Letsencrypt certificate corrupt #6522

Open
CrazybernieNL opened this issue Nov 11, 2024 · 5 comments

CrazybernieNL commented Nov 11, 2024

Describe the bug
Most of our agents do not connect to the server, with the error message: server certificate mismatch. A couple of agents do not have this behaviour.
If we manually revert to an older Let's Encrypt certificate, the agents show up until the new Let's Encrypt certificate is issued.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'any machine that is running the agent.'
  2. Run meshagent -connect

Expected behavior
Agents stay connected after a new letsencrypt certificate has been issued.

Screenshots
If applicable, add screenshots to help explain your problem.

Server Software (please complete the following information):

  • OS: Windows Server 2022
  • Virtualization: HYPER_V
  • Network: Direct WAN
  • Version: 1.1.0 (also tried 1.1.33)
  • Node: v20.17.0

Client Device (please complete the following information):

  • Device: PC
  • OS: Windows 11
  • Network: WAN
  • Browser: Chrome

Remote Device (please complete the following information):

  • Device: PC
  • OS: Windows 11/10/linux
  • Network: Remote over WAN
  • Current Core Version (if known): [HINT: Go to a device then console Tab then type info]

Additional context

{
  "__comment__" : "This is a sample configuration file, edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "settings": {
    "Cert" : "xxx.xxx-ip.com",
    "_WANonly": true,
    "_LANonly": true,
    "_Minify": 1,
    "_SessionTime": 30,
    "_SessionKey": "MyReallySecretPassword1",
    "_DbEncryptKey": "MyReallySecretPassword2",
    "_DbExpire": { "events": 1728000, "powerevents": 864000 },
    "_Port": 443,
    "_RedirPort": 80,
    "_AllowLoginToken": true,
    "_AllowFraming": true,
    "_WebRTC": false,
    "_ClickOnce": false,
    "_SelfUpdate": true,
    "_UserAllowedIP": "127.0.0.1,192.168.1.0/24",
    "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
    "_AgentAllowedIP": "192.168.0.100/24",
    "_AgentBlockedIP": "127.0.0.1,::1",
    "OrphanAgentUser": "admin",
    "IgnoreAgentHashCheck": true,
    "_LocalDiscovery": { "name": "Local server name", "info": "Information about this server" },
    "TlsOffload": false,
    "MpsTlsOffload": false,
    "WebRtConfig": { "iceServers": [ { "urls": "stun:stun.services.mozilla.com" }, { "urls": "stun:stun.l.google.com:19302" } ] }
  },
  "domains": {
    "mesh.rax-ip.com": {
      "Title": "Rax-IP MeshCentral Test;",
      "Title2": "Rax-IP-Mesh-01 TEST",
      "TitlePicture": "Rax-IPLOGO.png",
      "UserQuota": 1048576,
      "MeshQuota": 248576,
      "NewAccounts": 1,

      "Footer": "<a href='https://www.xxx-ip.com'>XXX-IP</a>",
      "_CertUrl": "https://10.0.200.3",
      "_PasswordRequirements": { "min": 8, "max": 128, "upper": 1, "lower": 1, "numeric": 1, "nonalpha": 1 },
      "_AgentNoProxy": true,
      "_UserAllowedIP": "127.0.0.1,192.168.1.0/24",
      "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
      "_AgentAllowedIP": "192.168.0.100/24",
      "_AgentBlockedIP": "127.0.0.1,::1",
      "Limits": {
        "MaxUserAccounts": 100,
        "MaxUserSessions": 1000,
        "MaxAgentSessions": 999,
        "MaxSingleUserSessions": 100
      },
      "_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
      "httpheaders": { "Strict-Transport-Security": "max-age=360000" },
      "agentConfig": [ "webSocketMaskOverride=1" ]
    }
  },
  "letsencrypt": {
    "__comment__": "Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "[email protected]",
    "names": "xxx.xxx.com",
    "rsaKeySize": 2048,
    "production": true
  },
  "_peers": {
    "serverId": "server1",
    "servers": {
      "server1": { "url": "wss://192.168.2.133:443/" },
      "server2": { "url": "wss://192.168.1.106:443/" }
    }
  },
  "_smtp": {
    "host": "smtp.myserver.com",
    "port": 25,
    "from": "[email protected]",
    "tls": false
  }
}

si458 commented Nov 11, 2024

Try removing the line rsaKeySize and restarting meshcentral

@CrazybernieNL (Author)

Removed old certificates
Removed the rsakey line from the config
restarted
new certificates are generated
but still the same error.

Would buying a commercial certificate help?


si458 commented Nov 11, 2024

another user had a similar issue as you

have you verified the SSL you are seeing in the web ui, is the SAME SSL that the remote device sees?

also try the following:

  1. remove TlsOffload
  2. remove MpsTlsOffload
  3. remove httpheaders
  4. remove agentConfig
  5. remove IgnoreAgentHashCheck
  6. dont delete any certs and restart meshcentral
  7. try again?

One other thing to try, as the other person did, is to uninstall the meshagent, then redownload the meshagent and reinstall it.
It's a pain, but it might work.

@CrazybernieNL (Author)

How can I verify what cert the remote device sees ?

I will try changing the config .

Reinstalling all 600 agents is gonna be a pain, because for about half of them we can't remotely access them except through MeshCentral.


si458 commented Nov 11, 2024

You can just visit the website login page.
Then click the shield and view its certificate (well, Firefox anyway; I think Chrome's is similar).
