FR: TLS Certificates for subdomains - or wildcard certificates #7081
Comments
Not exactly the same feature request, but very related: it would be great to have CNAME support in MagicDNS and the HTTPS cert generation feature. It would deliver on the needs of the original request more generically.
But only allows for its own node name as the domain. If aliases or CNAMEs were available, the node should be able to request certs for them.
I'd also like some sort of subdomain or CNAME support, so that I could generate (preferably) multiple certificates for different services running on the same machine, or (failing that) a single certificate containing multiple hostnames.
I need this feature too. I also need MagicDNS to return the same DNS record for all subdomains as for the machine's DNS record. I want to access my services via HTTPS, and I have many services on my machine, so I use Caddy as my frontend HTTPS server and it works fine with Tailscale. The way I access my services is reverse_proxy by path, like
A more common practice is to use subdomains, but there are two choke points:
Thinking about it, this issue is fully dependent on #1543, while you could use your own DNS server to route
While unrelated to Tailscale, here is a complicated solution to having certified local services:
Yes, but in this way you need to update the DNS record manually or use a webhook to do it automatically.
Update: Caddy can use
I hope this feature request is addressed soon, but looking at the timeline it seems unlikely. I have a home server that runs a lot of self-hosted applications. For a lot of those, it is sometimes a real pain or impractical to place them on a subfolder of the domain, e.g.
While this problem is easily solved using a personal domain, having this capability native to Tailscale's HTTPS feature would be far better.
I have become so used to the “magic” in MagicDNS that I spent hours trying to debug why my automatic HTTPS on Caddy doesn't work (NixOS's
I personally don't need to set DNS records; I would just like HTTPS to work for
I guess the “DNS CNAME record” feature could be related to this issue: #1543.
What are you trying to do?
I want to use
https://subdomain.device.random.ts.net
and be presented with a valid certificate.
Currently I can request a signed certificate for each of my devices inside the Tailscale network, so I can access
https://device.random.ts.net
and my browser does not warn about self-signed certificates.
Now I have the service running on
abc.xyz.random.ts.net
and would like to request a certificate for that domain.
How should we solve this?
Allow requesting certificates for subdomains of devices or the option to request a wildcard certificate.
What is the impact of not solving this?
I am currently using self-signed certificates on subdomains that are handled by MagicDNS and a local DNS server, which is set as the global nameserver and is configured to override local DNS.
Anything else?
The documentation (Enabling HTTPS) mentions using the DNS-01 challenge, which allows requesting wildcard certificates.
Related to #3847 (Subdomains cannot be accessed using only MagicDNS) but not dependent on it, since you can use a self-hosted DNS server.
I also noticed that when using
address=/device.random.ts.net/100.123.345.678
(forwarding device.random.ts.net and all its subdomains to the IP), with MagicDNS only
device.random.ts.net
works, but not its subdomains. Without MagicDNS it works as intended.
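One caveat worth checking before relying on a wildcard certificate for this: TLS clients honour a wildcard only as the entire left-most label, and it matches exactly one label. So `*.random.ts.net` would cover `device.random.ts.net` but not `abc.xyz.random.ts.net`, and a cert for `device.random.ts.net` plus `*.device.random.ts.net` covers `abc.device.random.ts.net` but not `abc.xyz.device.random.ts.net`. The following is an added example, not code from this issue or from Tailscale: it implements that matching rule (RFC 6125 section 6.4.3 style) and reports which SAN, if any, covers each hostname. The SAN lists are constructed for illustration, the hostnames reuse the placeholder names from the issue, and the matcher deliberately does not consult the Public Suffix List, which real browsers additionally apply.

```python
"""Check which hostnames a certificate's SANs cover, with RFC 6125 wildcard rules.

Added example for the wildcard-certificate discussion above; it is not
Tailscale code and not from the issue. All SAN lists and hostnames below
are constructed placeholders.
"""


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is the same name.
    return name.rstrip(".").lower()


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the DNS-ID `pattern` (a SAN entry) covers `hostname`.

    Rules applied (the conservative subset common TLS clients enforce):
      * exact, case-insensitive match always wins;
      * '*' is honoured only as the whole left-most label ('*.example');
      * '*' matches exactly one label, never zero and never several;
      * at least two labels must follow the wildcard, so '*.net' is refused
        (assumption: no Public Suffix List lookup, unlike browsers).
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # 'f*o.example' or 'a.*.example' are not accepted wildcard forms.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # One label only: the hostname must have the same number of labels.
    if len(h_labels) != len(p_labels):
        return False
    if any(label == "" for label in h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covering_san(san_list, hostname):
    """Return the first SAN entry that covers `hostname`, or None."""
    for san in san_list:
        if wildcard_matches(san, hostname):
            return san
    return None


def coverage_report(san_list, hostnames):
    """Map each hostname to the SAN that covers it (None if uncovered)."""
    return {host: covering_san(san_list, host) for host in hostnames}


# Constructed SANs: the node's own name plus a one-level wildcard under it.
SAMPLE_SANS = ["device.random.ts.net", "*.device.random.ts.net"]
SAMPLE_HOSTS = [
    "device.random.ts.net",          # exact SAN
    "abc.device.random.ts.net",      # one label under the wildcard
    "abc.xyz.device.random.ts.net",  # two labels: not covered
    "abc.xyz.random.ts.net",         # sibling tree: not covered
]

if __name__ == "__main__":
    for host, san in coverage_report(SAMPLE_SANS, SAMPLE_HOSTS).items():
        print(f"{host:32s} -> {san or 'NOT COVERED'}")
```

To cover a second level such as `abc.xyz.random.ts.net` with wildcards you would need a SAN of `*.xyz.random.ts.net` (or the exact name), which is exactly the per-subdomain issuance this feature request asks for.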