juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License
23.5k stars 1.29k forks

[Feature] Support self-signed TLS (other than Let's Encrypt) #2201

Closed cg31 closed 3 weeks ago

cg31 commented 1 month ago

Use case

We can use a self-signed TLS certificate without an outside service like Let's Encrypt, for a simple network.

Description

Headscale supports Let's Encrypt, but it still needs a domain name, and it also makes Headscale depend on another service.

Nowadays we can use mkcert or openssl to generate a self-signed certificate; they can be done with an IP only.

Contribution

How can it be implemented?

  1. User generates a local CA with mkcert or openssl
  2. User installs the CA on all nodes
  3. User creates a new certificate with the CA for the headscale server
  4. Headscale uses the certificate with ListenAndServeTLS to provide the TLS service; client nodes (Tailscale) use the installed CA to verify the certificate.
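
The four steps above, as an added example in Go that is not headscale's code: it builds a throwaway local CA and an IP-only server certificate in memory, serves TLS with that certificate through httptest (standing in for ListenAndServeTLS), and then connects once with the CA trusted and once without, so the verification step 4 relies on is visible. The names `must` and `ProbeTLS` are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http/httptest"
	"time"
)
// must panics on setup errors so the example stays short (constructed helper).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// ProbeTLS walks the four steps: local CA (1), server cert with only an IP SAN (3), a TLS
// listener using it (4), then a client that trusts the CA (2) and one with an empty trust store.
func ProbeTLS() (withCA, withoutCA error) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "local test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)) // self-signed root
	ca := must(x509.ParseCertificate(caDER))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "headscale"},
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}} // IP SAN only: no domain name involved
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)) // signed by the CA
	srv := httptest.NewUnstartedServer(nil) // stands in for headscale's ListenAndServeTLS
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS() // httptest binds 127.0.0.1, which matches the IP SAN
	defer srv.Close()
	dial := func(roots *x509.CertPool) error { // roots plays the CA store installed on a node
		conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "127.0.0.1"})
		if err == nil {
			conn.Close()
		}
		return err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return dial(trusted), dial(x509.NewCertPool()) // second dial must fail: CA not installed
}
```

A node that has not installed the CA gets the "unknown authority" failure from the second dial; there is no silent fallback to an unverified connection.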

hopleus commented 1 month ago

Isn't that what you're suggesting?

https://headscale.net/ref/tls/#bring-your-own-certificate

cg31 commented 1 month ago

I tried it with a certificate, but it doesn't work, and headscale reports the error "headscale/cli/utils.go:124 > Could not connect: context deadline exceeded"

When I look inside headscale, it still uses ListenAndServe; ListenAndServeTLS can use paths to the cert and key directly.

cg31 commented 3 weeks ago

> Isn't that what you're suggesting?
>
> https://headscale.net/ref/tls/#bring-your-own-certificate

Turns out... it works after trying again, only I need to use 443 as the serving port.

But "headscale nodes list" doesn't seem to work anymore, but it doesn't matter.