shayne / tsnet-serve

Tailscale Serve in a tsnet app
MIT License

connection is not secure? #7

Closed bfallik closed 2 months ago

bfallik commented 2 months ago

Hi,

Thanks for building tsnet-serve!

I'm trying to use tsnet-serve as a proxy for a local, insecure web service. Ideally, https://myapp.my-tailnet.ts.net should proxy to localhost:. I'm running tsnet-serve with:

$ go run . -hostname myapp -backend 3001 -state-dir state

When I point Chrome at https://myapp.my-tailnet.ts.net, the browser complains that the site is not secure. I see a "certificate is not valid" message clicking through to inspect in Chrome but no other obvious problems.

I can also see some errors in the console that seem related:

2024/09/15 23:29:43 http: TLS handshake error from 100.101.210.30:61189: remote error: tls: unknown certificate

Any idea why this isn't working?

Best, brian

ananthb commented 2 months ago

Probably related to this: https://github.com/tailscale/tailscale/issues/10220

I have a few services that are already running with tsnet-serve. I tried creating a new service now and that failed with an error similar to yours.

Can you check your console logs for something like this:

2024/09/18 16:34:22 http: TLS handshake error from 100.x.y.z:45178: SetDNS "_acme-challenge.test.my.ts.net" => "<redacted>": set-dns response: 500 Internal Server Error, failed to create DNS record

bfallik commented 2 months ago

@ananthb Interesting. I'm pretty sure I didn't see that TLS handshake error. If I had I would have been suspicious enough to capture it in this ticket.

Unfortunately I can't reproduce the error easily as I unwound the approach using tsnet-serve. Instead I created a custom container image that combines tailscale and the local service. That works well enough for now.

Feel free to close this ticket if there's no action to take.

ananthb commented 2 months ago

@bfallik I'm able to reproduce your specific issue now. The generated certificate is missing certificate transparency issues apparently. The same error occurs even after downgrading tailscale to older versions.

I'll file a new upstream bug if it doesn't get fixed as part of the one I linked above.
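The "remote error: tls: unknown certificate" line in the original report is the server's view of the browser rejecting the leaf (the client sends a certificate_unknown alert); the reason lives in the certificate itself. The following is an added diagnostic, my own example rather than tsnet-serve or Tailscale code, that fetches the leaf a host presents on port 443 and reports the three things Chrome checks before it calls a page secure: whether the requested name is in the SAN list, whether the validity period covers now, and whether the leaf carries an embedded SCT list (Chrome refuses publicly trusted leaves without CT proof). Assumptions: the host listens on 443; only SCTs embedded in the certificate are inspected (ACME CAs such as Let's Encrypt embed them; SCTs delivered in the TLS handshake or via OCSP stapling are out of scope); the certificates built by makeTestLeaf are synthetic self-signed test data, and the hostname myapp.my-tailnet.ts.net is the placeholder from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// OID of the embedded SCT list extension from RFC 6962.
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// CertFindings records the leaf properties a browser checks before trusting a page.
type CertFindings struct {
	DNSNames  []string
	Issuer    string
	NameMatch bool // requested hostname is covered by the SAN list
	InPeriod  bool // now falls inside NotBefore..NotAfter
	HasSCTs   bool // leaf carries a non-empty embedded SCT extension
}

// InspectLeaf evaluates a leaf certificate for hostname at time now.
// Only embedded SCTs are detected; TLS-extension or OCSP-delivered SCTs are not.
func InspectLeaf(leaf *x509.Certificate, hostname string, now time.Time) CertFindings {
	f := CertFindings{DNSNames: leaf.DNSNames, Issuer: leaf.Issuer.String()}
	f.NameMatch = leaf.VerifyHostname(hostname) == nil
	f.InPeriod = !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter)
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) && len(ext.Value) > 0 {
			f.HasSCTs = true
		}
	}
	return f
}

// Explain maps findings to the likely cause of a "certificate is not valid" warning.
func Explain(f CertFindings) []string {
	var reasons []string
	if !f.NameMatch {
		reasons = append(reasons, "hostname not covered by SANs: "+strings.Join(f.DNSNames, ", "))
	}
	if !f.InPeriod {
		reasons = append(reasons, "certificate is outside its validity period")
	}
	if !f.HasSCTs {
		reasons = append(reasons, "no embedded SCT list; Chrome requires CT proof (ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)")
	}
	return reasons
}

// InspectHost reads the leaf a live server presents for hostname on port 443.
// Verification is disabled so a broken chain can still be read: diagnostic use only.
func InspectHost(hostname string) (CertFindings, error) {
	conn, err := tls.Dial("tcp", hostname+":443", &tls.Config{ServerName: hostname, InsecureSkipVerify: true})
	if err != nil {
		return CertFindings{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return CertFindings{}, errors.New("no certificate presented")
	}
	return InspectLeaf(certs[0], hostname, time.Now()), nil
}

// makeTestLeaf builds a self-signed leaf for dnsName, optionally carrying a dummy
// SCT extension (an OCTET STRING holding an empty SCT list). Synthetic test data only.
func makeTestLeaf(dnsName string, withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSCT {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: []byte{0x04, 0x02, 0x00, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "myapp.my-tailnet.ts.net" // placeholder from the report; pass a real name as argv[1]
	if len(os.Args) > 1 {
		f, err := InspectHost(os.Args[1])
		if err != nil {
			fmt.Println("dial failed:", err)
			os.Exit(1)
		}
		fmt.Printf("%+v\nreasons: %v\n", f, Explain(f))
		return
	}
	leaf, err := makeTestLeaf(host, false) // offline demo on a synthetic leaf without SCTs
	if err != nil {
		panic(err)
	}
	f := InspectLeaf(leaf, host, time.Now())
	fmt.Printf("%+v\nreasons: %v\n", f, Explain(f))
}
```

Run it with the tailnet name as the only argument to inspect a live host; with no argument it evaluates the synthetic leaf, which lacks SCTs and so reports the CT reason. A clean result from this tool with the browser still complaining points at the chain or at delivery-time SCTs rather than the leaf.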

bfallik commented 2 months ago

Thanks!

ananthb commented 2 months ago

@bfallik this has been fixed server side. You should be good to go.