[GH-ISSUE #95] Feature Request: Support internal CA #1993

Closed
opened 2026-03-14 02:00:10 +03:00 by kerem · 4 comments

Originally created by @meyerje on GitHub (Sep 8, 2020).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/95

Originally assigned to: @sadnub on GitHub.

We are deploying this behind a firewall and VPN using our domain certificate authority. To enable this I made the below modifications to the install script and am wondering if these can be leveraged moving forward with install.sh and update.sh?

Change line 101 to `=true` to force BEHIND_NAT (probably not necessary):

```bash
BEHIND_NAT=true
```

Comment out lines 122 - 126 to bypass Let's Encrypt:

```bash
#sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email
#while [[ $? -ne 0 ]]
#do
#sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email
#done
```

And then changed each section of the nginx configurations to point to the certificates we got from our CA for the server. The certificates must be staged before running the installer script. Replace each instance of:

```nginx
ssl_certificate /etc/letsencrypt/live/${rootdomain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${rootdomain}/privkey.pem;
```

With:

```nginx
ssl_certificate /etc/ssl/certs/caissued.pem;
ssl_certificate_key /etc/ssl/private/privkey.pem;
```

@sadnub commented on GitHub (Sep 9, 2020):

@wh1te909 I was thinking more about this and we can allow updating certificates through the UI. We could also allow completing the letsencrypt setup in the UI as well. The reverse proxy can just fall back to self-signed certs if none are present. Let me know if this sounds good and I can implement it.


@meyerje commented on GitHub (Sep 9, 2020):

That'd be great. I noticed the four Let's Encrypt lines in the install.sh file will loop indefinitely if the commands fail so we may have to account for at least that.


@sadnub commented on GitHub (Oct 18, 2020):

@meyerje I added #140 to remove the Let's Encrypt dependency from the install script. If you opt out of Let's Encrypt, it will create a self-signed certificate. You can replace the self-signed certificate with your internal CA certs and restart nginx. I added a section to the readme also.

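The two points raised above, the unbounded certbot retry loop in install.sh and the opt-out path that falls back to a self-signed certificate which operators later replace with internal CA files, as an added example. This is not tacticalrmm's own install.sh or #140; `retry_bounded`, `check_cert_pair`, `issue_cert`, `reload_nginx` and the output directory layout are assumptions made here, and the deprecated `--manual-public-ip-logging-ok` flag from the original snippet is left out.

```shell
#!/usr/bin/env bash
# Added example, not tacticalrmm's install.sh. Replaces the unbounded
# `while [[ $? -ne 0 ]]` certbot loop with a bounded retry, falls back to a
# self-signed certificate, and checks the cert/key pair before nginx reloads.

# retry_bounded MAX CMD...: run CMD up to MAX times; 0 on the first success,
# 1 if every attempt fails. The original loop never exits while certbot fails.
retry_bounded() {
    local max="$1" attempt=1; shift
    while [ "$attempt" -le "$max" ]; do
        "$@" && return 0
        echo "attempt $attempt/$max failed: $*" >&2
        attempt=$((attempt + 1))
    done
    return 1
}

# check_cert_pair CERT KEY: 0 only if both files exist and are readable, so
# nginx is never pointed at a certificate that was not staged.
check_cert_pair() {
    [ -r "$1" ] && [ -r "$2" ]
}

# issue_cert ROOTDOMAIN EMAIL OUTDIR: try Let's Encrypt (wildcard, DNS
# challenge) up to 3 times; otherwise write a self-signed pair into OUTDIR so
# the install still completes. The nginx config references only
# OUTDIR/fullchain.pem and OUTDIR/privkey.pem (hypothetical layout), which an
# operator can overwrite with internal CA material later.
issue_cert() {
    local rootdomain="$1" letsemail="$2" outdir="$3"
    mkdir -p "$outdir"
    if retry_bounded 3 sudo certbot certonly --manual -d "*.${rootdomain}" \
            --agree-tos --no-bootstrap --preferred-challenges dns \
            -m "$letsemail" --no-eff-email; then
        ln -sf "/etc/letsencrypt/live/${rootdomain}/fullchain.pem" "$outdir/fullchain.pem"
        ln -sf "/etc/letsencrypt/live/${rootdomain}/privkey.pem" "$outdir/privkey.pem"
    else
        echo "Let's Encrypt failed after 3 attempts; using self-signed fallback" >&2
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=*.${rootdomain}" \
            -keyout "$outdir/privkey.pem" -out "$outdir/fullchain.pem"
        chmod 600 "$outdir/privkey.pem"
    fi
    check_cert_pair "$outdir/fullchain.pem" "$outdir/privkey.pem"
}

# reload_nginx: validate the config first so a bad cert path does not take
# the running reverse proxy down.
reload_nginx() {
    sudo nginx -t && sudo systemctl reload nginx
}
```

After swapping in internal CA files at the same paths, `check_cert_pair` followed by `reload_nginx` is the full replacement step.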

@wh1te909 commented on GitHub (Oct 18, 2020):

merged
