-
Notifications
You must be signed in to change notification settings - Fork 1
Certificate Management
Manage Tailscale HTTPS certificates on remote hosts. Handles renewal, permission setup for Caddy, and service reload.
Since: v0.24.0
If you use Tailscale for internal networking and Caddy as a reverse proxy, strut automates the cert renewal lifecycle:
strut harbor cert:renew # Renew cert + set permissions + reload Caddy
strut harbor cert:status # Check certificate expiryThe host alias (harbor) resolves via [hosts] in strut.conf (see Multi-Host Topology).
Renews the Tailscale HTTPS certificate on a host:
- Ensures the cert directory exists
- Runs
tailscale certto generate/renew the certificate - Sets ownership (
root:caddy) and permissions (key mode640) - Reloads Caddy
strut harbor cert:renew
strut harbor cert:renew --dry-runShows certificate details including subject, issuer, and expiry date:
strut harbor cert:statusWarns if the certificate expires within 14 days. Errors if already expired.
| Variable | Default | Description |
|---|---|---|
CERT_DIR |
/etc/caddy/certs |
Remote directory for certificate files |
CERT_OWNER |
root:caddy |
Ownership for cert and key files |
CERT_KEY_MODE |
640 |
File permissions for the private key |
TAILSCALE_HOSTNAME |
Host alias | Override the Tailscale MagicDNS hostname |
Set these in strut.conf to override.
Certificates are stored at:
-
Cert:
<CERT_DIR>/<hostname>.crt -
Key:
<CERT_DIR>/<hostname>.key
Where <hostname> is the Tailscale hostname (defaults to the host alias).
On the remote host:
- Tailscale installed and running with HTTPS enabled
-
opensslavailable (forcert:status) - Caddy running as a systemd service (for reload after renewal)
Combine with a cron job or scheduled task to auto-renew:
# In a CI pipeline or cron:
strut harbor cert:renew
strut compass cert:renewTailscale certs are valid for 90 days. Renewing early is safe (idempotent).
strut · v0.28.0 · Report an Issue
Getting Started
Core Concepts
Operations
- Deployment
- Ship and Rebuild
- GitHub Actions
- Remote Host Setup
- Provisioning
- Blue-Green Deploy
- Deploy Rollback
- Database Backups
- Secrets Management
- Stack Groups
- Lifecycle Hooks
- Notifications
- Key Rotation
- Drift Detection
- Domain and SSL
- Certificate Management
- Gateway Management
- Monitoring
- Volume Management
Advanced
- Security Posture
- VPS Audit and Migration
- Stack Validation
- Data Anonymization
- Debugging
- Local Development
Extending
Contributing