MeshCentral
Unable to get LetsEncrypt certificate with port aliasing active
I've upgraded to 0.4.9-k which has stopped the problem I was having with MeshCentral saying it isn't bound to port 80. MeshCentral is working fine but the browser is still (rightly) complaining that I am using an invalid certificate. LetsDebug says all is OK, and curl shows redirection of port 80 to port 443.
However, on running with --debug cert, I get
CERT: Notify: error: {"errno":"ECONNREFUSED","code":"ECONNREFUSED","syscall":"connect","address":"{IP address}","port":80,"context":"cert_issue","subject":"{url}","altnames":["{url}"]}
where {IP address} was the server IP address and {url} the url.
Redirection: "Port": 8443, "AliasPort": 443, "RedirPort": 8080, "RedirAliasPort": 80,
"production" is false in LetsEncrypt section. I'm using GreenLock v3.1.5.
I'm considering the firewall port forwarding must be working for port 80 to 8080 or otherwise curl wouldn't report the redirect correctly. Is MeshCentral perhaps accidentally redirecting the challenge request too and this fails because the certificate is invalid for https? This wouldn't be evident on renewing an existing certificate.
Has anyone else actually tried MeshCentral LetsEncrypt using GreenLock with aliased ports? It appears from the GreenLock documentation that it must bind to 80 and 443.
Looking at letsEncrypt.js, it would appear that the redirserver.port config value is checked but not passed to GreenLock. Hence, GreenLock doesn't know we are using a different port so will try to bind to port 80, but it can't because this is forwarded by the firewall.
Hey sebtombs,
I'm running this config: "Port": 444, "RedirPort": 80, and "production": true.
At first I had trouble with "production": false.
Look out for any spaces in the email name (after the [email protected]).
Did you try to temporarily shut down the firewall?
About the high ports: did you run sudo setcap 'cap_net_bind_service=+ep' which node to enable other ports?
Arg. I am on vacation until mid next week and must run out the door. I will try to think of a few things to try and post later. As long as you set the "RedirAliasPort" to 80 and the external port 80 is routed to the "RedirPort" of MeshCentral, you should be good...
petervanv - I shouldn't need the setcap if I'm using alias, surely? That's to allow non-root users to use ports <1024, which is the whole point of the alias to avoid. I don't think LetsEncrypt cares what "Port" is set to - it's "RedirPort" which matters, so yours will work because it is the expected value. I've already fallen over and fixed the space on the end of the e-mail address. Ylian's code catches that nicely and tells you the e-mail address is invalid.
Ylian - no big rush. It's taken me a month to get back to the LetsEncrypt side of things so you deserve a few days off without worrying about this! Hope you enjoy your vacation.
I've revisited this issue with 0.7.49 and it is still failing to get a LetsEncrypt certificate. I can't understand it, as the redirect must be working as curl http://example.com/.well-known/acme-challenge/fred yields the text "Not found" rather than an HTML body, and systemctl status meshcentral logs the attempt.
Whether the following is informative, I don't know:
Jan 21 10:13:52 sebtombs-sup2 node[18141]: CERT: LE: Got no certificates, asking for one now.
Jan 21 10:13:52 sebtombs-sup2 node[18141]: CERT: LE: Generating private key...
Jan 21 10:13:53 sebtombs-sup2 node[18141]: CERT: LE: Setting up ACME client...
Jan 21 10:13:53 sebtombs-sup2 node[18141]: CERT: LE: Creating certificate request...
Jan 21 10:13:53 sebtombs-sup2 node[18141]: CERT: LE: Requesting certificate from Let's Encrypt...
Jan 21 10:14:59 sebtombs-sup2 node[18141]: CERT: LE: Failed to obtain certificate: connect ECONNREFUSED w.x.y.z:80
Jan 21 10:19:44 sebtombs-sup2 node[18141]: CERT: LE: Failed to respond to challenge, token: fred, table: {}.
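The curl check from the post above, generalized into a probe (an added example, not MeshCentral's or acme-client's own code): it classifies how an ACME HTTP-01 challenge URL answers on a given host and port, and includes a constructed stand-in for the HTTP redirection server so it runs offline; the host, ports and the token "fred" are assumptions.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"

def probe_challenge(host, port, token, timeout=3.0):
    """Classify http://host:port/.well-known/acme-challenge/<token> the way an
    HTTP-01 validator sees it: 'refused' (nothing answers on that port, the
    ECONNREFUSED case in the thread), 'redirect' (a 3xx, which fails HTTP-01 when
    it points at an HTTPS site with an untrusted cert), 'unreachable' or 'http-<status>'."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    return "redirect" if 300 <= status < 400 else "http-%d" % status

class _FakeRedirector(BaseHTTPRequestHandler):
    """Constructed stand-in for the redirection server: with redirect_acme
    False, challenge paths get a 404 'Not found' body (the curl result quoted
    in the thread); with True, every request is redirected to HTTPS."""
    redirect_acme = False
    def do_GET(self):
        if self.path.startswith(ACME_PATH) and not self.redirect_acme:
            self.send_response(404)
            self.end_headers()
            self.wfile.write(b"Not found")
        else:
            self.send_response(302)
            self.send_header("Location", "https://%s/" % self.headers["Host"])
            self.end_headers()
    def log_message(self, *args):  # keep the stand-in quiet
        pass

def start_fake_redirector(redirect_acme):
    """Serve the stand-in on 127.0.0.1 on a free port; return that port."""
    handler = type("Handler", (_FakeRedirector,), {"redirect_acme": redirect_acme})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def closed_port():
    """A local port with no listener, to reproduce the 'refused' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Point probe_challenge at the public name and port 80 from outside the firewall and again at the local RedirPort to see whether the two paths answer differently.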
I am getting the same issue.
"version": "1.0.85"
"settings": { "MongoDb": "mongodb://127.0.0.1:27017/meshcentral", "cert": "xx.yy.com", "WANonly": true, "_sessionKey": "MyReallySecretPassword1", "port": 443, "_aliasPort": 443, "redirPort": 80, "redirAliasPort": 80 }, "letsencrypt": { "email": "[email protected]", "names": "xx.yy.com,xx.zz.com", "production": false }
leevents
9/21/2022 3:05:16 PM - Getting certs from local store (Staging)
9/21/2022 3:05:16 PM - No certificate files found
9/21/2022 3:05:22 PM - Got no certificates, asking for one now.
9/21/2022 3:05:22 PM - Generating private key...
9/21/2022 3:05:22 PM - Setting up ACME client...
9/21/2022 3:05:22 PM - Creating certificate request...
9/21/2022 3:05:22 PM - Requesting certificate from Let's Encrypt...
9/21/2022 3:05:23 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:05:24 PM - Succesful response to challenge.
9/21/2022 3:08:16 PM - Request for certificate is in process.
9/21/2022 3:08:59 PM - Failed to obtain certificate: connect ECONNREFUSED xxxx:80
Please help with this issue.
"production": false
That needs to be true at a minimum.
I'm guessing you've replaced the real email and other places with fake for this post.
Still same issue.
MeshCentral HTTP redirection server running on port 80.
CERT: LE: Getting certs from local store (Production)
CERT: LE: No certificate files found
MeshCentral v1.0.85, WAN mode.
MeshCentral Intel(R) AMT server running on assets.xxx.com:4433.
MeshCentral HTTPS server running on assets.xxx.com:443.
CERT: LE: Got no certificates, asking for one now.
CERT: LE: Generating private key...
CERT: LE: Setting up ACME client...
CERT: LE: Creating certificate request...
CERT: LE: Requesting certificate from Let's Encrypt...
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Failed to obtain certificate: connect ECONNREFUSED 198.24.x.x:80
Did you try the troubleshooting? https://git.meshcentral.com/meshcentral/SSLnletsencrypt/
Is port 80 open?
@dinger1986
Yes, port 80 is open. I already checked it, because I got the error (connect ECONNREFUSED 198.24.x.x:80) in node.js.
"redirPort": 80, "redirAliasPort": 80
Possible to turn one off, like this: "redirPort": 80, "_redirAliasPort": 80
Maybe that helps.
I was just thinking that myself but wanted to check it against my config
@petervanv I tried it already before, but same issue.
And now I tried it again; still the same issue.
}, "letsencrypt": { "comment": "Requires NodeJS 10.12 or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.", "email": "[email protected]", "names": "my.domain.com", "rsaKeySize": 3072, "production": true, "lib": "acme-client" }
Did you meet the requirements?
@petervanv Yes. I added lib and rsaKeySize and tried again.
Same issue.
The only difference is "production":false.
Do you have 2 DNS names after names?
Is this requirement met? Requires NodeJS 10.12 or better.
And which versions are you running?
Please use 1 DNS name, just to be sure it's not a DNS name issue.
And set production to: true
@petervanv
Perhaps a version issue?
These are my versions.
I also did not say whether I'm running just WAN or LAN mode; maybe you could disable it. And yes, I can communicate with the internet.
Possibly update everything if you can; it could do no harm.
Upgraded to the latest version and used one DNS name. Still the same.
Also, did you start MeshCentral using your DNS name too?
Yes.
With the same DNS name.
node ./node_modules/meshcentral --cert your.domainname.com:portnumber
Also, production mode is FALSE; it needs to be: true
If I do > node ./node_modules/meshcentral --cert your.domainname.com:80
(80 being the port number),
then I get the error "Invalid certificate name".
If I do > node ./node_modules/meshcentral --cert your.domainname.com, still the same issue.
Please note that I changed production mode to true.
Likely your external domain name is not bound to your internal DNS name for your certificate. And I'm assuming you replaced it with your DNS name, which you registered and bound to your IP address.
(Going to sleep now, so I won't be responding for the next 12 hours.)