Connections between Tailscale nodes are secured with end-to-end encryption. Browsers, web APIs, and products like Visual Studio Code are not aware of that, however, and can warn users or disable features based on the fact that HTTP URLs to your tailnet services look unencrypted since they’re not using TLS certificates, which is what those tools are expecting.
To protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority (CA).
This feature uses the active tailnet name for your tailnet.
To be able to provision TLS certificates for devices in your tailnet, you need to:
- Open the DNS page of the admin console.
- Enable MagicDNS if not already enabled for your tailnet.
- Under HTTPS Certificates, click Enable HTTPS.
- Acknowledge that your machine names and your tailnet name will be published on a public ledger.
- For each machine you are provisioning with a TLS certificate, run
tailscale certon the machine to obtain a certificate.
All TLS certificates on the web are recorded in the Certificate Transparency (CT) append-only public ledger, which anyone can access to verify the validity of public certificates. Notably, this includes the fully qualified domain name of your devices. To avoid publicizing your organization name, such as your corporate domain, email address, or GitHub username, Tailscale provides you with a tailnet name. Each tailnet has a default name like tailNNNN.ts.net or tailnet-NNNN.ts.net, but you can also choose a fun tailnet name generated by Tailscale, like yak-bebop.ts.net.
TLS certificates are issued based on your tailnet name. Right now, we don’t permit changing your tailnet name (other than between your default tailnet name and your fun tailnet name).
The public ledger only provides information about the names of the TLS certificates; access to your devices is still restricted by Tailscale as normal.
Additionally, only devices where you run
tailscale cert will have their certificate in the public ledger.
To summarize, the domain name that gets published on the public ledger is composed as follows:
MagicDNS automatically registers DNS names for devices in your network, using their machine name. If the machine name changes, the MagicDNS entry will change. You can edit your machine name to set it to a specific name.
https://machine-name. If you obtain a TLS certificate for a node using MagicDNS, it will be accessible at both
https://machine-name.tailNNNN.ts.net, using HTTPS, and also at
http://machine-name, without HTTPS but using MagicDNS as a DNS nameserver.
tailscale cert (with
sudo as needed), Tailscale will automatically request a certificate for this machine on this domain, using
Let’s Encrypt (https://letsencrypt.org/).
Tailscale creates a
*.ts.net DNS TXT record for your nodes to complete their DNS-01 challenges.
If you’re using Go, the
tailscale.com/client/tailscale.LocalClient.GetCertificate method implements the
tls.Config.GetCertificate callback to do it all automatically.
Your certificate’s private key and your LetsEncrypt (ACME) account’s private key are generated and stored locally on your machine and Tailscale never sees them.
The certificates provided by Let’s Encrypt have a 90 day expiry and require periodic renewal. When a certificate is delivered as files on disk which you then move to an install location, such as when using
tailscale cert, the
tailscaled daemon doesn’t know where to place a renewed certificate nor how to install it. So for any certificates that you create via
tailscale cert, you are responsible for renewing the certificate.
If a certificate is handled without the user initiating any file-based certificate installation, such as when using the Caddy integration of Tailscale, then the certificate will automatically be renewed without the user doing anything.
If you are manually installing a certificate from another certificate provider, consult their documentation for how to configure the machine and how to renew the certificate.
You can disable HTTPS for your tailnet, but this will break all links and connections that relied on HTTPS.
To disable HTTPS for your tailnet:
- Open the DNS page of the admin console.
- Under HTTPS Certificates, click Disable HTTPS.
If HTTPS is disabled, the certificates for your machines are not revoked. This is so that you can re-enable the feature again for your tailnet if needed. You also cannot invalidate a certificate for a single machine.
If you want to re-enable HTTPS, it will be enabled with the active tailnet name for your tailnet.
Within the Tailscale admin console, you can view the TLS certificate status for any machine in your network, provided the machine is:
- online for your tailnet
- running Tailscale v1.56 or later
To view the certificate status:
- Open the Machines page of the admin console.
- Find the machine whose certificate status you want to view. You can use the search bar or filters to find a machine.
- Click the machine.
- See the certificate status in the TLS certificate section of the machine page.
The following statuses can be reported for a machine’s certificate:
- Certificate expired
- No certificate found
- Upgrade client to check status