MeshCentral with CloudFlare Tunnels

[teparky]

Hi All,

I have been setting up MeshCentral to try it out. I have been trying to get it working using CloudFlare Tunnels.

I have configured the "certUrl" option for the domain used however my Remote Agents fail to connect unless I add in the line "ignoreAgentHash".

Have I done something completely silly here and missed a configuration step? I have included my config.json file but I have replaced domains with "example.com".
config.json

This is the error I keep finding in the logs:
WEBREQUEST: (172.17.0.3) /agent.ashx/.websocket
AGENT: New agent at 172.17.0.3:43902
CERT: loadCertificate() - Loading certificate from rmm.example.com:443, Hostname: rmm.example.com...
AGENT: Agent bad web cert hash (Agent:9b8aa02e85 != Server:7e45e33c1a or 29093a3e99), holding connection (172.17.0.3:43902).
AGENT: Agent reported web cert hash:9b8aa02e85a5f868cd87a46b2ce3079edc15783bbc16275f2412ce8b9883243a7e3c8eb706767848e086e3da840e203e.
Agent bad web cert hash (Agent:9b8aa02e85 != Server:7e45e33c1a or 29093a3e99), holding connection (172.17.0.3:43902).
Agent reported web cert hash:9b8aa02e85a5f868cd87a46b2ce3079edc15783bbc16275f2412ce8b9883243a7e3c8eb706767848e086e3da840e203e.
CERT: loadCertificate() - TLS connected, got certificate.
HTTPHEADERS: GET /agent.ashx/.websocket {
host: 'rmm.example.com',
'accept-encoding': 'gzip, br',
'cdn-loop': 'cloudflare',
'cf-connecting-ip': '51.0.0.1',
'cf-ipcountry': 'GB',
'cf-ray': '873bce02489a63a7-LHR',
'cf-visitor': '{"scheme":"https"}',
'cf-warp-tag-id': 'b28b94ac-9199-419d-896f-cf5ace0dca9c',
connection: 'Upgrade',
'sec-websocket-key': '9tf86INvGrQVEfSOspPGvT==',
'sec-websocket-version': '13',
upgrade: 'websocket',
'x-forwarded-for': '51.0.0.1',
'x-forwarded-proto': 'https'
}
WEBREQUEST: (172.17.0.3) /agent.ashx/.websocket
AGENT: New agent at 172.17.0.3:54134
AGENT: Agent bad web cert hash (Agent:9b8aa02e85 != Server:7e45e33c1a or 29093a3e99), holding connection (172.17.0.3:54134).
AGENT: Agent reported web cert hash:9b8aa02e85a5f868cd87a46b2ce3079edc15783bbc16275f2412ce8b9883243a7e3c8eb706767848e086e3da840e203e.
Agent bad web cert hash (Agent:9b8aa02e85 != Server:7e45e33c1a or 29093a3e99), holding connection (172.17.0.3:54134).
Agent reported web cert hash:9b8aa02e85a5f868cd87a46b2ce3079edc15783bbc16275f2412ce8b9883243a7e3c8eb706767848e086e3da840e203e.

[si458]

You have domains set with a dns name,
The very first domain should always be blank!!!
so change "rmm.example.com" to ""

Edit also just try curl -v https://rmm.example.com from ur meshcentral server and see what ssl gets returned, and check its returning the correct one from cloudflare
Edit2. Also do edit1 but from a remote device which has the agent installed, and see if the ssl certs are the same

[Xiaoh-123]

I have a similar setup with what I imagine is a similar issue : Cloudflare tunnel, web GUI is reachable from LAN and WAN, but clients don't connect or appear offline unless "ignoreAgentHashCheck": true, is set in config.json.
@si458 I see that like in my own post, you recommend using curl to test the domain. In my case the first block of lines in the curl output actually lists mesh.mydomain.tld a lot and I can also see an HTTP/2 200, so I'd guess that means things are looking fine, however it still won't work.
I would like to check the logs but I have no idea how to do this (my install is from tteck script on a Proxmox LXC with nodejs), could you point me to the instructions on how to read MC logs? Looked for those but couldn't find anything that works.

[si458]

To view logs, u can use systemctl status meshcentral
But the best way is to, systemctl stop meshcentral to stop it
Then start it manually in full debug mode (this will output ALOT of logs, so be prepared) node node_modules/meshcentral --debug

[Xiaoh-123]

Thanks for the help with the commands. Looks like my problem was unrelated, but I managed to fix it browsing the certificates and doing lots and lots of curl.
I'll give out a fully detailed explanation on my own post #6285 for anyone interested.
TLDR it was because of a local DNS rewrite that was sending the certurl request to my NginxProxyManager cert instead of the Cloudflare cert.