Enabling HTTPS
Connections between Tailscale nodes are secured with end-to-end encryption. Browsers, web APIs, and products like Visual Studio Code are not aware of that, however, and may warn users or disable features because plain HTTP URLs to your tailnet services look unencrypted: they are not backed by TLS certificates, which is what those tools expect.
To protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority (CA).
This feature uses the active tailnet name for your tailnet.
Configure HTTPS
To be able to provision TLS certificates for devices in your tailnet, you need to:
- Open the DNS page of the admin console.
- Enable MagicDNS if not already enabled for your tailnet.
- Under HTTPS Certificates, click Enable HTTPS.
- Acknowledge that your machine names and your tailnet name will be published on a public ledger.
- For each machine you are provisioning with a TLS certificate, run `tailscale cert` on the machine to obtain a certificate.
Machine names in the public ledger
All TLS certificates on the web are recorded in the Certificate Transparency (CT) append-only public ledger, which anyone can access to verify the validity of public certificates. Notably, this includes the fully qualified domain name of your devices. To avoid publicizing your organization name, such as your corporate domain, email address, or GitHub username, Tailscale provides you with a tailnet name. Each tailnet has a default name like tailNNNN.ts.net or tailnet-NNNN.ts.net, but you can also choose a fun tailnet name generated by Tailscale, like yak-bebop.ts.net.
TLS certificates are issued based on your tailnet name. Right now, we don’t permit changing your tailnet name (other than between your default tailnet name and your fun tailnet name).
The public ledger only provides information about the names of the TLS certificates; access to your devices is still restricted by Tailscale as normal.
Additionally, only devices where you run `tailscale cert` will have their certificate in the public ledger.
To summarize, the domain name that gets published on the public ledger is composed as follows: `machine-name.tailNNNN.ts.net`, that is, the MagicDNS machine name followed by your tailnet name.
MagicDNS automatically registers DNS names for devices in your network, using their machine name. If the machine name changes, the MagicDNS entry will change. You can edit your machine name to set it to a specific name. If you obtain a TLS certificate for a node using MagicDNS, it will be accessible at both `https://machine-name.tailNNNN.ts.net`, using HTTPS, and also at `http://machine-name`, without HTTPS but using MagicDNS as a DNS nameserver.
Provision TLS certificates for your devices
When you run `tailscale cert` (with `sudo` as needed), Tailscale automatically requests a certificate for this machine on this domain from Let's Encrypt (https://letsencrypt.org/). Tailscale creates a `*.ts.net` DNS TXT record for your nodes to complete their DNS-01 challenges.
If you're using Go, the `tailscale.com/client/tailscale.LocalClient.GetCertificate` method implements the `tls.Config.GetCertificate` callback to do it all automatically.
Your certificate's private key and your Let's Encrypt (ACME) account's private key are generated and stored locally on your machine, and Tailscale never sees them.
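As an added example (not Tailscale's code, and not the `LocalClient.GetCertificate` helper mentioned above), here is a Go HTTPS server whose `tls.Config.GetCertificate` callback loads the PEM pair that `tailscale cert` writes to disk and reloads it when the certificate file changes, so a renewed certificate written by a later `tailscale cert` run takes effect without restarting the server. It assumes `tailscale cert <name>` writes `<name>.crt` and `<name>.key`; `writeSelfSignedPair`, the `machine-name.tailnet-name.ts.net` placeholder and the `:443` listen address are constructed for the demo only, and a real deployment points `certReloader` at the Let's Encrypt-issued files instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"log"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// certReloader serves the PEM pair written by `tailscale cert`, re-reading it
// whenever the certificate file's mtime changes, so a renewed certificate is
// picked up without restarting the server.
type certReloader struct {
	certPath, keyPath string
	mu                sync.Mutex
	cached            *tls.Certificate
	modTime           time.Time
}

func newCertReloader(certPath, keyPath string) *certReloader {
	return &certReloader{certPath: certPath, keyPath: keyPath}
}

// GetCertificate has the tls.Config.GetCertificate signature, so it can be
// assigned directly to a tls.Config.
func (r *certReloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	st, err := os.Stat(r.certPath)
	if err != nil {
		return nil, err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cached != nil && !st.ModTime().After(r.modTime) {
		return r.cached, nil // files unchanged since the last load
	}
	cert, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return nil, err
	}
	r.cached, r.modTime = &cert, st.ModTime()
	return r.cached, nil
}

// writeSelfSignedPair is a constructed stand-in for the files that
// `tailscale cert <name>` writes (assumed to be <name>.crt and <name>.key),
// so the example runs offline. A real deployment uses the Let's Encrypt
// issued files and never calls this.
func writeSelfSignedPair(certPath, keyPath, dnsName string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{dnsName}, // what clients check against the MagicDNS name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(certPath, certPEM, 0o644); err != nil {
		return err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return os.WriteFile(keyPath, keyPEM, 0o600) // private key stays local, owner-only
}

func main() {
	name := "machine-name.tailnet-name.ts.net" // placeholder for your real MagicDNS name
	certPath := filepath.Join(os.TempDir(), name+".crt")
	keyPath := filepath.Join(os.TempDir(), name+".key")
	if err := writeSelfSignedPair(certPath, keyPath, name); err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{
		Addr:      ":443",
		TLSConfig: &tls.Config{GetCertificate: newCertReloader(certPath, keyPath).GetCertificate},
		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			w.Write([]byte("hello over HTTPS\n"))
		}),
	}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: the cert comes from GetCertificate
}
```

The reload check is a single `os.Stat` per handshake, which is cheap; it reloads only when the `.crt` mtime moves forward, so overwriting both files with a freshly issued pair is all a renewal needs. The key file is written `0600` to match the page's point that the private key never leaves the machine.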
Using other TLS certificates
In addition to Let’s Encrypt, Caddy provides a way to use certificates for your tailnet machines. For details, see Caddy certificates on Tailscale.
If you are manually installing a certificate from another certificate provider, consult their documentation for how to configure the machine and how to renew the certificate.
Disable HTTPS
You can disable HTTPS for your tailnet, but this will break all links and connections that relied on HTTPS.
To disable HTTPS for your tailnet:
- Navigate to the DNS page of the admin console.
- Under HTTPS Certificates, click Disable HTTPS.
If HTTPS is disabled, the certificates for your machines are not revoked. This is so that you can re-enable the feature again for your tailnet if needed. You also cannot invalidate a certificate for a single machine.
If you want to re-enable HTTPS, it will be enabled with the active tailnet name for your tailnet.