[GH-ISSUE #196] Internal server certs #2062

Closed
opened 2026-03-14 02:19:26 +03:00 by kerem · 8 comments

Originally created by @Uzzi on GitHub (Nov 30, 2020).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/196

Hi, I want to deploy RMM onto an internal server, with no external exposure, but then install.sh reports: The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "*.DOMAIN.intranet": Domain name does not end with a valid public suffix (TLD)

How can I fix it?
Thank you

kerem closed this issue 2026-03-14 02:19:31 +03:00

@Uzzi commented on GitHub (Nov 30, 2020):

I've created certs by: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/selfsigned.key -out /etc/ssl/selfsigned.crt

I've edited install.sh and modified the certs section.

But now I cannot login. Error: Bad credentials


@wh1te909 commented on GitHub (Nov 30, 2020):

Hi, self-signed certs will no longer work since we switched to NATS, which is why I removed them from the install script.

You can still get a free Let's Encrypt cert for internal use; you don't need to open any ports. If you don't have a domain, just get a free one from freenom.com.


@meyerje commented on GitHub (Nov 30, 2020):

Does this remove support for an internal root CA as well?


@wh1te909 commented on GitHub (Nov 30, 2020):

@meyerje no, that should still be fine cuz yours is a proper cert; NATS just doesn't like ghetto ones generated by openssl. Will DM you on Discord cuz I need you to test.


@Uzzi commented on GitHub (Nov 30, 2020):

Can I configure Tactical to work only with an internal domain and request a Let's Encrypt cert for a different public domain?
I have Let's Encrypt certs for another public domain; can I use them?


@wh1te909 commented on GitHub (Nov 30, 2020):

@Uzzi yea, so NATS needs a valid certificate, which doesn't necessarily have to be the same cert used for the rmm website, so I guess you could use the self-signed cert for everything except NATS, and then use a Let's Encrypt cert just for NATS.

I'll be releasing an update soon with that option, so I will follow up with you then with instructions.


@Uzzi commented on GitHub (Dec 1, 2020):

@wh1te909 during agent installation, I get an x509 certificate error.


@wh1te909 commented on GitHub (Dec 2, 2020):

@Uzzi I'm not familiar at all with certs, but I think prolly you have to add the cert to the agent's trusted cert store or something, which is why I recommend you just do Let's Encrypt or get a proper cert and you won't have any of these errors.

I added some optional settings in the latest release, 0.2.4, for using custom certs, though, if you want to try.

You can add the 2 following variables to the bottom of `/rmm/api/tacticalrmm/tacticalrmm/local_settings.py`:

```
CERT_FILE = "/path/to/your/fullchain.pem"
KEY_FILE = "/path/to/your/privkey.pem"
```

Then do a `sudo systemctl restart rmm` and, from the web interface, go to Tools > Server Maintenance > Reload Nats.
Then check `sudo systemctl status nats` and see if there are any certificate errors, or just try installing an agent again.
Note that these custom certs are only for NATS, not for nginx. You can read more about the NATS cert requirements here: https://docs.nats.io/nats-server/configuration/securing_nats/tls#certificate-authorities

For nginx you should still be able to use a ghetto cert generated by openssl.

edit: forgot to add: make sure those 2 cert files are owned by whatever Linux user you installed the rmm as, or that that user at least has read access, so do a `chmod 755` on them. Do not edit or create anything as root; always work from the same user you installed rmm as.

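A preflight script for the custom-cert procedure in the comment above (an added example, not tacticalrmm's own code): it checks whether the chosen name is one a public CA can issue for at all, whether the CERT_FILE/KEY_FILE pair is readable by the user running the checks, and whether the two files load as a matching cert/key pair. The paths and the list of private suffixes are assumptions.

```python
import os
import ssl
import stat

# Assumed values; the real ones come from local_settings.py.
CERT_FILE = "/path/to/your/fullchain.pem"
KEY_FILE = "/path/to/your/privkey.pem"

# Constructed list of suffixes absent from the public suffix list, so a public CA such as
# Let's Encrypt refuses them (the install.sh error in this issue): RFC 2606/6761/6762 names
# plus common private-network conventions.
PRIVATE_SUFFIXES = {"intranet", "internal", "local", "lan", "corp", "home",
                    "localhost", "test", "example", "invalid"}


def is_publicly_issuable(fqdn: str) -> bool:
    """TLD-level check only: could a public CA issue for this name at all?"""
    labels = fqdn.lower().strip(".").split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] not in PRIVATE_SUFFIXES


def readable_by(path: str, uid: int) -> bool:
    """The comment's ownership rule: owned by the rmm user, or at least world-readable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    return bool(st.st_mode & stat.S_IROTH)


def cert_matches_key(cert_file: str, key_file: str) -> bool:
    """Load the PEM pair as a TLS server would; False on bad PEM or key/cert mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_file, key_file)
    except (ssl.SSLError, OSError):
        return False
    return True


def preflight(fqdn: str, cert_file=CERT_FILE, key_file=KEY_FILE, uid=None) -> list:
    """Run as the rmm user (uid defaults to the caller); return the problems found."""
    uid = os.getuid() if uid is None else uid
    problems = []
    if not is_publicly_issuable(fqdn):
        problems.append(f"{fqdn}: no public CA will issue for this suffix")
    for path in (cert_file, key_file):
        if not readable_by(path, uid):
            problems.append(f"{path}: missing or not readable by uid {uid}")
    if not problems and not cert_matches_key(cert_file, key_file):
        problems.append("cert/key do not parse as a matching pair")
    return problems
```

Run it as the user that installed rmm, e.g. `print(preflight("rmm.example.com"))`, before the `systemctl restart rmm` step; an empty list means the files are at least loadable, which is the precondition for the `systemctl status nats` check to be meaningful.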