[GH-ISSUE #1786] Linux agent not connecting after Certificate change #3057

New issue

Closed

opened 2026-03-14 06:22:57 +03:00 by kerem · 11 comments

kerem commented 2026-03-14 06:22:57 +03:00

Owner

Copy link

Originally created by @albindy on GitHub (Mar 5, 2024).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1786

Server Info (please complete the following information):

• OS: Debian 12
• Browser: chrome
• RMM Version (as shown in top left of web UI): v0.17.5

Installation Method:

• [ X] Standard
• Docker

Agent Info (please complete the following information):

• Agent version (as shown in the 'Summary' tab of the agent from web UI):Agent v2.6.2
• Agent OS: Debian 12

Describe the bug
When changing the Certificate in nginx Linux Agents no longer connect.
No error in /opt/tacticalmesh/meshagent.log or /var/log/tacticalagent.log
Switching back to old Cert brings back the Agents online. Or reinstallation.
Result: Certificate Change is impossible for me. But I have to.
How can the change be done without reinstalling all Linux Agents.
To Reproduce
Steps to reproduce the behavior:

1. Go to '/etc/nginx/site-available/*.conf'
2. Change from Lets encrypt Zertificate to bought Cert
3. Restart Nginx
4. Linux Agents no longer connecting

Expected behavior
Agents should accept other active and valid certificates without reinstallation.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Originally created by @albindy on GitHub (Mar 5, 2024). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1786 **Server Info (please complete the following information):** - OS: Debian 12 - Browser: chrome - RMM Version (as shown in top left of web UI): v0.17.5 **Installation Method:** - [ X] Standard - [ ] Docker **Agent Info (please complete the following information):** - Agent version (as shown in the 'Summary' tab of the agent from web UI):Agent v2.6.2 - Agent OS: Debian 12 **Describe the bug** When changing the Certificate in nginx Linux Agents no longer connect. No error in /opt/tacticalmesh/meshagent.log or /var/log/tacticalagent.log Switching back to old Cert brings back the Agents online. Or reinstallation. Result: Certificate Change is impossible for me. But I have to. How can the change be done without reinstalling all Linux Agents. **To Reproduce** Steps to reproduce the behavior: 1. Go to '/etc/nginx/site-available/*.conf' 2. Change from Lets encrypt Zertificate to bought Cert 3. Restart Nginx 4. Linux Agents no longer connecting **Expected behavior** Agents should accept other active and valid certificates without reinstallation. **Screenshots** If applicable, add screenshots to help explain your problem. **Additional context** Add any other context about the problem here.

kerem closed this issue 2026-03-14 06:23:02 +03:00

kerem commented 2026-03-14 06:23:08 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 5, 2024):

Are you using code signing? Or any custom config?

Works fine for me after every change of cert and a lot of others.

<!-- gh-comment-id:1979476192 --> @dinger1986 commented on GitHub (Mar 5, 2024): Are you using code signing? Or any custom config? Works fine for me after every change of cert and a lot of others.

kerem commented 2026-03-14 06:23:13 +03:00

Author

Owner

Copy link

@albindy commented on GitHub (Mar 5, 2024):

Problems are meshcentral.conf and rmm.conf
When changing the Certificate there the Agents are no longer working.
Yes we use code signing.
"Code signing all agents"
No custom configs except the tried zertificate change.

<!-- gh-comment-id:1979483756 --> @albindy commented on GitHub (Mar 5, 2024): Problems are meshcentral.conf and rmm.conf When changing the Certificate there the Agents are no longer working. Yes we use code signing. "Code signing all agents" No custom configs except the tried zertificate change.

kerem commented 2026-03-14 06:23:18 +03:00

Author

Owner

Copy link

@wh1te909 commented on GitHub (Mar 5, 2024):

so windows agents connect fine with new cert?

can you run the linux agent in debug mode and see if any errors related to certs? don't paste the full output here because it contains sensitive info:

# stop service
sudo systemctl stop tacticalagent

# run in debug
tacticalagent -m rpc -log debug -logto stdout

# after done debugging, don't forget to start service back up
sudo systemctl start tacticalagent

<!-- gh-comment-id:1979495021 --> @wh1te909 commented on GitHub (Mar 5, 2024): so windows agents connect fine with new cert? can you run the linux agent in debug mode and see if any errors related to certs? don't paste the full output here because it contains sensitive info: ``` # stop service sudo systemctl stop tacticalagent # run in debug tacticalagent -m rpc -log debug -logto stdout # after done debugging, don't forget to start service back up sudo systemctl start tacticalagent ```

kerem commented 2026-03-14 06:23:23 +03:00

Author

Owner

Copy link

@albindy commented on GitHub (Mar 5, 2024):

SyncMesh: Post "https://api.*********/api/v3/syncmesh/": tls: failed to verify certificate: x509: certificate signed by unknown authority
But the cert is valid and an official wildcard working on several other systems.
Additional info, it is a wildcard Cert.
(CN) Sectigo RSA Domain Validation Secure Server CA
(O) Sectigo Limited

Yes Windows connects fine.

