
FR: TLS Certificates for subdomains - or wildcard certificates #7081

Open
lennartbrandin opened this issue Jan 27, 2023 · 7 comments
Labels: fr (Feature request), L3 (Some users: Likelihood), P2 (Aggravating: Priority level), T0 (New feature: Issue type)

Comments

@lennartbrandin

What are you trying to do?

I want to use https://subdomain.device.random.ts.net and be presented with a valid certificate.

Currently I can request a signed certificate for each of my devices inside the tailscale network, so I can access https://device.random.ts.net and my browser does not warn about self-signed certificates.

Now I have the service running on abc.xyz.random.ts.net and would like to request a certificate for that domain.

[user@domain]$ sudo tailscale cert *.device.random.ts.net
500 Internal Server Error: invalid domain "*.device.random.ts.net"; must be one of ["device.random.ts.net" "device.random.ts.net"]
[user@domain]$ sudo tailscale cert abc.device.random.ts.net
500 Internal Server Error: invalid domain "abc.device.random.ts.net"; must be one of ["device.random.ts.net" "device.random.ts.net"]

How should we solve this?

Allow requesting certificates for subdomains of devices or the option to request a wildcard certificate.

What is the impact of not solving this?

I was currently using self-signed certificates on subdomains that are handled by magicDNS and a local DNS server, which is set as Global nameserver and is configured to override local DNS.

Anything else?

The documentation: Enabling HTTPS mentions using the DNS-01 challenge, which allows requesting wildcard certificates.

Related to #3847 (Subdomains cannot be accessed using only magicDNS) but not dependent since you can use a self hosted DNS server.

I also noticed that when using address=/device.random.ts.net/100.123.345.678 (forwarding device.random.ts.net and all its subdomains to the IP), with magicDNS only device.random.ts.net works, but not its subdomains. Without magicDNS it works as intended.

@lennartbrandin lennartbrandin added fr Feature request needs-triage labels Jan 27, 2023
@DentonGentry DentonGentry added L3 Some users Likelihood P2 Aggravating Priority level T0 New feature Issue type and removed needs-triage labels Feb 12, 2023
@peralta
Contributor

peralta commented Feb 21, 2023

Not exactly the same feature request, but very related: it would be great to have CNAME support in MagicDNS and the HTTPS cert generation feature. It would deliver on the needs of the original request more generically.
Use case: host running docker, using caddy or other proxy to terminate SSL, then proxying to the right container without the need to reuse the host node name for everything (and URL paths for routing).
The cert command already allows passing the host name:

USAGE
  cert [flags] <domain>

But it only allows its own node name as the domain. If aliases or CNAMEs were available, the node should be able to request certs for them.

@jordemort

I'd also like some sort of subdomain or CNAME support, so that I could generate (preferably) multiple certificates for different services running on the same machine, or (failing that) a single certificate containing multiple hostnames.

@ikidou

ikidou commented Jul 10, 2023

I need this feature too. And I also need MagicDNS to return the same DNS record for all subdomains as the machine's DNS record.

I want to access my services via HTTPS, and I have many services on my machine, so I use Caddy as my front-end HTTPS server and it works fine with Tailscale. The way to access my services is reverse_proxy by path, like homelab.tailnet.ts.net/service{1,2,3}, but some services cannot support subdirectory reverse proxy (e.g. [uptime-kuma](https://github.com/louislam/uptime-kuma)), so I tried to resolve this problem.

A more common practice is to use subdomains, but there are two choke points:

  1. can't resolve the service1.homelab.tailnet.ts.net DNS record,
  2. tailscale cert only supports homelab.tailnet.ts.net and does not support *.homelab.tailnet.ts.net

@lennartbrandin
Author

Thinking about it, this issue is fully dependent on #1543: while you could use your own DNS server to route service1.homelab.tailnet.ts.net, I think the use case of this feature would be minimal without custom records directly featured by tailscale.

While unrelated to tailscale, here is a complicated solution to having certified local services:

  1. Have a public domain test.abc
  2. Get a certificate for *.home.test.abc
  3. Use this certificate for your services
  4. Resolve *.home.test.abc to your local server on a local DNS
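An added example (not from this thread and not Tailscale's or Caddy's code) that applies the RFC 6125 dNSName matching rules to the hostnames discussed above: it shows why a node certificate for device.random.ts.net cannot validate abc.device.random.ts.net, and exactly which names the *.home.test.abc wildcard from the workaround does and does not cover. The SAN lists are constructed.

```python
from __future__ import annotations

# Hostnames taken from the thread above; the SAN lists are constructed.
NODE_CERT_SANS = ["device.random.ts.net"]             # what the node cert carries today
WILDCARD_SANS = ["home.test.abc", "*.home.test.abc"]  # the public-domain workaround


def san_matches(san: str, hostname: str) -> bool:
    """True if one dNSName SAN entry validates hostname (RFC 6125 section 6.4.3 rules).

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is only honoured as the entire left-most label
    - a wildcard matches exactly one label, never zero and never several
    - bare "*" and "*.<tld>" are refused; a real validator additionally
      consults the public suffix list, which is out of scope here
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False                      # one label per label, so counts must agree
    if any("*" in lbl for lbl in san_labels[1:]):
        return False                      # wildcard anywhere but left-most: invalid
    if san_labels[0] == "*":
        if len(san_labels) < 3:
            return False                  # "*" or "*.net" is never acceptable
        return san_labels[1:] == host_labels[1:]
    if "*" in san_labels[0]:
        return False                      # partial wildcard such as "ser*": reject
    return san_labels == host_labels


def covering_sans(sans: list[str], hostname: str) -> list[str]:
    """Return the SAN entries from a certificate that would validate hostname."""
    return [s for s in sans if san_matches(s, hostname)]


if __name__ == "__main__":
    checks = [
        (NODE_CERT_SANS, "device.random.ts.net"),
        (NODE_CERT_SANS, "abc.device.random.ts.net"),  # the case behind the 500 error
        (WILDCARD_SANS, "service1.home.test.abc"),
        (WILDCARD_SANS, "a.b.home.test.abc"),          # two labels deep: not covered
        (WILDCARD_SANS, "home.test.abc"),
    ]
    for sans, host in checks:
        hits = covering_sans(sans, host)
        print(f"{host:30} {'covered by ' + hits[0] if hits else 'NOT covered'}")
```

Browsers and TLS libraries apply the same one-label rule, so a `*.device.random.ts.net` certificate would serve `abc.device.random.ts.net` but still not `abc.xyz.device.random.ts.net`.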

@ikidou

ikidou commented Jul 11, 2023

Yes, but in this way you need to update the DNS record manually or use a webhook to do it automatically.

Update: Caddy can use dynamic_dns module to automatically update the DNS record, I will try later.

@Techman

Techman commented Dec 19, 2023

I hope this feature request is addressed soon, but looking at the timeline it seems unlikely.

I have a home server that runs a lot of self-hosted applications. For a lot of those, it is sometimes a real pain or impractical to place them on a subfolder of the domain, e.g. https://device.tailxxxx.ts.net/application/. It becomes far better to host them on a subdomain.

While this problem is easily solved using a personal domain, having this capability native to Tailscale's HTTPS feature would be far better.

@Diti

Diti commented Jan 1, 2024

I have become so used to the “magic” in Magic DNS that I spent hours trying to debug why my automatic HTTPS on Caddy doesn’t work (NixOS’s service.caddy only seems to show Let’s Encrypt errors for the main Tailnet subdomain – the one with the machine name in it –, not the sub-subdomains).

I personally don’t need to set DNS records; I would just like HTTPS to work for subdomain.machinename.tailnet-name.ts.name, by having MagicDNS set up some kind of subdomain CNAME machinename.tailnet-name DNS record internally.

I guess the “DNS CNAME record” feature could be related to this issue: #1543.
