Enabling HTTPS

Connections between Tailscale nodes are secured with end-to-end encryption. Browsers, web APIs, and products like Visual Studio Code are not aware of that, however, and can warn users or disable features based on the fact that HTTP URLs to your tailnet services look unencrypted since they’re not using TLS certificates, which is what those tools are expecting.

To protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority (CA).

This feature uses the active tailnet name for your tailnet.

Configure HTTPS

To be able to provision TLS certificates for devices in your tailnet, you need to:

  1. Open the DNS page of the admin console.
  2. Enable MagicDNS if not already enabled for your tailnet.
  3. Under HTTPS Certificates, click Enable HTTPS.
  4. Acknowledge that your machine names and your tailnet name will be published on a public ledger.
  5. For each machine you are provisioning with a TLS certificate, run tailscale cert on the machine to obtain a certificate.

Machine names in the public ledger

All TLS certificates on the web are recorded in the Certificate Transparency (CT) append-only public ledger, which anyone can access to verify the validity of public certificates. Notably, this includes the fully qualified domain name of your devices. To avoid publicizing your organization name, such as your corporate domain, email address, or GitHub username, Tailscale provides you with a tailnet name. Each tailnet has a default name like tailNNNN.ts.net or tailnet-NNNN.ts.net, but you can also choose a fun tailnet name generated by Tailscale, like yak-bebop.ts.net.

TLS certificates are issued based on your tailnet name. Right now, we don’t permit changing your tailnet name (other than between your default tailnet name and your fun tailnet name).

Although the certificate domain obscures the owner of the tailnet, the machine names are still published in the public ledger. Do not enable the HTTPS feature if any of your machine names contain sensitive information. You can edit your machine name before obtaining a certificate.

The public ledger only provides information about the names of the TLS certificates; access to your devices is still restricted by Tailscale as normal. Additionally, only devices where you run tailscale cert will have their certificate in the public ledger.

To summarize, the domain name that gets published on the public ledger is composed as follows:

monitoring.yak-bebop.ts.net where 'monitoring' is the machine-name and 'yak-bebop.ts.net' is the tailnet name

MagicDNS automatically registers DNS names for devices in your network, using their machine name. If the machine name changes, the MagicDNS entry will change. You can edit your machine name to set it to a specific name.

You cannot obtain an HTTPS URL to navigate to a bare hostname, such as https://machine-name. If you obtain a TLS certificate for a node using MagicDNS, it will be accessible at both https://machine-name.tailNNNN.ts.net, using HTTPS, and also at http://machine-name, without HTTPS but using MagicDNS as a DNS nameserver.

Provision TLS certificates for your devices

Using tailscale cert (with sudo as needed), Tailscale will automatically request a certificate for this machine on this domain, using Let’s Encrypt (https://letsencrypt.org/). Tailscale creates a *.ts.net DNS TXT record for your nodes to complete their DNS-01 challenges. If you’re using Go, the tailscale.com/client/tailscale.LocalClient.GetCertificate method implements the tls.Config.GetCertificate callback to do it all automatically. Your certificate’s private key and your LetsEncrypt (ACME) account’s private key are generated and stored locally on your machine and Tailscale never sees them.

The certificates provided by Let’s Encrypt have a 90 day expiry and require periodic renewal. When a certificate is delivered as files on disk which you then move to an install location, such as when using tailscale cert, the tailscaled daemon doesn’t know where to place a renewed certificate nor how to install it. So for any certificates that you create via tailscale cert, you are responsible for renewing the certificate.

If a certificate is handled without the user initiating any file-based certificate installation, such as when using the Caddy integration of Tailscale, then the certificate will automatically be renewed without the user doing anything.

Using other TLS certificates

In addition to Let’s Encrypt, Caddy provides a way to use certificates for your tailnet machines. For details, see Caddy certificates on Tailscale.

If you are manually installing a certificate from another certificate provider, consult their documentation for how to configure the machine and how to renew the certificate.

Disable HTTPS

You can disable HTTPS for your tailnet, but this will break all links and connections that relied on HTTPS.

To disable HTTPS for your tailnet:

  1. Open the DNS page of the admin console.
  2. Under HTTPS Certificates, click Disable HTTPS.

If HTTPS is disabled, the certificates for your machines are not revoked. This is so that you can re-enable the feature again for your tailnet if needed. You also cannot invalidate a certificate for a single machine.

If you want to re-enable HTTPS, it will be enabled with the active tailnet name for your tailnet.

View certificate status

Within the Tailscale admin console, you can view the TLS certificate status for any machine in your network, provided the machine is:

  • online for your tailnet
  • running Tailscale v1.56 or later

To view the certificate status:

  1. Open the Machines page of the admin console.
  2. Find the machine whose certificate status you want to view. You can use the search bar or filters to find a machine.
  3. Click the machine.
  4. See the certificate status in the TLS certificate section of the machine page.
If a machine is offline, Tailscale will not be able to report its certificate status.

The following statuses can be reported for a machine’s certificate:

  • Valid
  • Invalid
  • Certificate expired
  • No certificate found
  • Upgrade client to check status