Enabling HTTPS

Connections between Tailscale nodes are secured with end-to-end encryption. Browsers, web APIs, and products like Visual Studio Code are not aware of that, however, and can warn users or disable features based on the fact that HTTP URLs to your tailnet services look unencrypted since they’re not using TLS certificates, which is what those tools are expecting.

To protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority (CA).

This feature uses the active tailnet name for your tailnet.

This feature is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale v1.14 or later.

Configure HTTPS

To be able to provision TLS certificates for devices in your tailnet, you need to:

  1. Navigate to the DNS page of the admin console.
  2. Enable MagicDNS if not already enabled for your tailnet.
  3. Under HTTPS Certificates, click Enable HTTPS.
  4. Acknowledge that your machine names and your tailnet name will be published on a public ledger.
  5. For each machine you are provisioning with a TLS certificate, run tailscale cert on the machine to obtain a certificate.

Machine names in the public ledger

All TLS certificates on the web are recorded in the Certificate Transparency (CT) append-only public ledger, which anyone can access to verify the validity of public certificates. Notably, this includes the fully qualified domain name of your devices. To avoid publicizing your organization name, such as your corporate domain, email address, or GitHub username, Tailscale provides you with a tailnet name. Each tailnet has a default name like tailNNNN.ts.net or tailnet-NNNN.ts.net, but you can also choose a fun tailnet name generated by Tailscale, like yak-bebop.ts.net.

TLS certificates are issued based on your tailnet name. Right now, we don’t permit changing your tailnet name (other than between your default tailnet name and your fun tailnet name).

Although the certificate domain obscures the owner of the tailnet, the machine names are still published in the public ledger. Do not enable the HTTPS feature if any of your machine names contain sensitive information. You can edit your machine name before obtaining a certificate.

The public ledger only provides information about the names of the TLS certificates; access to your devices is still restricted by Tailscale as normal. Additionally, only devices where you run tailscale cert will have their certificate in the public ledger.

To summarize, the domain name that gets published on the public ledger is composed as follows:

monitoring.yak-bebop.ts.net where 'monitoring' is the machine-name and 'yak-bebop.ts.net' is the tailnet name

MagicDNS automatically registers DNS names for devices in your network, using their machine name. If the machine name changes, the MagicDNS entry will change. You can edit your machine name to set it to a specific name.

You cannot obtain an HTTPS URL to navigate to a bare hostname, such as https://machine-name. If you obtain a TLS certificate for a node using MagicDNS, it will be accessible at both https://machine-name.tailNNNN.ts.net, using HTTPS, and also at http://machine-name, without HTTPS but using MagicDNS as a DNS nameserver.

Provision TLS certificates for your devices

Using tailscale cert (with sudo as needed), Tailscale will automatically request a certificate for this machine on this domain, using Let’s Encrypt (https://letsencrypt.org/). Tailscale creates a *.ts.net DNS TXT record for your nodes to complete their DNS-01 challenges. If you’re using Go, the tailscale.com/client/tailscale.LocalClient.GetCertificate method implements the tls.Config.GetCertificate callback to do it all automatically. Your certificate’s private key and your LetsEncrypt (ACME) account’s private key are generated and stored locally on your machine and Tailscale never sees them.

Either methods renew certificates as needed, before their 90 day expiry. A certificate is automatically requested for renewal within the weeks before its expiry, when a certificate is fetched.

Using other TLS certificates

In addition to Let’s Encrypt, Caddy provides a way to use certificates for your tailnet machines. For details, see Caddy certificates on Tailscale.

If you are manually installing a certificate from another certificate provider, consult their documentation for how to configure the machine and how to renew the certificate.

Disable HTTPS

You can disable HTTPS for your tailnet, but this will break all links and connections that relied on HTTPS.

To disable HTTPS for your tailnet:

  1. Navigate to the DNS page of the admin console.
  2. Under HTTPS Certificates, click Disable HTTPS.

If HTTPS is disabled, the certificates for your machines are not revoked. This is so that you can re-enable the feature again for your tailnet if needed. You also cannot invalidate a certificate for a single machine.

If you want to re-enable HTTPS, it will be enabled with the active tailnet name for your tailnet.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms