Local install without lets encrypt

[mhktc]

Is your feature request related to a problem? Please describe.
I want to install RMM inside of our network. We have our own CA and internal domains and the server wont be reachable from the internet but the installer always forces me to use a lets encrypt certificate.

Describe the solution you'd like
A mode in the installer where i can choose something like "local installation" where i can provide my own certificates or tell the installer that the server runs behind an SSLproxy.

Or is there some other way to install RMM locally without the lets encrypt stuff in my way?

[dinger1986]

You cant really do the install without an SSL certificate, so you can do it one of 2 ways.

1. Use the lets encrypt ssl cert (it just needs a txt record added to a domain) and change to your own certs later https://docs.tacticalrmm.com/unsupported_scripts/#using-purchased-ssl-certs-instead-of-lets-encrypt-wildcards
2. copy the certs somewhere on the linux server, comment out lines 162-167, change lines 169 and 170 to the locations of the certs and run the install as normal.

2 is really unsupported and could lead to all sorts of issues which is why the time has been spent to write such a comprehensive installer

[wh1te909]

https://docs.tacticalrmm.com/functions/settings_override/#using-your-own-wildcard-ssl-cert

[psychos4]

The official documentation provides guidance on using your own wildcard SSL certificates.

For the "classic" installation, the --use-own-cert flag, as described in the installation guide, works as expected.

However, this approach does not currently work for the Docker-based installation.

To address this, I tried adding my custom SSL certificate to the .env file as follows:

CERT_PUB_KEY=C0ah3YC81csC4J+KWyJ8pUb9sOAyRrDB7TS......
CERT_PRIV_KEY=zMrGaxs68LYdvsxixZ9AO0vVfC6RLwu......

Unfortunately, it’s not as straightforward as that—additional steps seem to be required, but these are not clearly documented or supported at the moment.

Suggestion: Local-Only Installation as a Security Improvement?
By the way, wouldn’t an option for a local-only installation (no external accessibility) be a significant security improvement? This could benefit users who do not need external access and prioritize a fully contained, secure setup.

[dinger1986]

Docker isn't the same that's for installation in bare metal.

Also I'm sure those should be file paths not the certificate

Using let's encrypt the way trmm is doesn't require any external access as it uses a dns challenge. It requires the trmm server seeing the internet but no ports need opened

[psychos4]

I would say it clearly describes encoding the certificate in Base64, not using a file path:
https://docs.tacticalrmm.com/install_docker/#base64-encoding-certificates-to-pass-as-env-variables

Additionally, the environment variable should be removed after creation.

[wh1te909]

the docker stuff is more community maintained, so might not be up to date and definitely not on par with the officially supported standard install. if you have any recommendations or improvements feel free to submit PR with requested changes