amidaware / tacticalrmm

A remote monitoring & management tool, built with Django, Vue and Go.

Home Page: https://docs.tacticalrmm.com

Tactical RMM Instructions say 3 domains are needed, but asks for 4.

W1BTR opened this issue · comments

The docs say the following:

The RMM uses 3 different sites. The Vue frontend e.g. rmm.example.com which is where you'll be accessing your RMM from the browser, the REST backend e.g. api.example.com and MeshCentral e.g. mesh.example.com
rmm. api. and mesh. are what we recommend, but you can use whatever you want if they're already in use.

Which makes me think I would want:
api.mydomain.com
mesh.mydomain.com
and rmm.mydomain.com

However, when setting up, Tactical RMM also asks for my ROOT domain, which would be mydomain.com

However, mydomain.com is already in use for something else. I don't understand what this fourth domain is for. Can I just set it to rmm.mydomain.com as well?

I can do api.rmm.mydomain.com etc if need be.

commented

no, it's just used in the certbot command to get the wildcard cert. has nothing to do with it being already used.

Okay, I don't want to sacrifice my entire domain, so the wildcard cert will always fail. Why doesn't it get individual certs? Obviously as a workaround I can just have it behind another rmm subdomain, just seems silly.

commented

you can have as many certs as you want for your root domain, no sacrifice needed. nothing will break.

All I can tell you is that it fails because it points to another IP address so it can't confirm I own it, where the other three point to this server.

Yes you can, 'cause it's got nothing to do with the IP address; you are adding a new TXT record for Let's Encrypt to get the wildcard.

commented

the install script uses the DNS TXT record method to get the wildcard cert. it doesn't matter which IP your domain is pointed to. This is the reason we use TXT record so that you don't have to worry about IP addresses.

If you want you can just get a cert for api.example.com with 2 SANs for mesh.example.com and rmm.example.com and then call the install script with the --use-own-cert flag: https://docs.tacticalrmm.com/functions/settings_override/#using-your-own-wildcard-ssl-cert

Okay, I see what's going on. I've never seen / heard of certbot using txt challenges or anything other than the standard apache check, so I just glossed over it. My experience goes back a good number of years but appears more narrow than I'd thought. Apologies!