Hi, I need to buy an SSL cert for the domain related to my MC server.
I need to know which .crt file I need to replace, thanks.
Hello, you could use Let's Encrypt as documented here: http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide.pdf . Let's Encrypt provides free SSL certificates that are good for 90 days, and renewal can be automated so it happens before the 90-day period is up.
I can't use the method in that PDF because Let's Encrypt needs to check your domain on port 80 every 90 days, but my MC server is not on port 80 because I ran out of that resource, so I selected 8080 to redirect to 443.
How about using the DNS-01 challenge instead?
I have spoken with @Ylianst, but he told me that method is not supported in the auto-renew feature of the MC server.
What about placing a reverse proxy in front of MeshCentral 2 and letting it handle the SSL? It is well documented; I am using nginx in my setup to reverse proxy everything MeshCentral, and I am using Let's Encrypt with the DNS challenge.
@tradexsrl sorry mate, I replied with a reverse proxy scenario in mind....
@FDrebin: but I have no more resources to open a new port 80 for a reverse proxy.
Just wondering... depending on your local config, you could somehow install a web server (listening on non-default local TCP ports, if needed) and use it along with the proper Let's Encrypt DNS plug-in just for the sake of certificate issuance and renewal... I know it would be a kind of gimmick, and maybe you would prefer paying for an inexpensive commercial SSL certificate and copying a couple of files once a year...
In the meshcentral-data folder, the TLS certificate for the web server is in the following two files:
webserver-cert-public.crt
webserver-cert-private.key
They are text files, so you can edit them, look at their format, replace them with the data you want and restart the server. Make sure you cut & paste the new content so it matches what the old files look like.
As mentioned above, the proper way to do all this is with a reverse proxy, which allows you to share a single port 80 and 443 with many services on the same server. MeshCentral has been designed from the start to support reverse proxies, so it's a great option designed just for this case. You're going to have to point many different DNS names to your one IP address (web.myserver.com and mesh.myserver.com for example), and the reverse proxy will make two different web pages show up depending on which DNS name you use to access your server. Hope that makes sense.
@tradexsrl There's a third option which doesn't require you to install a reverse proxy or reallocate your current use of port 80. Here's what you need to do:
I can personally recommend the ACME client lego. It's a Go application, so all you need to do to install it is download a statically compiled binary from the releases page and put it in your PATH.
I agree with @whalehub, that is a valid 3rd option.
A reverse proxy is not possible because we have many different servers behind our firewall and no more resources to open a new port 80.
We have all Windows machines, so for the ACME client I will need a Windows client that can be scheduled for certificate renewal and automatically overwrite the old files in the correct directory.
I think the only one for my case is: https://www.win-acme.com/ but I'm not sure.
P.S.: MC is installed on a Windows 10 Pro VM with no IIS.
@tradexsrl You could also use Posh-ACME on Windows 10 since it's distributed as a PowerShell Module.
I looked at the tutorial for Posh-ACME and other related ACME clients, but I have a problem with the DNS plugin because my provider is not in the list, and also the Posh-ACME client generates .pfx and .cer files... I see you can convert certificates from one type to another, but I have no experience with that.
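The two steps discussed in this thread (converting a .pfx bundle into PEM, then overwriting webserver-cert-public.crt and webserver-cert-private.key in meshcentral-data) as an added example; this is not code from the thread or from the MeshCentral project. It assumes the openssl CLI is available, and the bundle path, password and data directory are placeholders you supply; it also checks that the extracted key really belongs to the extracted certificate before you restart the server.

```shell
#!/bin/sh
# Convert a PKCS#12 (.pfx) bundle into the two PEM files MeshCentral reads
# from meshcentral-data, then verify that the key matches the certificate.
# Requires the openssl CLI. All paths and the password are assumptions.
set -eu

# pfx_to_meshcentral <bundle.pfx> <password> <meshcentral-data dir>
# Writes webserver-cert-public.crt and webserver-cert-private.key.
# Returns 0 on success, non-zero if the key does not belong to the cert.
pfx_to_meshcentral() {
    pfx=$1; pass=$2; datadir=$3
    crt="$datadir/webserver-cert-public.crt"
    key="$datadir/webserver-cert-private.key"
    # Leaf certificate only (-clcerts), no key, no CA chain; openssl x509
    # strips the "Bag Attributes" header that pkcs12 prints before the PEM.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$crt"
    # Private key, unencrypted (-nodes): MeshCentral expects a plain PEM key.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$key"
    chmod 600 "$key"
    # Sanity check: the public key inside the cert must equal the one
    # derived from the private key, otherwise the server will fail to start.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# make_demo_pfx <dir> <password>: constructed self-signed certificate bundled
# as a .pfx, standing in for whatever your ACME client or CA handed you.
make_demo_pfx() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mesh.example.com" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/demo.crt" -inkey "$dir/demo.key" \
        -passout "pass:$pass" -out "$dir/demo.pfx"
    echo "$dir/demo.pfx"
}
```

After the files are written, restart the MeshCentral service as described above so it picks up the new certificate.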
i have problem with dns plugin because my provider is not in the list
In my case I moved DNS management under Cloudflare (free of charge for private use at least), so I can use the dedicated plug-in (besides other perks).
In my case I can't move DNS for policy reasons...
I'm out of options...go with commercial cert and manual copying :stuck_out_tongue:
Ok, I think we can close this one since we ran through all the options. If there is a specific ask, please don't hesitate to file a different issue.