Meshcentral: can't load certificate from Apache reverse proxy

just installed a RoutePlus plugin, and looks like routing is working - a can RDP to one of my Win devices..

Hi. A few things here, first, you can run MeshCentral with --debug cert to get extra information about the loading of the certificate from Apache. Also, when MeshCentral tries to resolve "mesh.mydomain.lv", it will get an external IP address that may not always work for loading the Apache certificate, feel free to put the private IP address instead like this:

"CertUrl": "https://192.168.2.100:443/"

As long as MeshCentral is able to load the same TLS certificate as the agent will see, you can use a private DNS name or private IP address to load that certificate. Let me know if this works or what you see with the --debug cert option.

Hello!
just tried your suggestions:

1. changed Certurl to proxy LAN address, no changes;
2. added --debug cert to startmeshcentral.sh file, and still see no additional log on docker log, see below:

`+ [email protected]
added 26 packages from 9 contributors, removed 3 packages, updated 4 packages and audited 454 packages in 11.412s

1 package is looking for funding
run npm fund for details

found 0 vulnerabilities

Installing semver...
Installing [email protected]...
MeshCentral HTTP redirection server running on port 80.
MeshCentral v0.5.0-z, WAN mode.
MeshCentral Intel(R) AMT server running on mesh.mydomain.lv:4433.
MeshCentral HTTP server running on port 448, alias port 443.

Oh! I just noticed that in your config.json above, there is "_domain", the underscore will cause the domain section and everything within it to be ignored. Change _domain to domain and try again.

Doh, what a mess from my side.. now i'm seeing it reads certificate from proxy, but only, if i choose LAN side address in certUrl. BTW, where it saves it? webserver-cert-public.crt stays untouched..

just a side note , i see interesting undocumented option in settings part:
"AllowHighQualityDesktop": true,
"Log": "main,web,webrequest,cert"
what are they for?
are there any others worth to be mentioned ?
thank's

"AllowHighQualityDesktop": true - allow higher quality settings on Desktop - on my server, it 90% now max.

"Log": "main,web,webrequest,cert" - it's for debuging, it writes log.txt file in meshcentral-data folder with appropriate logs.
and for others: "_IgnoreAgentHashCheck": true, - another one for debugging to deal with certificate problems - in my case it was the first way i got it working at all(agents started connecting), and then next tried to resolve certificate issues. once resolved, then you should switch it off.

thank's .
where do you get these undocumented option?

huh, google is your friend :)

yes of course , i hoped there was a page or pdf that explain all the undocumented options.. ;-)

@uldiseihenbergs, to answer your original question above:

BTW, where it saves it? webserver-cert-public.crt stays untouched.

The certificate that is loaded by CerlURL is not saved anywhere, it is hashed and the result is kept in memory. When an agent connects, the agent will report that is saw TLS cert with that hash, if it matches, everything is ok.

Note that if agents start connecting with reports of a different TLS cert hash, MeshCentral will re-load the certificate from the reverse proxy to see if it changed. This should handle the case where the certificate on the reverse proxy is changed on the fly. Hope that helps.

@tradexsrl I do agree that I keep adding configuration options and documentation has not followed. I think I will need to write documentation on just the config.json, but another option as some point is to have a web control panel that guide you thru all the options.

I am going to close this one as I think the original issue was addressed. However, please feel free to open new issues for the other topics.