Docs / Admin

Enabling HTTPS

Connections between Tailscale nodes are secured with end-to-end encryption. Browsers, web APIs, and products like Visual Studio Code are not aware of that, however, and can warn users or disable features based on the fact that HTTP URLs to your tailnet services look unencrypted since they’re not using TLS certificates, which is what those tools are expecting.

To protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority (CA).

This feature is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale v1.14 or greater.

Configure HTTPS

To be able to provision TLS certificates for devices in your tailnet, you need to:

  1. Navigate to the DNS page of the admin console.
  2. Enable MagicDNS and add at least one “Global Nameserver”, such as 8.8.8.8 or 1.1.1.1.
  3. Navigate to the Settings page of the admin console.
  4. Under “Feature previews”, click “Configure HTTPS”.
  5. Acknowledge that your machine names and a domain alias for your tailnet will be published on a public ledger.
  6. For each machine you are provisioning with a TLS certificate, run tailscale cert on the machine to obtain a certificate.

Machine names in the public ledger

All TLS certificates on the web are recorded in the Certificate Transparency (CT) append-only public ledger, which anyone can access to verify the validity of public certificates. Notably, this includes the full domain name of your devices. To avoid publicizing your corporate domain name, email address, or GitHub username from your MagicDNS domain name, Tailscale provides you with a private domain alias.

When configuring HTTPS for the first time, you can choose a domain alias for your tailnet from an auto-generated list. If none of these combinations inspire you, click “re-roll” for more options until you find one you like. TLS certificates are only issued for those aliases. Right now, we don’t permit changing your domain alias or choosing a custom domain alias.

Although the certificate domain obscures the owner of the tailnet, the machine names are still published in the public ledger. Do not enable the HTTPS feature if any of your machine names contain sensitive information.

The public ledger only provides information about the names of the TLS certificates; access to your devices is still restricted by Tailscale as normal.

To summarize, the domain name that gets published on the public ledger is composed as follows:

monitoring.yak-bebop.ts.net where 'monitoring' is the machine-name, 'yak-bebop' is the domain alias, and 'ts.net' is a suffix

You cannot obtain an HTTPS URL to navigate to a bare hostname, such as https://machine-name. If you obtain a TLS certificate for a node using MagicDNS, it will accessible at both https://machine-name.domain-alias.ts.net, using HTTPS, and also at http://machine-name, without HTTPS but using MagicDNS as a DNS nameserver.

Provision TLS certificates for your devices

Using tailscale cert (with sudo as needed), Tailscale will automatically request a certificate for this machine on this domain, using Let’s Encrypt (https://letsencrypt.org/). Tailscale creates a *.ts.net DNS TXT record for your nodes to complete their DNS-01 challenges. If you’re using Go, the tailscale.com/client/tailscale.GetCertificate function implements the tls.Config.GetCertificate to do it all automatically. Your certificate’s private key and your LetsEncrypt (ACME) account’s private key are generated and stored locally on your machine and Tailscale never sees them.

Either methods renew certificates as needed, before their 90 day expiry. A certificate is automatically requested for renewal within the weeks before its expiry, when a certificate is fetched.

Disable HTTPS

You can disable HTTPS for your tailnet, but this will break all links and connections that relied on HTTPS.

To disable HTTPS for your tailnet:

  1. Navigate to the Settings page of the admin console.
  2. Under “Feature previews”, click “Disable HTTPS”.

If HTTPS is disabled, the certificates for your machines are not revoked. This is so that you can re-enable the feature again for your tailnet if needed. You also cannot invalidate a certificate for a single machine.

If you want to re-enable HTTPS, you can choose between the same domain alias that was picked the first time and a generic one.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2021 Tailscale Inc.

Privacy & Terms