New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to know if Tailscale cert integration was attempted? #5041
Comments
Enable debug mode. I just realized there's not a flag for that with the
Most common causes for failures are Caddy not having permission to read the socket or not restarting the TS service. (PS. Stay tuned for something really cool to make this easier, soon!) |
(There ya go, now you can use the |
From log file when request comes in:
I can't see in the logs where it attempts to comms with the socket that's there. When running tailscale cert on same system:
Caddy version:
|
Also, not sure if this makes a difference but it's running on Kubernetes in tailscale sidecar as root (as a test). Not sure if it's expecting anything else as part of the discovery process to determine if tailscale is running (which it is) and where the socket is. |
Are you mounting the tailscale socket into your container? Caddy uses the socket to communicate with tailscale. |
It's all happening in the same container for debugging / testing purposes. I.e. I'm trying to get caddy to talk with the tailscale socket that is present in the same container. But I can't even see if it's even attempting to from the log output. As per #5041 (comment) when I run the tailscale cert option in the same container the socket stuff is working as it's bringing back a cert. This is probably lack of understanding how caddy "detects" tailscale socket but there's nothing that shows in the log output that makes it obvious. |
Did you see the notes in https://caddyserver.com/docs/automatic-https#activation about it? There might be some key insights in the links there that might help. |
The only note is:
What I am trying:
How do I get more log output on the attempt to work with the tailscale socket given the ts.net domain that's being used. I don't see any attempt in the logs even with DEBUG option. |
I've switched back to relying on the Thanks for your input. |
@dcarrion87 Does it work outside of the container? I'm concerned that the odd container setup is probably breaking things.
That's what You can explicitly enable tailscale certs easily enough:
And that should yield the specific error in the logs for you. |
I think Caddy is looking specifically for this path: |
I just added a debug log to the tailscale code as well, so if there's a (currently-hidden) error it'll now appear in the debug logs. |
@mholt bingo! Added this with debugging:
Revealed this:
Tailscale's default args for the tailscale container pins to /tmp/tailscaled.sock: After overriding this to the hard coded path caddy is looking for it all came good! |
Great! Thanks for the follow-up. I wonder if we should we make that socket path configurable? I'm also kind of waiting on https://github.com/tailscale/caddy-tailscale. It is a Caddy plugin that, once the PR is merged, allows Caddy to join the tailnet and get TS certs without needing the TS daemon at all, is my understanding. So the need for that go away entirely soon. |
Trying to work out how caddy interacts with tailscale HTTPS mechanism and it's a bit of a mystery...
I have tailscale running in a kubernetes pod container. Running a tailscale cert works fine and produces cert and key file. Socket is at /tmp/tailscaled.socket by default in the sidecar.
As a test I bring the caddy binary into the container and run this to see if it interacts with socket directly:
caddy reverse-proxy --from REDCATED.REDCATED.ts.net --to localhost:3000
The logs don't indicate that they try to get a certificate via tailscale integration:
Trying to access from another machine in the tailnet:
How does one get more verbose info on the tailscale cert integration mechanism to see what it's actually doing?
The text was updated successfully, but these errors were encountered: