Allow automatic use of Headscale certs? #5197
Comments
|
Yeah, I think we can do this. Not sure how yet, but most likely doable! |
|
Thank you very much! |
|
Headscale or tailscaled would need to know how to nudge the DNS server to add the dns txt records for verification. This is hard, because everyone uses a different DNS server and API/process to change the records. It works so easily with tailscale, because tailscale-the-company controls Caddy asking for a cert is the icing. The hard part is getting the pieces to talk to each other. I have implemented https for headscale domains. For the curious, here is a public domain I had to change my dns server from unbound to nsd to make it work, because I couldn't reliably update the zone from a shell script. As you can see, it's convoluted. A better place to start for the adventurous would probably be headscale, not here. :). (And the mention of headscale should probably removed from the caddy docs, since it's not fundamentally not possible today, not due to Caddy's fault). |
|
@motiejus I don't use Tailscale nor Headscale so I'm not equipped to help much here, but it sounds like we need to integrate Caddy's DNS plugins to make this happen. I don't know what the triggers are here, but that does sound solvable. |
|
Note that Headscale does not yet fetch certs to use with server over TLS but it probably will some day: |
Hello,
The docs mention that Headscale, a libre implementation of the Headscale control server, can be used with Caddy. However, Caddy only automatically uses Tailscale for
*.ts.netdomains, which are specific to Tailscale services. Headscale users, on the other hand, obviously get to define their own domain name.Would it be possible, for example, to be able to define the domain used by Headscale in Caddy's configuration, in order for it to use its TLS certificates automatically?
Thanks a lot!
EV
The text was updated successfully, but these errors were encountered: