tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Custom DERP relay server client nodekey rejected #11887

Closed adamk closed 2 weeks ago

adamk commented 2 weeks ago

What is the issue?

I use ZeroSSL. I renewed and installed a new cert and verified the installation with ZeroSSL with all green check marks now. My DERP relay server was working great for months.

I concatenated the ca_bundle.crt and certificate.crt into a single .crt with my server hostname in /opt/derp/.cache/tailscale/derper-certs/ and also the private.key exists with my server hostname in the same folder. I ran chmod 755 on both and also chown derp:derp file.crt/.key on each as usual. I also have copies in /etc/ssl/certs and the private.key in /etc/ssl/private/

Apr 26 14:49:27 raspberrypi bash[9602]: 2024/04/26 14:49:27 derp: "IP-I-don't-recognize":53190: rejected client "nodekey-I-don't-recognize"> not in set of peers

I've tried reinstalling the whole DERP service with no luck.

Steps to reproduce

Renew ZeroSSL cert on existing/working DERP custom relay server.

Are there any recent changes that introduced the issue?

Renewed ZeroSSL cert

OS

Linux

OS version

Debian GNU/Linux 11 (bullseye)

Tailscale version

1.64.0

Other software

go version: go1.22.2

Bug report

No response
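The `rejected client ... not in set of peers` line quoted in the report is what a derper started with `-verify-clients` logs when the connecting node key is neither the local tailscaled's own key nor one of the peers that tailscaled currently knows about (the peer map that `tailscale status --json` prints). That check runs after the TLS handshake has already succeeded, so a chain that validates cleanly says nothing about whether a given node will be admitted. The Go program below is an added example, not derper's code, that reproduces that admission decision over a constructed status document; the node keys in it are placeholders, not real keys.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// status is the subset of `tailscale status --json` the admission check reads:
// the local node's key and the keys of every peer the local tailscaled knows.
// Keys appear in the "nodekey:<64 hex chars>" form.
type status struct {
	Self struct {
		HostName  string `json:"HostName"`
		PublicKey string `json:"PublicKey"`
	} `json:"Self"`
	Peer map[string]struct {
		HostName string `json:"HostName"`
	} `json:"Peer"`
}

var errNotPeer = errors.New("not in set of peers")

// admit mirrors the decision a verify-clients DERP makes for a connecting node
// key: the relay's own node is always accepted; any other key must be present
// in the local tailscaled's peer map. A node that was removed from the tailnet
// (or is no longer shared with the relay's owner) is rejected here even though
// its TLS connection to the relay already succeeded.
func admit(st *status, clientKey string) error {
	if clientKey == st.Self.PublicKey {
		return nil
	}
	if _, ok := st.Peer[clientKey]; !ok {
		return fmt.Errorf("rejected client %q: %w", clientKey, errNotPeer)
	}
	return nil
}

func parseStatus(raw []byte) (*status, error) {
	var st status
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("decode status: %w", err)
	}
	return &st, nil
}

// Constructed sample input: placeholder keys and a one-peer status document.
var (
	selfKey  = "nodekey:" + strings.Repeat("a1", 32) // the relay host itself
	peerKey  = "nodekey:" + strings.Repeat("b2", 32) // a node still in the tailnet
	strayKey = "nodekey:" + strings.Repeat("c3", 32) // a former peer still dialing the relay

	sampleStatus = fmt.Sprintf(`{
  "Self": {"HostName": "raspberrypi", "PublicKey": %q},
  "Peer": {%q: {"HostName": "laptop"}}
}`, selfKey, peerKey)
)

func main() {
	st, err := parseStatus([]byte(sampleStatus))
	if err != nil {
		panic(err)
	}
	for _, k := range []string{selfKey, peerKey, strayKey} {
		if err := admit(st, k); err != nil {
			fmt.Println("derp:", err)
			continue
		}
		fmt.Println("derp: accepted", k[:20]+"...")
	}
}
```

Run as written, the program accepts the relay's own key and the one peer, and logs the third key as rejected; that third case is the shape of the line in the report, independent of which CA issued the relay's certificate.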

bradfitz commented 2 weeks ago

Unless there's a bug or crash, we generally don't provide technical support in this forum with running custom DERP servers with bespoke configurations.

adamk commented 2 weeks ago

Unless there's a bug or crash, we generally don't provide technical support in this forum with running custom DERP servers with bespoke configurations.

What is "bespoke" about the configuration? Tailscale lists custom DERP relay servers on their official website (albeit without proper documentation), so I'd assume some level of support could be provided. The whole setup was working fine until the SSL cert needed renewing. I've also verified the SSL chain is correct at https://whatsmychaincert.com/. There's just some issue between derper and Tailscale with the IP and nodekeys.

bradfitz commented 2 weeks ago

Here's some information on Tailscale support offerings: https://tailscale.com/kb/1250/support-options

The bespoke part is not using LetsEncrypt. If you want to do custom TLS certs, that's not something we help with. The derper code to support custom certs was contributed by the community, primarily for use in China where LetsEncrypt (or encryption in general) is blocked. IIRC, you need to restart the derper process after changing certs. It doesn't monitor the files on disk for changes.
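For the manual-certificate setup discussed above, the check a practitioner wants after concatenating the files is whether a Go TLS server would actually accept them. The program below is an added example, not derper's code and not from anyone in this thread: it loads the chain file and key with the standard-library `tls.X509KeyPair`, which expects the leaf certificate first, the intermediates after it, and a key that matches that leaf, and then verifies the leaf for the relay's hostname against the intermediates in the bundle and a trust root. Because it has to run offline, it builds its own constructed root, intermediate and leaf for a hypothetical `derp.example.com` in place of the ZeroSSL chain; nothing in it is real CA material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkBundle loads the chain file and key the way a Go TLS server does (leaf
// first, then intermediates, key matching the leaf) and verifies the leaf for
// host against the intermediates in the bundle and the supplied trust roots.
func checkBundle(bundlePEM, keyPEM []byte, host string, roots *x509.CertPool) error {
	pair, err := tls.X509KeyPair(bundlePEM, keyPEM)
	if err != nil {
		// Also the error you get when the CA bundle was concatenated before the
		// leaf, or when the key file still belongs to the previous certificate.
		return fmt.Errorf("load key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	inter := x509.NewCertPool()
	for _, der := range pair.Certificate[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("parse intermediate: %w", err)
		}
		inter.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns DER.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// testChain builds a constructed root -> intermediate -> leaf chain for host
// (a stand-in for a real CA chain) and returns the leaf-first bundle, the same
// two files concatenated CA-first, the leaf's key, and a pool trusting only
// the constructed root.
func testChain(host string) (bundle, caFirst, keyPEM []byte, roots *x509.CertPool) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	now := time.Now()
	caTmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue(caTmpl("Constructed Root", 1), nil, &rootKey.PublicKey, rootKey)
	inter := issue(caTmpl("Constructed Intermediate", 2), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)

	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		panic(err)
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	bundle = append(certPEM(leaf), certPEM(inter)...)  // certificate.crt then ca_bundle.crt
	caFirst = append(certPEM(inter), certPEM(leaf)...) // ca_bundle.crt then certificate.crt
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return bundle, caFirst, keyPEM, roots
}

func main() {
	bundle, caFirst, key, roots := testChain("derp.example.com")
	fmt.Println("leaf-first bundle:", checkBundle(bundle, key, "derp.example.com", roots))
	fmt.Println("ca-first bundle:  ", checkBundle(caFirst, key, "derp.example.com", roots))
	fmt.Println("wrong hostname:   ", checkBundle(bundle, key, "other.example.com", roots))
}
```

Only the leaf-first bundle passes; the CA-first concatenation fails at load time with a key mismatch, and a hostname that is not in the leaf's SANs fails verification. When wiring this to real files, the private key only needs to be readable by the account derper runs as, and, as the reply above notes, derper has to be restarted after the files are replaced because it does not reread them on its own.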

adamk commented 2 weeks ago

I've tried re-installing the entire DERP server with no luck. Same error.

I will try the following next:

  1. sudo systemctl stop tailscaled
  2. sudo rm /var/lib/tailscale/tailscaled.state
  3. sudo systemctl start tailscaled
  4. tailscale up

This should give me a new node identity. If this doesn't work, then I will try LetsEncrypt.

adamk commented 2 weeks ago

Well that didn't work. Also tried LetsEncrypt and now I get the SAME error as when I was using ZeroSSL. The other weird thing is I also get the error "from 75.108.XXX.YYY" IP address and I have no idea where the 75. IP came from in the first place. It says it originates from Beckley, WV which is not where I am. Very strange.

adamk commented 2 weeks ago

OK realized that IP is likely a friend's node trying to connect but failing because I removed him from my exit node a while ago. Now to figure out why I can't connect back to my own DERP relay server when the SSL chain is correct.