt`) and `codesign-cert-public.crt` (the "Agent code signing cert").
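The fail-closed check the reporter describes (name every missing cert, and only skip the code-signing pair through an explicit option), as an added example that is not MeshCentral's own code. The file names come from the log in this issue; the codesign private key name and the `disableExeSigning` option are assumptions, not real MeshCentral settings.

```javascript
// Added example (not MeshCentral's own code): check a certificate set pulled
// from a database/vault and report exactly which entries are missing.
// It fails closed by default; skipping the code-signing pair is only allowed
// through an explicit, hypothetical option rather than as an automatic fallback.

// File names taken from the log in this issue. The codesign private key name
// is assumed by analogy with the other pairs; it is not shown on the page.
const REQUIRED_CERTS = {
  root: ['root-cert-public.crt', 'root-cert-private.key'],
  web: ['webserver-cert-public.crt', 'webserver-cert-private.key'],
  agent: ['agentserver-cert-public.crt', 'agentserver-cert-private.key'],
  mps: ['mpsserver-cert-public.crt', 'mpsserver-cert-private.key'],
  codesign: ['codesign-cert-public.crt', 'codesign-cert-private.key'],
};

// vault: object keyed by file name, value is the PEM text pulled from the DB.
// opts.disableExeSigning (hypothetical): operator opt-out of agent .exe signing.
function findMissingCerts(vault, opts = {}) {
  const skipCodesign = opts.disableExeSigning === true;
  const missing = [];
  for (const [group, files] of Object.entries(REQUIRED_CERTS)) {
    if (group === 'codesign' && skipCodesign) continue;
    for (const file of files) {
      // Treat an absent key and an empty blob the same: both are unusable.
      if (typeof vault[file] !== 'string' || vault[file].length === 0) missing.push(file);
    }
  }
  return missing;
}

// Returns null when every required cert is present, otherwise an Error whose
// message names each missing file, as the issue requests.
function checkVault(vault, opts) {
  const missing = findMissingCerts(vault, opts);
  if (missing.length === 0) return null;
  return new Error('Vault/Database missing some certificates: ' + missing.join(', '));
}

// Constructed sample mirroring the "Pulling ..." lines in the log: every pair
// except the code-signing one is present. Values are placeholders, not real PEM.
const SAMPLE_VAULT = Object.fromEntries([
  'agentserver-cert-private.key', 'agentserver-cert-public.crt',
  'mpsserver-cert-private.key', 'mpsserver-cert-public.crt',
  'root-cert-public.crt', 'root-cert-private.key',
  'webserver-cert-public.crt', 'webserver-cert-private.key',
].map((name) => [name, '-----BEGIN PLACEHOLDER-----']));

console.log(String(checkVault(SAMPLE_VAULT)));
// Error: Vault/Database missing some certificates: codesign-cert-public.crt, codesign-cert-private.key
console.log(checkVault(SAMPLE_VAULT, { disableExeSigning: true })); // null
```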
@si458 maybe @MailYouLater could open a new issue with the last message to request that change and close this.
Closing as we have left this in to help with old setups which don't use code-signing certs.