    Calling MeshCentral Users / Experts

    IT Discussion
    • C
      chris_jacksys
      last edited by

      Hi all

      I've been lurking here for a few weeks trying to figure out a problem with MeshCentral that I have.
      Basically I'm trying to push it through an NGinx server, which is what all of my other web stuff goes through; it's on the same network as my MeshCentral Server.

      In my config file my cert option is 'remote.website.com', my TLSOffload is pointing to the internal IP of my NGinx server, and the cert URL I have tried pointing to website.com and remote.website.com and nothing... when my clients try to connect I get an error server-side saying Bad certificate hash. So I am not entirely sure which bit I need to use.
      On my site, I have a cert for remote. and also a wildcard.

      In Nginx everything seems to be fine, my alias port is 443; when connecting in from a client, the agent says wss://remote.website.com:443, so that part is correct.

      How do I get around the certificate issue??

      My Mesh Server is port 80 only, no certs that side at all, maybe a self-signed one, which TLSOffload should negate.
      I am stuck but would really appreciate some assistance - and would really love to get it working this way!

      Thanks in advance.
      Chris

      1 Reply Last reply Reply Quote 0
      • dafyreD
        dafyre
        last edited by

        This is how I have my nginx server set up:

        /etc/hosts

        ```
        x.y.z.a   mesh.example.com
        ```

        /etc/nginx/conf.d/mesh.conf

        ```nginx
        server {
            listen      80;
            server_name mesh.example.com;

            # Serve the Let's Encrypt HTTP-01 challenge over plain HTTP ...
            location /.well-known/acme-challenge {
                root /var/www/letsencrypt;
            }

            # ... and send everything else to HTTPS. (A bare 'return' at server
            # level runs before location matching and would redirect the challenge too.)
            location / {
                return 301 https://$server_name$request_uri;
            }
        }

        server {
            listen 443 ssl;

            server_name mesh.example.com;
            client_max_body_size 10G;
            fastcgi_buffers 64 4K;
            proxy_send_timeout 7200;
            send_timeout       7200;

            ##
            # SSL Settings
            ##
            # 'ssl on;' is redundant with 'listen 443 ssl' and deprecated in current nginx.
            ssl_certificate     /etc/nginx/certs/mesh.example.com/fullchain.pem;
            ssl_certificate_key /etc/nginx/certs/mesh.example.com/privkey.pem;
            ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
            # Dropping SSLv3, ref: POODLE. TLSv1 and TLSv1.1 are themselves deprecated now;
            # TLSv1.2 (plus TLSv1.3 where available) is the preferable list.
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;

            # access_log /var/log/nginx/mesh.access.log;
            # error_log  /var/log/nginx/mesh.error.log;

            location / {
                proxy_pass https://<ip of mesh server>;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                # Websocket support (MeshCentral agents and the web UI use long-lived websockets)
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }

            location /.well-known/acme-challenge {
                root /var/www/letsencrypt;
            }
        }
        ```
        
        1 Reply Last reply Reply Quote 2
        • C
          chris_jacksys
          last edited by scottalanmiller

          Thanks. Is your NGinx not part of your MeshCentral and on another server? I'll post my config.

          ```nginx
          server {
              # if ($host = remote.website.co.uk) {
              #     return 301 https://$host$request_uri;
              # } # managed by Certbot

              listen 443 ssl;
              server_name remote.website.co.uk;

              # MeshCentral uses long standing web socket connections, set longer timeouts.
              proxy_send_timeout 330s;
              proxy_read_timeout 330s;

              # We can use the MeshCentral generated certificate & key
              ssl_certificate     /etc/letsencrypt/live/remote.website.co.uk/fullchain.pem; # managed by Certbot
              ssl_certificate_key /etc/letsencrypt/live/remote.website.co.uk/privkey.pem; # managed by Certbot
              # 'ssl on;' dropped: redundant with 'listen 443 ssl' and deprecated in current nginx.
              ssl_session_cache shared:WEBSSL:10m;
              ssl_ciphers HIGH:!aNULL:!MD5;
              # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (plus TLSv1.3 where available) is preferable.
              ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
              ssl_prefer_server_ciphers on;

              location / {
                  proxy_pass http://10.9.8.15:4430;

                  # Allows websockets over HTTPS.
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "upgrade";

                  # Inform MeshCentral about the real host, port and protocol
                  proxy_set_header X-Forwarded-Host $host:$server_port;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
              }
          }
          ```

          10.9.8.15 being an example IP of my MeshCentral.

          1 Reply Last reply Reply Quote 0
          • dafyreD
            dafyre
            last edited by

            My Nginx server is separate from my Mesh server. I am using a LetsEncrypt cert on my Nginx box.

            C 1 Reply Last reply Reply Quote 0
            • C
              chris_jacksys @dafyre
              last edited by

              @dafyre OK Same here, I am using certbot for certs which uses LE.

              black3dynamiteB 1 Reply Last reply Reply Quote 0
              • black3dynamiteB
                black3dynamite @chris_jacksys
                last edited by

                @chris_jacksys said in Calling MeshCentral Users / Experts:

                @dafyre OK Same here, I am using certbot for certs which uses LE.

                If your nginx is on a separate server, remove the port number from your proxy_pass setting.

                1 Reply Last reply Reply Quote 0
                • black3dynamiteB
                  black3dynamite
                  last edited by

                  Will you show us your MeshCentral config.json file?

                  1 Reply Last reply Reply Quote 0
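                  A config.json of the shape this thread is circling around, added here as an illustration (it is not a file chris_jacksys posted): the hostname, the nginx address and the ports are placeholders, and the key names follow MeshCentral's documented settings as I understand them, with underscore-prefixed keys used as comments. The point it shows is that with TLS offloaded to nginx, the Mesh server listens on plain HTTP, tells agents to dial the proxy's port, and fetches the certificate nginx presents (via certUrl, a full URL with scheme and port) so the hash it hands to agents matches what they actually see.

                  ```json
                  {
                    "settings": {
                      "_comment": "Added example, not from this thread. All names, addresses and ports are placeholders.",
                      "cert": "remote.website.com",
                      "_cert": "Hostname agents connect to; must be the name on the certificate nginx serves.",
                      "port": 80,
                      "_port": "Plain-HTTP listener on the Mesh server. The nginx proxy_pass must target this port.",
                      "redirPort": 0,
                      "_redirPort": "Disable the built-in HTTP->HTTPS redirector; it would collide with port 80 and nginx does the redirect.",
                      "aliasPort": 443,
                      "_aliasPort": "Port the agents are told to use, i.e. wss://remote.website.com:443 through nginx.",
                      "tlsOffload": "10.9.8.20",
                      "_tlsOffload": "IP of the nginx box (placeholder). TLS is terminated there, and only that address is trusted for X-Forwarded-* headers.",
                      "certUrl": "https://remote.website.com:443/",
                      "_certUrl": "Where MeshCentral fetches the certificate nginx presents, so the hash it gives agents is the one they will see. A bare hostname without https:// is not enough."
                    }
                  }
                  ```

                  If the hash MeshCentral computes from certUrl differs from the certificate nginx actually serves (for example after a Certbot renewal that nginx has reloaded but MeshCentral has not re-fetched), agents report the same "Bad certificate hash" error, so that mismatch is the first thing to check.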
                  • JaredBuschJ
                    JaredBusch
                    last edited by

                    Can a moderator edit post 3 to wrap all of that in code block tags ```

                    scottalanmillerS 1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @JaredBusch
                      last edited by

                      @JaredBusch said in Calling MeshCentral Users / Experts:

                      Can a moderator edit post 3 to wrap all of that in code block tags ```

                      Done

                      dafyreD 1 Reply Last reply Reply Quote 0
                      • dafyreD
                        dafyre @scottalanmiller
                        last edited by

                        @scottalanmiller said in Calling MeshCentral Users / Experts:

                        @JaredBusch said in Calling MeshCentral Users / Experts:

                        Can a moderator edit post 3 to wrap all of that in code block tags ```

                        Done

                        Thanks.

                        1 Reply Last reply Reply Quote 0