
ssl certificates for tailscale nodes with nginx proxy

Provision ssl/tls certificates for your applications with tailscale.

If you have nodes behind the Tailscale VPN that serve applications, and you don't want the hassle of setting up a reverse proxy under your own domain and managing its certificates, Tailscale can provision Let's Encrypt certificates for each node and manage them for you. We are still free to use and configure those certificates however we want.

Enable settings

First we need to enable two settings in the Tailscale dashboard. Visit the dashboard and go to the DNS page:

  • Enable MagicDNS
  • Enable HTTPS Certificates

(Screenshot: Tailscale MagicDNS and HTTPS Certificates settings)

Provision Certificates

To generate a certificate you need the machine name and your tailnet name, which together form the DNSName of the machine:

tailscale cert <MACHINE-NAME>.<TAILNET>.ts.net

You can get the DNSName either from the dashboard or from the Tailscale CLI; run

tailscale status --json
.
.
.
  "Self": {
      "ID": "n**********",
      "PublicKey": "nodekey:*************************",
      "HostName": "machine",
      "DNSName": "machine.tailnet.ts.net.",
      "OS": "linux",
      "UserID": ************,
      "TailscaleIPs": [
        "***.***.***.***",
        "************"
      ],
  }

To provision the certificate, run

tailscale cert machine.tailnet.ts.net

The result would be

Wrote public cert to machine.tailnet.ts.net.crt
Wrote private key to machine.tailnet.ts.net.key

Now we have a valid certificate from Let's Encrypt.

nginx configuration

Create a new nginx config at /etc/nginx/sites-available/machine.tailnet.ts.net

server {
    # Plain HTTP is also accepted here; only port 443 terminates TLS.
    listen 80;
    listen 443 ssl;
    # The files written by `tailscale cert`, moved to a directory nginx can read.
    ssl_certificate /home/user/certs/machine.tailnet.ts.net.crt;
    ssl_certificate_key /home/user/certs/machine.tailnet.ts.net.key;
    server_name machine.tailnet.ts.net;

    location / {
        # Upstream application listening on the loopback interface.
        proxy_pass http://127.0.0.1:8080;
        # Pass the original host, client address and scheme on to the upstream.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

In the above config, requests for machine.tailnet.ts.net are proxied to a service running at http://127.0.0.1:8080.

Enable this config by running the following

sudo ln -s /etc/nginx/sites-available/machine.tailnet.ts.net /etc/nginx/sites-enabled/

Now reload nginx

sudo systemctl reload nginx

Now visit the site and check the TLS status.
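As an added example that is not part of the original post, the POSIX shell script below ties the steps above together: it reads the node's DNSName from tailscale status --json, provisions the certificate with tailscale cert, checks that the written private key really matches the certificate, and reloads nginx only after nginx -t passes. The function names, CERT_DIR and the sample JSON are assumptions/constructed; it assumes tailscale and openssl are on PATH and that it runs as root or as the configured tailscale operator.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes `tailscale` and
# `openssl` on PATH, run as root or the tailscale operator; CERT_DIR is an
# assumed path that matches the ssl_certificate lines in the nginx config.
set -eu

CERT_DIR="${CERT_DIR:-/home/user/certs}"

# Print the node's own DNSName (trailing dot stripped) from status JSON on stdin.
# The "Self" object precedes "Peer" in the output, so the first match is this node.
dnsname_from_status() {
  sed -n 's/^[[:space:]]*"DNSName":[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1 | sed 's/\.$//'
}

# Succeed only when the certificate's public key is the one derived from the key.
# Comparing PEM public keys works for ECDSA as well as RSA, unlike "-modulus".
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -pubkey -noout)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# Fetch (or renew) the certificate into CERT_DIR, lock down the private key, and
# reload nginx only if the configuration still passes `nginx -t`.
provision() {
  name=$(tailscale status --json | dnsname_from_status)
  if [ -z "$name" ]; then
    echo "could not determine DNSName; is MagicDNS enabled for this tailnet?" >&2
    return 1
  fi
  mkdir -p "$CERT_DIR"
  tailscale cert --cert-file "$CERT_DIR/$name.crt" \
                 --key-file "$CERT_DIR/$name.key" "$name"
  chmod 600 "$CERT_DIR/$name.key"
  if ! cert_matches_key "$CERT_DIR/$name.crt" "$CERT_DIR/$name.key"; then
    echo "certificate and key in $CERT_DIR do not match" >&2
    return 1
  fi
  nginx -t && systemctl reload nginx
}

# Run the live flow only when invoked as `./provision.sh run`, so the helper
# functions can also be sourced from another script or a cron job.
if [ "${1:-}" = "run" ]; then
  provision
fi
```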

Conclusion

Any queries, feel free to comment below.

This post is licensed under MIT by the author.