<!-- gh-comment-id:1979521574 --> @albindy commented on GitHub (Mar 5, 2024): SyncMesh: Post "https://api.*********/api/v3/syncmesh/": tls: failed to verify certificate: x509: certificate signed by unknown authority But the cert is valid and an official wildcard working on several other systems. Additional info, it is a wildcard Cert. (CN) Sectigo RSA Domain Validation Secure Server CA (O) Sectigo Limited Yes Windows connects fine.

kerem commented 2026-03-14 06:23:28 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 5, 2024):

Did you follow this and update all files? https://docs.tacticalrmm.com/unsupported_scripts/#using-purchased-ssl-certs-instead-of-lets-encrypt-wildcards

You don't need to do the nats regen.

You need to use the fullchain which you maybe haven't

<!-- gh-comment-id:1979531485 --> @dinger1986 commented on GitHub (Mar 5, 2024): Did you follow this and update all files? https://docs.tacticalrmm.com/unsupported_scripts/#using-purchased-ssl-certs-instead-of-lets-encrypt-wildcards You don't need to do the nats regen. You need to use the fullchain which you maybe haven't

kerem commented 2026-03-14 06:23:33 +03:00

Author

Owner

Copy link

@albindy commented on GitHub (Mar 5, 2024):

Yes, followed the guide. Did the nats regen and worked like a charme.
But! Good hint, I'm trying fullchain actual using cert.

<!-- gh-comment-id:1979535702 --> @albindy commented on GitHub (Mar 5, 2024): Yes, followed the guide. Did the nats regen and worked like a charme. But! Good hint, I'm trying fullchain actual using cert.

kerem commented 2026-03-14 06:23:38 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 5, 2024):

So it worked after a nats regen and restarting all services?

<!-- gh-comment-id:1979539932 --> @dinger1986 commented on GitHub (Mar 5, 2024): So it worked after a nats regen and restarting all services?

kerem commented 2026-03-14 06:23:43 +03:00

Author

Owner

Copy link

@albindy commented on GitHub (Mar 5, 2024):

Nats worked before.
Just to complete the picture. Problem was using cert instead of fullchain.
But Nats works with cert only and frontend too.
For rmm and meshcentral fullchain is mandatory to work.

Maybe a hint in the docu would help. But, yes I know it is unsupported.
Thanks for clearing things up and helping lightning fast!
Thanks for the great support!
All up and running now!

<!-- gh-comment-id:1979564810 --> @albindy commented on GitHub (Mar 5, 2024): Nats worked before. Just to complete the picture. Problem was using cert instead of fullchain. But Nats works with cert only and frontend too. For rmm and meshcentral fullchain is mandatory to work. Maybe a hint in the docu would help. But, yes I know it is unsupported. Thanks for clearing things up and helping lightning fast! Thanks for the great support! All up and running now!

kerem commented 2026-03-14 06:23:48 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 5, 2024):

Did you not see this?

Nats doesnt actually need a cert anymore, glad its working now

<!-- gh-comment-id:1979572006 --> @dinger1986 commented on GitHub (Mar 5, 2024): Did you not see this?  Nats doesnt actually need a cert anymore, glad its working now

kerem commented 2026-03-14 06:23:53 +03:00

Author

Owner

Copy link

@albindy commented on GitHub (Mar 5, 2024):

OMG Sorry! Totally overlooked this note.
Thanks again!
Closing.

<!-- gh-comment-id:1979581502 --> @albindy commented on GitHub (Mar 5, 2024): OMG Sorry! Totally overlooked this note. Thanks again! Closing.

kerem commented 2026-03-14 06:23:58 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 5, 2024):

lol no worries!

<!-- gh-comment-id:1979581896 --> @dinger1986 commented on GitHub (Mar 5, 2024): lol no worries!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

1.0.0

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.20.1

v0.20.0

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.5

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.12

v0.15.11

v0.15.10

v0.15.9

v0.15.8

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.2

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.32

v0.4.31

v0.4.30

v0.4.29

v0.4.28

v0.4.27

v0.4.26

v0.4.25

v0.4.24

v0.4.23

v0.4.22

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.10

v0.4.9

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

In Process

  

bug

  

bug

  

dev-triage

  

documentation

  

duplicate

  

enhancement

  

fixed

  

good first issue

  

help wanted

  

integration

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

requires agent update

  

security

  

ui tweak

  

wontfix

No labels

In Process

bug

bug

dev-triage

documentation

duplicate

enhancement

fixed

good first issue

help wanted

integration

invalid

pull-request

question

requires agent update

security

ui tweak

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/tacticalrmm#3057

No description provided.