Added 'keepcerts' option to force keeping HTTPS/MPS cert.

certoperations.js

@@ -742,12 +742,15 @@ module.exports.CertificateOperations = function (parent) {
     // Return true if the name is found in the certificates names, we support wildcard certificates
     obj.compareCertificateNames = function(certNames, name) {
         if (certNames == null) return false;
-        if (certNames.indexOf(name.toLowerCase()) >= 0) return true;
+        name = name.toLowerCase();
-        for (var i in certNames) {
+        var xcertNames = [];
-            if ((certNames[i].startsWith('*.') == true) && (name.endsWith(certNames[i].substring(1)) == true)) { return true; }
+        for (var i in certNames) { xcertNames.push(certNames[i].toLowerCase()); }
-            if (certNames[i].startsWith('http://*.') == true) {
+        if (xcertNames.indexOf(name) >= 0) return true;
-                if (name.endsWith(certNames[i].substring(8)) == true) { return true; }
+        for (var i in xcertNames) {
-                if ((certNames[i].endsWith('/') == true) && (name.endsWith(certNames[i].substring(8, certNames[i].length - 1)) == true)) { return true; }
+            if ((xcertNames[i].startsWith('*.') == true) && (name.endsWith(xcertNames[i].substring(1)) == true)) { return true; }
+            if (xcertNames[i].startsWith('http://*.') == true) {
+                if (name.endsWith(xcertNames[i].substring(8)) == true) { return true; }
+                if ((xcertNames[i].endsWith('/') == true) && (name.endsWith(xcertNames[i].substring(8, xcertNames[i].length - 1)) == true)) { return true; }
             }
         }
         return false;
@@ -992,12 +995,13 @@ module.exports.CertificateOperations = function (parent) {
             if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
 
             // Check if we have correct certificates.
-            if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; } else { r.CommonName = commonName; }
+            if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { console.log("Error: " + commonName + " does not match name in TLS certificate: " + r.CommonNames.join(', ')); forceWebCertGen = 1; } else { r.CommonName = commonName; }
             if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
+            if (args.keepcerts == true) { forceWebCertGen = 0; forceMpsCertGen = 0; r.CommonName = commonName; }
 
             // If the certificates matches what we want, use them.
             if ((forceWebCertGen == 0) && (forceMpsCertGen == 0)) {
-                if (func !== undefined) { func(r); }
+                if (func !== null) { func(r); }
                 return r;
             }
         }
@@ -1051,7 +1055,7 @@ module.exports.CertificateOperations = function (parent) {
 
         // If the web certificate does not exist, create one
         var webCertAndKey, webCertificate, webPrivateKey;
-        if ((r.web == null) || (forceWebCertGen == 1)) {
+        if ((r.web == null) || (forceWebCertGen === 1)) {
             console.log("Generating HTTPS certificate...");
             webCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, commonName, country, organization, null, strongCertificate);
             webCertificate = obj.pki.certificateToPem(webCertAndKey.cert);
@@ -1108,7 +1112,7 @@ module.exports.CertificateOperations = function (parent) {
 
         // If the Intel AMT MPS certificate does not exist, create one
         var mpsCertAndKey, mpsCertificate, mpsPrivateKey;
-        if ((r.mps == null) || (forceMpsCertGen == 1)) {
+        if ((r.mps == null) || (forceMpsCertGen === 1)) {
             console.log("Generating Intel AMT MPS certificate...");
             mpsCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, mpsCommonName, mpsCountry, mpsOrganization, null, false);
             mpsCertificate = obj.pki.certificateToPem(mpsCertAndKey.cert);

meshcentral-config-schema.json

@@ -8,6 +8,7 @@
       "type": "object",
       "properties": {
         "cert": { "type": "string", "description": "Set this to the primary DNS name of this MeshCentral server." },
+        "keepCerts": { "type": "boolean", "default": false, "description": "Force MeshCentral to use the HTTPS and MPS certificates even if the name does not match the expected DNS value." },
         "mongoDb": { "type": "string", "default": null },
         "mongoDbName": { "type": "string" },
         "mongoDbChangeStream": { "type": "boolean", "default": false },

webserver.js

@@ -144,8 +144,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
     obj.agentCertificateHashHex = parent.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert);
     obj.agentCertificateHashBase64 = Buffer.from(obj.agentCertificateHashHex, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
     obj.agentCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.agent.cert))).getBytes();
-    obj.defaultWebCertificateHash = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert);
+    obj.defaultWebCertificateHash = obj.certificates.webdefault ? parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert) : null;
-    obj.defaultWebCertificateFullHash = parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert);
+    obj.defaultWebCertificateFullHash = obj.certificates.webdefault ? parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert) : null;
 
     // Compute the hash of all of the web certificates for each domain
     for (var i in obj.parent.config.domains) {