Acme challenge on local network

I have been attempting to set up a RMM server using TacticalRMM on Ubuntu 20.04. I do not plan on making this public facing, yet it requires a cert.

I have set up Webmin on Ubuntu 20.04 server running Bind9 DNS Server -- I'm fairly new to all of this but here is how it is set up:

Two master zones created: one for my domain, in this case [example.com] (forwarding), and another for 10.10.100, my subnet (reverse forwarding).

I have three address entries in both zones - [rmm-tactical.example.com], [api-tactical.example.com], [mesh-tactical.example.com] each pointing at the RMM server. [10.10.100.21]

I changed the DNS server on the RMM server to point to my Webmin Bind9 DNS server.

The problem that occurs is when running through the install I get to a Let's Encrypt portion -- it asks about the three separate entries and main domain:

Enter the subdomain for the backend (e.g. (https://api.example.com/)): [api-tactical.example.com]

Enter the subdomain for the frontend (e.g. (https://rmm.example.com/)): [rmm-tactical.example.com]

Enter the subdomain for meshcentral (e.g. (https://mesh.example.com/)): [mesh-tactical.example.com]

Enter the root domain (e.g. [example.com] or [example.co.uk]: [example.com]

I get past this point then it asks:

Please deploy a DNS TXT record under the name

_acme-challenge.example.com with the following value:

tg2pUGffgCQeojg58V3Pw4jm3H5ZDQd2t3PxNLaflO0

I create a text record under the Master zone for [Example.com] named exactly "_acme-challenge.example.com" containing the value provided above.

I press enter on install and it errors "Challenge failed". Is this because it's a local domain and Let's Encrypt is attempting to check with [example.com] on the internet and the text record does not exist there? It should be going through my primary LOCAL DNS server first at [10.10.100.10] (Webmin Bind9).

Any insight on how to make this work locally? I do not want this exposed to the internet. This is part of the program install so I'm not really sure how to get past this.

Github for this project: https://github.com/wh1te909/tacticalrmm

The FAQ page (FAQ - Tactical RMM Documentation) on GitHub says:

Can I run Tactical RMM locally behind NAT without exposing anything to the internet?

Yes, you will just need to setup local DNS for the 3 subdomains, either by editing host files on all your agents or through a local DNS server.

1 Like

Probably.

How? How would Let's Encrypt possibly be able to connect to a 10.0.0.0/8 IP (or any private IP address) to validate your domain name?

Otherwise I would immediately run a local DNS server for whitehouse.gov and get myself a certificate for it!

2 Likes

By using DNS-01 authentication, you can avoid direct exposure to the Internet.
You can't, however, use an arbitrary domain name in your certificate request.
Otherwise, hey LE, I am the NSA.gov, just come to my private DNS server so I can prove it to you!

1 Like

I kind of figured setting my RMM server's DNS to point to my webmin bind9 DNS server would do it, as that would have the entries for my local network but yeah I guess I don't really know how to do this on the local level.
Let's Encrypt is part of the install process, and the FAQ (bottom of post) makes it seem like it's possible. I'm super noob at all of this cert / DNS stuff so apologies for my ignorance.

It is possible, with a real domain name (that you control and have configured to be served by those DNS servers).

1 Like

But wouldn't that expose it to the internet? I really just want this RMM internally.

Only the DNS servers need to respond to DNS queries from the Internet.
But those DNS servers don't have to be in your super-secure network.
They only need to be accessible by your system that will run the ACME client.

Can't you just use a self-signed cert?

At least clarify my... confusion:
If the servers won't be accessible to the Internet, then all your clients will also be trapped within this private network.
If all your clients are so trapped, how will they be able to validate any certificate presented (when authorized by systems on the Internet)?

2 Likes

You do not need to expose your servers to the public internet, but you must answer the ACME challenges on the public internet. The easiest way to do this is by using the DNS-01 ACME challenge, and placing the response on the public DNS server.

The DNS for the domains in question can either be defined publicly or within your private LAN, however the ACME-Challenge responses must be placed on the public internet.

2 Likes
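As an added illustration of the point made in this reply and of the failure the original poster hit (this is example code written for this page, not code from the thread or from the Tactical RMM project): the TXT value a DNS-01 challenge asks for is derived from the challenge token and the ACME account key's thumbprint, and the CA looks that record up through public DNS, so a record that only your internal BIND server answers for is invisible to it. The account key, token and resolver answers below are constructed sample data, and the resolver answers are supplied as plain lists rather than fetched over the network.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(root_domain: str) -> str:
    """Owner name of the TXT record, e.g. _acme-challenge.example.com."""
    return f"_acme-challenge.{root_domain.strip('.')}"


def check_visibility(expected: str, answers: dict) -> dict:
    """answers maps resolver address -> TXT strings it returned (empty list = NXDOMAIN/no data)."""
    return {resolver: expected in txts for resolver, txts in answers.items()}


def challenge_will_pass(expected: str, answers: dict, public_resolvers: tuple) -> bool:
    """The CA validates via the public DNS tree, so only public resolvers count."""
    seen = check_visibility(expected, answers)
    return all(seen.get(r, False) for r in public_resolvers)


# Constructed sample account key (public EC JWK with placeholder coordinates) and token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-challenge-token"
PUBLIC_RESOLVERS = ("1.1.1.1", "8.8.8.8")


def scenario_from_thread() -> bool:
    """Record published only on the internal BIND server (10.10.100.10): the CA never sees it."""
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    answers = {"10.10.100.10": [expected], "1.1.1.1": [], "8.8.8.8": []}
    return challenge_will_pass(expected, answers, PUBLIC_RESOLVERS)
```

Replacing the constructed answers with real lookups (e.g. `dig +short TXT _acme-challenge.example.com @1.1.1.1`) before pressing enter on the installer shows whether the CA can see the record at all.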

Unfortunately the install process seems to force Let's Encrypt cert. I will attempt to get this working with a live domain. Will update once I am done!

I've lost count of how many times I've posted this link, but it could be a solution for your needs. And while this link describes the use of a Raspberry Pi, you could really use any system (even a VM) running Ubuntu:

3 Likes
