hollie / tailscale-caddy-proxy

Tailscale and Caddy proxy to expose docker containers over Tailscale with HTTPS access
MIT License
83 stars 10 forks

SSL can not be served #13

Closed semaf closed 1 month ago

semaf commented 1 month ago

Hey,

Thank you very much for the great solution. I was testing and already had the first issues with SSL :) I am not familiar with Caddy and am still learning Docker.

I see in the log on every start of the container two errors:

tailscale log as below:

tailscale-whoami-proxy-1  | This is Tailscale-Caddy-proxy version
tailscale-whoami-proxy-1  | 1.72.1
tailscale-whoami-proxy-1  |   tailscale commit: 
tailscale-whoami-proxy-1  |   go version: go1.22.5
tailscale-whoami-proxy-1  | Building Caddy configfile
tailscale-whoami-proxy-1  | Starting Caddy
whoami-1                  | 2024/09/20 14:26:24 Starting up on port 80
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.28629,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2870684,"msg":"adapted config to JSON","adapter":"caddyfile"}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2880397,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.288258,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00050d100"}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2881851,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2883418,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2887256,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2890851,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.289243,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2895849,"msg":"autosaved config (load with --resume flag)","file":"/root/.config/caddy/autosave.json"}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.2896276,"msg":"serving initial configuration"}
tailscale-whoami-proxy-1  | Successfully started Caddy (pid=23) - Caddy is running in the background
tailscale-whoami-proxy-1  | Starting Tailscale
tailscale-whoami-proxy-1  | Note: set TS_EXTRA_ARGS to  --hostname=tailscale-example
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.304651,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/root/.local/share/caddy"}
tailscale-whoami-proxy-1  | {"level":"info","ts":1726842384.305117,"logger":"tls","msg":"finished cleaning storage units"}
tailscale-whoami-proxy-1  | boot: 2024/09/20 14:26:24 Starting tailscaled
tailscale-whoami-proxy-1  | boot: 2024/09/20 14:26:24 Waiting for tailscaled socket
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 logtail started
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Program starting: v1.72.1-tf4a95663c, Go 1.22.5: []string{"tailscaled", "--socket=/tmp/tailscaled.sock", "--statedir=/var/lib/tailscale/", "--tun=userspace-networking"}
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 LogID: xxxxxxxxx
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 logpolicy: using system state directory "/var/lib/tailscale"
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 dns: [rc=unknown ret=direct]
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 dns: using "direct" mode
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 dns: using *dns.directManager
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 wgengine.NewUserspaceEngine(tun "userspace-networking") ...
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 dns: using dns.noopManager
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 link state: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.18.0.3/16]} v4=true v6=false}
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 onPortUpdate(port=59843, network=udp6)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 magicsock: [warning] failed to force-set UDP read buffer size to 7340032: operation not permitted; using kernel default values (impacts throughput only)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 magicsock: [warning] failed to force-set UDP write buffer size to 7340032: operation not permitted; using kernel default values (impacts throughput only)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 onPortUpdate(port=49903, network=udp4)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 magicsock: [warning] failed to force-set UDP read buffer size to 7340032: operation not permitted; using kernel default values (impacts throughput only)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 magicsock: [warning] failed to force-set UDP write buffer size to 7340032: operation not permitted; using kernel default values (impacts throughput only)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 magicsock: disco key = d:0469319ce52d5f37
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Creating WireGuard device...
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Bringing WireGuard device up...
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Bringing router up...
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Clearing router settings...
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Starting network monitor...
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Engine created.
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 pm: using backend prefs for "profile-a5a6": Prefs{ra=false dns=false want=true routes=[] statefulFiltering=false nf=on host="tailscale-example" update=check Persist{lm=, o=, n=[XoXtz] u="semaf@github"}}
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 logpolicy: using system state directory "/var/lib/tailscale"
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 got LocalBackend in 7ms
tailscale-whoami-proxy-1  | 2024/09/20 14:26:24 Start
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 timeout waiting for initial portlist
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 Backend: logs: be:xxxxxxxxx fe:
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 control: client.Login(0)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 health(warnable=warming-up): error: Tailscale is starting. Please wait.
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 control: doLogin(regen=false, hasUrl=false)
tailscale-whoami-proxy-1  | boot: 2024/09/20 14:26:25 [warning] failed to symlink socket: file exists
tailscale-whoami-proxy-1  |     To interact with the Tailscale CLI please use `tailscale --socket="/tmp/tailscaled.sock"`
tailscale-whoami-proxy-1  | boot: 2024/09/20 14:26:25 tailscaled in state "NoState", waiting
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 control: control server key from https://controlplane.tailscale.com: ts2021=[fSeS+], legacy=[nlFWp]
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 control: RegisterReq: onode= node=[XoXtz] fup=false nks=false
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=true; authURL=false
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 control: netmap: got new dial plan from control
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 health(warnable=not-in-map-poll): ok
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 active login: semaf@github
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 Switching ipn state NoState -> Starting (WantRunning=true, nm=true)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 magicsock: SetPrivateKey called (init)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 monitor: gateway and self IP changed: gw=172.18.0.1 self=172.18.0.3
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 wgengine: Reconfig: configuring userspace WireGuard config (with 0/10 peers)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 wgengine: Reconfig: configuring router
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 wgengine: Reconfig: configuring DNS
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:11}
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 dns: Resolvercfg: {Routes:{} Hosts:11 LocalDomains:[]}
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 dns: OScfg: {}
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 peerapi: serving on http://eee.fff.bbb.ccc:41971
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 peerapi: serving on http://[xxxx:yyyy:aaaa::bbbb:cccc]:41971
tailscale-whoami-proxy-1  | boot: 2024/09/20 14:26:25 tailscaled in state "Starting", waiting
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 magicsock: home is now derp-4 (fra)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 magicsock: adding connection to derp-4 for home-keep-alive
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 magicsock: 1 active derp conns: derp-4=cr0s,wr0s
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 magicsock: endpoints changed: aaa.bbb.ccc.ddd:49903 (stun), 172.18.0.3:49903 (local)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 derphttp.Client.Connect: connecting to derp-4 (fra)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 health(warnable=warming-up): ok
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 control: NetInfo: NetInfo{varies=false hairpin= ipv6=false ipv6os=true udp=true icmpv4=false derp=#4 portmap= link="" firewallmode=""}
tailscale-whoami-proxy-1  | boot: 2024/09/20 14:26:25 Running 'tailscale set'
tailscale-whoami-proxy-1  | boot: 2024/09/20 14:26:25 Startup complete, waiting for shutdown signal
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 magicsock: derp-4 connected; connGen=1
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 health(warnable=no-derp-home): ok
tailscale-whoami-proxy-1  | 2024/09/20 14:26:25 health(warnable=no-derp-connection): ok

Port 41971 is the only port I can call from the browser.

docker-compose.yml

networks:
  tailscale_proxy_example:
    external: false

volumes:
  tailscale-whoami-state:

services:

  whoami:
    image: traefik/whoami
    networks:
     - tailscale_proxy_example

  tailscale-whoami-proxy:
    image: hollie/tailscale-caddy-proxy:latest
    volumes:
      - tailscale-whoami-state:/var/lib/tailscale # Persist the tailscale state directory
    environment:
      - TS_HOSTNAME=tailscale-example     # Hostname you want this instance to have on the tailscale network
      - TS_TAILNET=tailscale-example.tailxxxx           # Your tailnet name without the .ts.net suffix!
      - CADDY_TARGET=whoami:80            # Target service and port
#      - TS_EXTRA_ARGS=--accept-dns       # Optional extra arguments to pass when starting tailscale
#      - SKIP_CADDYFILE_GENERATION=1      # Set this if you want to be able to override /etc/caddy/Caddyfile via a volume mapping      
    restart: on-failure
    init: true
    networks:
     - tailscale_proxy_example

hollie commented 1 month ago

Hey @semaf

Let me check if I can reproduce this.

hollie commented 1 month ago

Just to confirm @semaf that the error/warning in the log of Tailscale starting up are not the cause of your problem.

Reference log from a new container I created also contains:

tailscale-whoami-proxy-1  | 2024/09/25 15:04:12 control: client.Login(0)
tailscale-whoami-proxy-1  | 2024/09/25 15:04:12 control: doLogin(regen=false, hasUrl=false)
tailscale-whoami-proxy-1  | 2024/09/25 15:04:12 health(warnable=warming-up): error: Tailscale is starting. Please wait.
tailscale-whoami-proxy-1  | boot: 2024/09/25 15:04:12 [warning] failed to symlink socket: file exists
tailscale-whoami-proxy-1  |     To interact with the Tailscale CLI please use `tailscale --socket="/tmp/tailscaled.sock"`

The 'error' says that Tailscale is still starting up; it resumes when Tailscale has started. The 'warning' is not an error, but says that the file Tailscale wishes to symlink already exists (because I created it already). This is because previous versions of Tailscale did not create the symlink; see line 18 in https://github.com/hollie/tailscale-caddy-proxy/blob/main/image/Dockerfile.

From the input you delivered it is not clear to me what is wrong with your setup. You state 'SSL can not be served'. How are you trying to access the service?

At the first connection to the service you should see in your tailscale logs the request to generate the SSL certificate.

tailscale-whoami-proxy-1  | 2024/09/25 15:04:21 cert("tailscale-example.tailnet-XXXX.ts.net"): starting async renewal
tailscale-whoami-proxy-1  | 2024/09/25 15:04:21 cert("tailscale-example.tailnet-XXXX.ts.net"): already had ACME account.
tailscale-whoami-proxy-1  | 2024/09/25 15:04:22 cert("tailscale-example.tailnet-XXXX.ts.net"): starting SetDNS call...
tailscale-whoami-proxy-1  | 2024/09/25 15:04:34 cert("tailscale-example.tailnet-XXXX.ts.net"): did SetDNS
tailscale-whoami-proxy-1  | 2024/09/25 15:04:36 cert("tailscale-example.tailnet-XXXX.ts.net"): requesting cert...
tailscale-whoami-proxy-1  | 2024/09/25 15:04:36 cert("tailscale-example.tailnet-XXXX.ts.net"): got cert

Best regards, Lieven

semaf commented 1 month ago

I found the issue after I checked the Caddyfile; it is here: TS_TAILNET=tailscale-example.tailxxxx

This should be TS_TAILNET=tailxxxx

and now it's working.
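The root cause found above (TS_TAILNET carrying the hostname, so the name Caddy served did not match the certificate name HOSTNAME.TAILNET.ts.net seen in the cert log) is the kind of mistake a small start-up check can catch before Caddy ever requests a certificate. The following is an added example, not a script from the tailscale-caddy-proxy image: it derives the fully qualified name from TS_HOSTNAME and TS_TAILNET, rejects a TS_TAILNET that contains a dot (a repeated hostname or a .ts.net suffix), and prints a minimal Caddyfile site block. The function names ts_fqdn and caddyfile_for and the Caddyfile shape are assumptions; the image's own generator may differ.

```shell
#!/bin/sh
# Added example, not part of the tailscale-caddy-proxy image: derive the name
# Caddy will serve from TS_HOSTNAME and TS_TAILNET, and reject the
# misconfiguration from this issue before the container starts.

# ts_fqdn HOSTNAME TAILNET
# Prints HOSTNAME.TAILNET.ts.net, or prints a diagnostic on stderr and
# returns 1 when TAILNET is not a bare tailnet name.
ts_fqdn() {
    hostname="$1"
    tailnet="$2"
    case "$tailnet" in
        '')
            echo "TS_TAILNET is empty" >&2
            return 1 ;;
        *.ts.net)
            echo "TS_TAILNET must not carry the .ts.net suffix (got '$tailnet')" >&2
            return 1 ;;
        *.*)
            # Catches TS_TAILNET=tailscale-example.tailxxxx: the hostname is
            # already supplied by TS_HOSTNAME and must not be repeated here.
            echo "TS_TAILNET must be the bare tailnet name without dots (got '$tailnet')" >&2
            return 1 ;;
    esac
    case "$hostname" in
        ''|*.*)
            echo "TS_HOSTNAME must be a single DNS label (got '$hostname')" >&2
            return 1 ;;
    esac
    printf '%s.%s.ts.net\n' "$hostname" "$tailnet"
}

# caddyfile_for HOSTNAME TAILNET TARGET
# Prints a minimal Caddyfile site block (assumed shape; the image's own
# template may differ) that reverse-proxies the site name to TARGET.
caddyfile_for() {
    fqdn="$(ts_fqdn "$1" "$2")" || return 1
    printf '%s {\n\treverse_proxy %s\n}\n' "$fqdn" "$3"
}

# Demonstration with the values from this issue (constructed inputs).
caddyfile_for tailscale-example tailxxxx whoami:80
if ! caddyfile_for tailscale-example tailscale-example.tailxxxx whoami:80; then
    echo "refused the misconfigured TS_TAILNET, as intended" >&2
fi
```

Run with the compose values as arguments (TS_HOSTNAME, TS_TAILNET, CADDY_TARGET); a non-zero exit from ts_fqdn is the signal to stop the container entrypoint rather than let Caddy serve a name for which Tailscale will never issue a certificate.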

hollie commented 1 month ago

Good to hear that you found the issue and thanks for reporting back!