[GH-ISSUE #1895] Tactical RMM Instructions say 3 domains are needed, but asks for 4. #3121

Closed
opened 2026-03-14 06:36:24 +03:00 by kerem · 7 comments

Originally created by @W1BTR on GitHub (Jun 17, 2024).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1895

The docs say the following:

```
The RMM uses 3 different sites. The Vue frontend e.g. rmm.example.com which is where you'll be accessing your RMM from the browser, the REST backend e.g. api.example.com and MeshCentral e.g. mesh.example.com
rmm. api. and mesh. are what we recommend, but you can use whatever you want if they're already in use.
```

Which makes me think I would want:
api.mydomain.com
mesh.mydomain.com
and rmm.mydomain.com

However, when setting up, Tactical RMM also asks for my ROOT domain, which would be mydomain.com

However, mydomain.com is already in use for something else. I don't understand what this fourth domain is for. Can I just set it to rmm.mydomain.com as well?

I can do api.rmm.mydomain.com etc if need be.

kerem closed this issue 2026-03-14 06:36:29 +03:00

@wh1te909 commented on GitHub (Jun 17, 2024):

no, it's just used in the certbot command to get the wildcard cert. has nothing to do with it being already used.


@W1BTR commented on GitHub (Jun 17, 2024):

Okay, I don't want to sacrifice my entire domain so the wildcard cert will always fail. Why doesn't it get individual certs? Obviously as a workaround I can just have it behind another rmm subdomain, just seems silly.


@wh1te909 commented on GitHub (Jun 17, 2024):

you can have as many certs as you want for your root domain, no sacrifice needed. nothing will break.


@W1BTR commented on GitHub (Jun 17, 2024):

All I can tell you is that it fails because it points to another IP address so it can't confirm I own it, where the other three point to this server.


@dinger1986 commented on GitHub (Jun 17, 2024):

Yes you can cause it's got nothing to do with the IP address, you are adding a new TXT record for Let's Encrypt to get the wildcard


@wh1te909 commented on GitHub (Jun 17, 2024):

the install script uses the DNS TXT record method to get the wildcard cert. it doesn't matter which IP your domain is pointed to. This is the reason we use TXT record so that you don't have to worry about IP addresses.

If you want you can just get a cert for `api.example.com` with 2 SANs for `mesh.example.com` and `rmm.example.com` and then call the install script with the `--use-own-cert` flag: https://docs.tacticalrmm.com/functions/settings_override/#using-your-own-wildcard-ssl-cert


@W1BTR commented on GitHub (Jun 17, 2024):

Okay, I see what's going on. I've never seen / heard of certbot using txt challenges or anything other than the standard apache check, so I just glossed over it. My experience goes back a good number of years but appears more narrow than I'd thought. Apologies!
