MeshCentral2 Failed To Renew SSL Cert
-
Been running an internal MeshCentral2 server and noticed that it just failed to renew an SSL certificate that has been properly updating for nearly 2 yrs. It's running on Fedora 30 and was set up using this awesome tutorial...
https://www.mangolassi.it/topic/18767/install-meshcentral2-on-fedora-29-with-mongodb?_=1670279143289
I checked the letsencrypt log files but the only entries are dated with today's date (cert expired Dec 2 so renewal was probably sometime before that).
sudo systemctl status meshcentral indicates MeshCentral is running and listening on port 443 properly with no errors indicated.
Everything I looked at appears to tell me it should be working but for some reason isn't renewing certs.
I have rebooted the server as well...just in case, to no avail.
Anyone have any suggestions for where to look next?
-
Try stopping the MeshCentral service, then use
node /path_to_your/node_modules/meshcentral/ --debug cert
Unless by "letsencrypt log files" you mean that you did the cert debug. That may provide you some insight into what's going on.
This was my output for comparison (my Let's Encrypt stuff seems to function fine):
MeshCentral HTTP redirection server running on port 80.
CERT: LE: Getting certs from local store (Production)
CERT: LE: Reading certificate files
CERT: LE: Setting LE cert for default domain.
MeshCentral v1.1.0, Hybrid (LAN + WAN) mode.
MeshCentral Intel(R) AMT server running on mc.ejsllc.com:4433.
MeshCentral HTTPS server running on mc.ejsllc.com:443.
CERT: LE: Certificate has 67 day(s) left.
CERT: LE: Certificate is ok.
-
@EddieJennings Here is the outcome (domain redacted):
node /opt/meshcentral/node_modules/meshcentral --debug cert
[root@ppmmeshcentral ~]# node /opt/meshcentral/node_modules/meshcentral --debug cert
MeshCentral HTTP redirection server running on port 80.
CERT: LE: Getting certs from local store (Production)
CERT: LE: Reading certificate files
CERT: LE: Setting LE cert for default domain.
MeshCentral v1.0.0, WAN mode.
MeshCentral Intel(R) AMT server running on xxxxxxxxx.com:4433.
Server customer1 has no users, next new account will be site administrator.
MeshCentral HTTPS server running on xxxxxxxx.com:443.
CERT: LE: Certificate has -4 day(s) left.
CERT: LE: Asking for new certificate because of expire time.
CERT: LE: Generating private key...
CERT: LE: Setting up ACME client...
CERT: LE: Creating certificate request...
CERT: LE: Requesting certificate from Let's Encrypt...
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Succesful response to challenge.
CERT: LE: Failed to obtain certificate: Error finalizing order :: signature algorithm not supported -
I also found this post from the MeshCentral author with a suggested tweak to the json file:
https://github.com/Ylianst/MeshCentral/issues/3245#issuecomment-982111380
-
Next I checked status via letsdebug.net with the following results:
All OK!
OK
No issues were found with xxxxxxxx[dot]com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.
Still showing an expired cert. Is there a way to force renew the cert?
-
@NashBrydges said in MeshCentral2 Failed To Renew SSL Cert:
Failed to obtain certificate: Error finalizing order :: signature algorithm not supported
One final update. After more searching, I found this that referenced the actual error I was seeing about algorithm not supported.
https://github.com/Ylianst/MeshCentral/issues/4676
After upgrading from v1.0 to v1.1 and rebooting, the cert automatically renewed and the issue was resolved!
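-
Added example, not part of any post in this thread and not MeshCentral's own code: a small shell check that reads saved `--debug cert` output and flags the two conditions seen above (days left at or below zero, and a "Failed to obtain certificate" line) so a silent renewal failure is noticed before users hit an expired cert. The function name, the 14-day warning threshold and the exit codes are assumptions of this example; the sample lines are abridged from the outputs posted above.

```shell
#!/usr/bin/env bash
# Classify MeshCentral "--debug cert" output read from stdin.
# Exit status (this example's own convention):
#   0 = ok, 1 = fewer than WARN days left,
#   2 = expired or renewal failed, 3 = no days-left line found.
le_cert_status() {
    warn_days="${1:-14}"   # assumed threshold, not a MeshCentral setting
    awk -v warn="$warn_days" '
        # e.g. "CERT: LE: Certificate has -4 day(s) left."
        /CERT: LE: Certificate has -?[0-9]+ day[(]s[)] left/ {
            for (i = 1; i < NF; i++) if ($i == "has") days = $(i + 1)
            seen = 1
        }
        # Keep the ACME error text that follows the failure marker.
        /CERT: LE: Failed to obtain certificate:/ {
            reason = $0
            sub(/^.*Failed to obtain certificate: */, "", reason)
            failed = 1
        }
        END {
            if (!seen)               { print "UNKNOWN no days-left line"; exit 3 }
            if (failed)              { print "FAIL days=" days " reason=" reason; exit 2 }
            if (days + 0 <= 0)       { print "EXPIRED days=" days; exit 2 }
            if (days + 0 < warn + 0) { print "WARN days=" days; exit 1 }
            print "OK days=" days
        }
    '
}

# Sample input, abridged from the failing output posted in this thread.
sample_failed() {
    cat <<'EOF'
CERT: LE: Certificate has -4 day(s) left.
CERT: LE: Asking for new certificate because of expire time.
CERT: LE: Failed to obtain certificate: Error finalizing order :: signature algorithm not supported
EOF
}

# Sample input, abridged from the working output posted in this thread.
sample_ok() {
    cat <<'EOF'
CERT: LE: Certificate has 67 day(s) left.
CERT: LE: Certificate is ok.
EOF
}

sample_failed | le_cert_status || echo "exit status: $?"
```

Feed it output captured to a file from a debug run; the debug run keeps the server in the foreground, so a direct pipe would not reach end of input until the process is stopped.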