diff --git a/certoperations.js b/certoperations.js
index 4ddc1052..fcc4c840 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -742,12 +742,15 @@ module.exports.CertificateOperations = function (parent) {
 // Return true if the name is found in the certificates names, we support wildcard certificates
 obj.compareCertificateNames = function(certNames, name) {
 if (certNames == null) return false;
- if (certNames.indexOf(name.toLowerCase()) >= 0) return true;
- for (var i in certNames) {
- if ((certNames[i].startsWith('*.') == true) && (name.endsWith(certNames[i].substring(1)) == true)) { return true; }
- if (certNames[i].startsWith('http://*.') == true) {
- if (name.endsWith(certNames[i].substring(8)) == true) { return true; }
- if ((certNames[i].endsWith('/') == true) && (name.endsWith(certNames[i].substring(8, certNames[i].length - 1)) == true)) { return true; }
+ name = name.toLowerCase();
+ var xcertNames = [];
+ for (var i in certNames) { xcertNames.push(certNames[i].toLowerCase()); }
+ if (xcertNames.indexOf(name) >= 0) return true;
+ for (var i in xcertNames) {
+ if ((xcertNames[i].startsWith('*.') == true) && (name.endsWith(xcertNames[i].substring(1)) == true)) { return true; }
+ if (xcertNames[i].startsWith('http://*.') == true) {
+ if (name.endsWith(xcertNames[i].substring(8)) == true) { return true; }
+ if ((xcertNames[i].endsWith('/') == true) && (name.endsWith(xcertNames[i].substring(8, xcertNames[i].length - 1)) == true)) { return true; }
 }
 }
 return false;
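Review bot: The `'*.'` branch of the rewritten loop still accepts any depth of subdomain, because `name.endsWith(xcertNames[i].substring(1))` lets `a.b.example.com` pass for `*.example.com`, whereas TLS clients only honour a wildcard for a single label; a configured name can therefore pass this check and still produce a hostname mismatch at the client, and the lowercasing this hunk adds does not change that. If single-label wildcard semantics are the intent, bind the suffix and reject a further dot in front of it: `var suffix = xcertNames[i].substring(1);` followed by `if (xcertNames[i].startsWith('*.') && name.endsWith(suffix) && name.slice(0, -suffix.length).indexOf('.') < 0) { return true; }`. The `'http://*.'` branch has the same depth behaviour and would need the same treatment. The lowercase copy can also be built with `var xcertNames = certNames.map(function (n) { return n.toLowerCase(); });`, which avoids `for...in` over an array and the re-declared `i`.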
@@ -992,12 +995,13 @@ module.exports.CertificateOperations = function (parent) {
 if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
 // Check if we have correct certificates.
- if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; } else { r.CommonName = commonName; }
+ if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { console.log("Error: " + commonName + " does not match name in TLS certificate: " + r.CommonNames.join(', ')); forceWebCertGen = 1; } else { r.CommonName = commonName; }
 if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
+ if (args.keepcerts == true) { forceWebCertGen = 0; forceMpsCertGen = 0; r.CommonName = commonName; }
 // If the certificates matches what we want, use them.
 if ((forceWebCertGen == 0) && (forceMpsCertGen == 0)) {
- if (func !== undefined) { func(r); }
+ if (func !== null) { func(r); }
 return r;
 }
 }
@@ -1051,7 +1055,7 @@ module.exports.CertificateOperations = function (parent) {
 // If the web certificate does not exist, create one
 var webCertAndKey, webCertificate, webPrivateKey;
- if ((r.web == null) || (forceWebCertGen == 1)) {
+ if ((r.web == null) || (forceWebCertGen === 1)) {
 console.log("Generating HTTPS certificate...");
 webCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, commonName, country, organization, null, strongCertificate);
 webCertificate = obj.pki.certificateToPem(webCertAndKey.cert);
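Review bot: Changing the callback guard from `func !== undefined` to `func !== null` means a caller that simply omits `func` now reaches `func(r)` with `undefined` and throws a TypeError, while only a caller passing `null` is protected; `if (func != null) { func(r); }` covers both without changing behaviour for a present callback. The `args.keepcerts` override also assigns `r.CommonName = commonName` right after the check established that the certificate does not carry that name, so anything downstream that treats `r.CommonName` as a name the certificate proves will be misled; if the field is meant as the name to advertise rather than the proven one, a comment such as `// keepcerts: keep the mismatched certificates; clients will still see a hostname mismatch` should say so. The mismatch is logged with an `Error:` prefix before the override is applied, so a deliberately configured keepcerts run logs an error on every start; logging the override decision on the same path would make the outcome explicit. The enclosing function begins before this hunk.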
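Review bot: The tightened `forceWebCertGen === 1` only regenerates when the flag holds the number 1; within this diff the flag is assigned `1` and `0`, but any assignment elsewhere using `true` would now silently skip regeneration and keep a certificate that failed the name check. Either keep the loose comparison or normalise the flag to a boolean where it is declared and compare with `=== true`. The same applies to `forceMpsCertGen === 1` in the `@@ -1108,7 +1112,7 @@` hunk. The declarations of both flags are outside this hunk, so I cannot confirm every assignment from here.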
@@ -1108,7 +1112,7 @@ module.exports.CertificateOperations = function (parent) {
 // If the Intel AMT MPS certificate does not exist, create one
 var mpsCertAndKey, mpsCertificate, mpsPrivateKey;
- if ((r.mps == null) || (forceMpsCertGen == 1)) {
+ if ((r.mps == null) || (forceMpsCertGen === 1)) {
 console.log("Generating Intel AMT MPS certificate...");
 mpsCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, mpsCommonName, mpsCountry, mpsOrganization, null, false);
 mpsCertificate = obj.pki.certificateToPem(mpsCertAndKey.cert);
diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 61e9974e..49e969bb 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -8,6 +8,7 @@
 "type": "object",
 "properties": {
 "cert": { "type": "string", "description": "Set this to the primary DNS name of this MeshCentral server." },
+ "keepCerts": { "type": "boolean", "default": false, "description": "Force MeshCentral to use the HTTPS and MPS certificates even if the name does not match the expected DNS value." },
 "mongoDb": { "type": "string", "default": null },
 "mongoDbName": { "type": "string" },
 "mongoDbChangeStream": { "type": "boolean", "default": false },
diff --git a/webserver.js b/webserver.js
index 7e2a7861..316d5c96 100644
--- a/webserver.js
+++ b/webserver.js
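Review bot: The new `keepCerts` description says the certificates are forced into use but not what that disables: the name check it bypasses is the one that otherwise regenerates the certificate, and clients validating the HTTPS name will still see a mismatch. A description along the lines of `"Use the existing HTTPS and MPS certificates even if their names do not match the configured DNS name; clients will see a certificate name mismatch. Default false."` tells an operator what they are switching off. The code in certoperations.js reads `args.keepcerts` in lower case while the schema key is `keepCerts`, which presumably relies on configuration keys being lowercased before they reach `args`; worth confirming, since a case-sensitive read would ignore the setting silently.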
@@ -144,8 +144,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 obj.agentCertificateHashHex = parent.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert);
 obj.agentCertificateHashBase64 = Buffer.from(obj.agentCertificateHashHex, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
 obj.agentCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.agent.cert))).getBytes();
- obj.defaultWebCertificateHash = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert);
- obj.defaultWebCertificateFullHash = parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert);
+ obj.defaultWebCertificateHash = obj.certificates.webdefault ? parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert) : null;
+ obj.defaultWebCertificateFullHash = obj.certificates.webdefault ? parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert) : null;
 // Compute the hash of all of the web certificates for each domain
 for (var i in obj.parent.config.domains) {
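Review bot: `obj.defaultWebCertificateHash` and `obj.defaultWebCertificateFullHash` can now be `null`, and nothing in the hunk says how consumers should treat that; a loose comparison such as `presentedHash == obj.defaultWebCertificateHash` elsewhere would make an absent hash compare equal to an absent default, so every consumer needs an explicit null guard, which I cannot verify from here. A comment on the assignment would pin the contract: `// null when no default web certificate is configured; callers must treat null as "no match", never as a wildcard`. The repeated `obj.certificates.webdefault ? … : null` could also be hoisted into `var webDefault = obj.certificates.webdefault;` so the two assignments cannot drift apart. The enclosing CreateWebServer function continues past this hunk.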