amidaware / tacticalrmm

A remote monitoring & management tool, built with Django, Vue and Go.
https://docs.tacticalrmm.com

Tactical RMM Instructions say 3 domains are needed, but asks for 4. #1895

Closed W1BTR closed 1 week ago

W1BTR commented 1 week ago

The docs say the following:

The RMM uses 3 different sites. The Vue frontend e.g. rmm.example.com which is where you'll be accessing your RMM from the browser, the REST backend e.g. api.example.com and MeshCentral e.g. mesh.example.com
rmm. api. and mesh. are what we recommend, but you can use whatever you want if they're already in use.

Which makes me think I would want: api.mydomain.com mesh.mydomain.com and rmm.mydomain.com

However, when setting up, Tactical RMM also asks for my ROOT domain, which would be mydomain.com

[image]

However, mydomain.com is already in use for something else. I don't understand what this fourth domain is for. Can I just set it to rmm.mydomain.com as well?

I can do api.rmm.mydomain.com etc if need be.

wh1te909 commented 1 week ago

no, it's just used in the certbot command to get the wildcard cert. has nothing to do with it being already used.

W1BTR commented 1 week ago

Okay, I don't want to sacrifice my entire domain, so the wildcard cert will always fail. Why doesn't it get individual certs? Obviously as a workaround I can just have it behind another rmm subdomain; it just seems silly.

wh1te909 commented 1 week ago

you can have as many certs as you want for your root domain, no sacrifice needed. nothing will break.

W1BTR commented 1 week ago

All I can tell you is that it fails because it points to another IP address, so it can't confirm I own it, where the other three point to this server.

dinger1986 commented 1 week ago

Yes you can, because it's got nothing to do with the IP address; you are adding a new TXT record for Let's Encrypt to get the wildcard.

wh1te909 commented 1 week ago

the install script uses the DNS TXT record method to get the wildcard cert. it doesn't matter which IP your domain is pointed to. This is the reason we use a TXT record, so that you don't have to worry about IP addresses.

If you want you can just get a cert for api.example.com with 2 SANs for mesh.example.com and rmm.example.com and then call the install script with the --use-own-cert flag: https://docs.tacticalrmm.com/functions/settings_override/#using-your-own-wildcard-ssl-cert
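The two options described in the thread, as an added example that is not part of the issue or of the tacticalrmm project: a helper that derives the `_acme-challenge` record name a DNS-01 validation looks up (which is why the A record of the root domain is irrelevant), the certbot invocation a wildcard DNS-01 request amounts to (assumed to match what the installer runs; the exact installer command is not shown on this page), and the alternative single cert for `api.`, `mesh.` and `rmm.` that you would hand to the installer with `--use-own-cert`. Domain names are placeholders; `dig` is used only if present.

```shell
#!/bin/sh
# Added example, not from the tacticalrmm project or this thread.
# Assumes certbot with DNS-01 support and placeholder domain names.

# DNS-01 is proven by a TXT record at _acme-challenge.<base name>.
# For the wildcard "*.example.com" the base name is "example.com", so the
# CA reads a TXT record there and never follows the A record of example.com.
acme_challenge_name() {
    base="${1#\*.}"          # strip a leading "*." from a wildcard identifier
    printf '_acme-challenge.%s\n' "$base"
}

# Wildcard via DNS-01 (assumed equivalent to the installer's certbot call):
# --manual prints the TXT value to publish and waits until you continue;
# no web server and no open port on this host are required for validation.
wildcard_cert_cmd() {
    printf "certbot certonly --manual --preferred-challenges dns -d '*.%s'\n" "$1"
}

# Alternative from the thread: one cert for api. with mesh. and rmm. as SANs.
# HTTP-01 works here because all three names resolve to the RMM server.
# --standalone binds port 80 itself, so run it before the RMM's nginx is up
# (or swap in --webroot once it is). Pass the result to the installer with
# --use-own-cert as described in the linked docs.
san_cert_cmd() {
    domain="$1"
    printf "certbot certonly --standalone --preferred-challenges http -d 'api.%s' -d 'mesh.%s' -d 'rmm.%s'\n" \
        "$domain" "$domain" "$domain"
}

# Live check before telling certbot --manual to continue: has the TXT record
# propagated? Prints the current TXT values; returns 2 if dig is unavailable.
check_txt_record() {
    if command -v dig >/dev/null 2>&1; then
        dig +short TXT "$(acme_challenge_name "$1")"
    else
        echo "dig not installed; skipping live check" >&2
        return 2
    fi
}

# Usage: sh thisscript.sh mydomain.com
if [ -n "${1:-}" ]; then
    echo "TXT record the CA will query for '*.$1':"
    acme_challenge_name "*.$1"
    echo "Wildcard (DNS-01) request:"
    wildcard_cert_cmd "$1"
    echo "Three-name (HTTP-01) request:"
    san_cert_cmd "$1"
    echo "Current TXT values (if any):"
    check_txt_record "*.$1" || true
fi
```

The point the helper makes concrete: for `*.mydomain.com` the CA only queries `_acme-challenge.mydomain.com`, so the record you add sits beside the existing records of the root domain and nothing else there has to change.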

W1BTR commented 1 week ago

Okay, I see what's going on. I've never seen / heard of certbot using txt challenges or anything other than the standard apache check, so I just glossed over it. My experience goes back a good number of years but appears more narrow than I'd thought. Apologies!