HA OS machine not reconnecting to Tailscale after key expiry + renewal

[Aaroneisele55]

Hello, I'm currently away from home and yesterday, the node key of my HA host (RPi 4 with HA OS and this addon being the only way of remote access) expired. I first clicked the "extend temporarily" button in the Tailscale admin console, but my HA didn't reconnect. When I then renewed the key (all from TS admin console), it still didn't reconnect.

I can access my HA instance again when I come home in about 2 days, but what is the recommended procedure for dealing with node key expiry when remote?

I normally turn off node key expiry, but forgot to turn it off after switching to your addon from the official one.

Is the add-on expected to reconnect on renewal? If not, this should be considered to be added.

Best regards Aaron

[lmagyar]

At https://tailscale.com/kb/1028/key-expiry/ it says "The key will be extended for 30 minutes. Instruct the owner of the machine to log in and reauthenticate within the extended timeframe, or disable key expiry for this device within that window."

It would be great if they had specified what it exactly means. Should we execute tailscale up --force-reauth? How can we detect this situation? Becasue "Instruct the owner of the machine" has no help for a docker container.

So I don't know the answer, we should experiment with it. I have no time until the end of Sept. and a lightning destroyed some of my live and test environments, so I will have no chance to play with it for a few weeks. But it is an interesting situation.

[lmagyar]

If you have access to the host's SSH (not the SSH add-on, but the real host's SSH, see: https://developers.home-assistant.io/docs/operating-system/debugging/), please execute this command: journalctl CONTAINER_NAME=addon_09716aab_tailscale | tail -n 1000 This will show the log of the add-on from the past, and maybe we can see what happened when the keys are expired, what error can be detected. Please check, that the logs contain that time period, when the key expired and when the key extension happened, maybe tail -n 1000 should be increased to more lines.

My guess is that the add-on stopped, because the the tailscale service stopped, and we should prevent this. But I can be completely wrong. :D

[Aaroneisele55]

Hello @lmagyar , I don't have host access on my Pi as I'm running HA OS, but what can I do to help debugging this instead?

[lmagyar]

TLDR:

• press "extend temporarily"
• press "disable key expiry"
• problem solved

I will add a warning to the log during add-on startup to consider disabling key expiration.

---

Long version.

I don't have host access on my Pi as I'm running HA OS, but what can I do to help debugging this instead?

OK, no problem. (Though you can have host SSH access on HA OS. It is rarely needed, but sometimes it is handy, especially for seeing logs from the past. But to set it up, it requires physical access to the host, you need to plug an USB drive temporarily to it to set it up.)

I've bought new PI-s, and made a quick experiment, I've set the key expiry for 1 day:

• When the keys expired, I've lost access, but the add-on was running normally, only the tailscale daemon changed it's status from running to needslogin.
• When I extended the keys temporarily, I've regained access immediately.
• I've tested re-authentication, I've pressed "reauthenticate" on the web UI through the tailscale connection, and I've lost access immediately, nothing strange. The tailscale daemon went from running state to starting and remained there, that is strange, I had to restart the add-on from the "inside" connection, but then it worked normally, as if I have never pressed the "reauthenticate" link. In summary, this re-authentication through the tailscale connection doesn't work. No surprise.
• What works is that there is the "disable key expiry" button on tailscale's management UI after you press the "extend temporarily", after I disabled key expiration in this 30 minutes period, the connection remained live "forever".