Meshcentral: letsencrypt in config.json prevents MC from starting

Created on 2 Oct 2019 · 8 Comments · Source: Ylianst/MeshCentral

Hia, just discovered MC today and it looks phenomenal.

That said, I have a fairly simple config.json just to get going but if I remove the underscore from the letsencrypt section the service simply doesn't start. Put the underscore back in, starts fine.
I've rebuilt the json quite a few times, pretty sure it's not simply a syntax error, and I can reproduce it with the sample file by doing the same thing.

Bug in the current release? or am I doing something wrong?

AWS linux 2 instance, setup using the install guide to the letter.

Config below, "name" key doesn't seem to matter since it defaults to Cert if blank, so I'm leaving it out for simplicity.

{
"settings": {
"Cert": "subnetAt.mywebsite.com",
"WANonly": true,
"Port": 443,
"RedirPort": 80,
},
"letsencrypt": {
"email": "[email protected]",
"rsaKeySize": 3072,
"production": false
},
}

Fixed - Confirm & Close question

All 8 comments

Hi and thanks. MeshCentral is evolving quickly with plenty more to work on.

For the config.json, one trick is to run the file thru a JSON Validator like the one from DuckDuckGo. In the JSON above, there are 2 commas that should not be present:

{
  "settings": {
    "Cert": "subnetAt.mywebsite.com",
    "WANonly": true,
    "Port": 443,
    "RedirPort": 80, <--------
  },
  "letsencrypt": {
    "email": "[email protected]",
    "rsaKeySize": 3072,
    "production": false
  }, <--------
}

You can also look for the "mesherrors.txt" file in the "meshcentral-data" folder, that should contain any exceptions the server has encountered.

Lastly and probably most importantly, when you enable the Let's Encrypt section, MeshCentral will need to install additional NPM modules. If you run MeshCentral with reduced rights in Linux, it will not be able to do this. The solution is to run MeshCentral manually once to have it install the missing modules:

node node_modules/meshcentral

This will also show you any problems MeshCentral has with parsing the config.json or other things. Once it works, start it back up in systemd.

Hope it's helpful,
Ylian

Edit: Sorry, I didn't see Ylianst had commented when I posted mine.

I don't know if it's a syntax error or not in your _actual_ config, but the example you posted has 2 syntax errors that would prevent MeshCentral from starting. It would be nice if it could be a little more fault tolerant, but for now at least, it's _very_ picky about those extra commas.

  {
  "settings": {
  "Cert": "subnetAt.mywebsite.com",
  "WANonly": true,
  "Port": 443,
- "RedirPort": 80,
+ "RedirPort": 80
  },
  "letsencrypt": {
  "email": "[email protected]",
  "rsaKeySize": 3072,
  "production": false
- },
+ }
}
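Review bot: Both removed commas are the right fix, and they are the only changes needed: in strict JSON a comma may not precede a closing `}` or `]`, so `"RedirPort": 80,` (last property of `settings`) and `},` (after the last top-level key) each fail the parse on their own. Note the corrected block still carries `"production": false`, which requests a staging certificate; the poster later flips it to true once the config loads.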

Yeah, that wasn't my actual entire config, just an excerpt, but I'll take those notes and go dig back into it today. Since I was just uncommenting single lines out of the example config it's highly likely there's an unnecessary trailing comma in there!

Got it, combo of things.
Once I turned on the letsencrypt options (with fixed commas), I then had to again start it manually in order to trigger it installing the letsencrypt support modules. Once those modules were started I could then restart it as a service and it successfully loaded.

I flipped Production to True, will wait and hope it takes effect!

One other note, oddly when starting it I get an error that it's listening on 81 and not 80, but the config file says 80/443, and connecting to it on 80 and 443 works, 81 does not. Weird inaccurate error there, since it's working as expected in spite of the error (and letsdebug agrees).

[[email protected] ~]$ node node_modules/meshcentral
Installing le-acme-core...
Installing greenlock...
MeshCentral HTTP redirection server running on port 81.
ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work.
MeshCentral v0.4.1-p, WAN mode.
MeshCentral HTTPS server running on mysub.mydomain.net:444.
^CServer Ctrl-C exit...

LetsEncrypt success!

Perfect, thanks for reporting back. If a port is busy, MeshCentral will grab the next available port so, if you see 81 and 444 being used, you're probably running MeshCentral twice. Please make sure this is corrected. Also, MeshCentral should auto-renew the certificate and this will cause a quick restart of the server every few months.

FYI: MeshCentral uses GreenLock v2 to request the Let's Encrypt certificate and on November 1st it will stop working due to a breaking protocol change. So, MeshCentral will need to move to GreenLock v3 that is being worked on. There is a donation page for that effort.

Perfect, thanks!
I did a kill-all so they shouldn't be running, but I'll bounce the whole machine and make sure it all starts up once and cleanly just to be sure.

I'll keep kicking the tires and toss some cash in the change jar if it works out!

Note: Ports 80 and 443 are the standard ports for http and https (respectively), so any other program on your computer that acts as a web server will want to use them too, as well as some other programs that just use them because they're a little less likely to be blocked than other random ports (I'm looking at you Skype).
See this comment if you need help tracking down what's using those ports.
