HTTPS with Tailscale certs & TS domain
I'm just curious if I can pull this off.
I understand that Tailscale does HTTPS Let's Encrypt certs (https://tailscale.com/kb/1153/enabling-https). I also found that Traefik supports the Tailscale cert resolver natively (https://www.tailscale.com/blog/traefik-certificate-resolver?ref=traefik.io & https://traefik.io/blog/exploring-the-tailscale-traefik-proxy-integration/).
I want to set the local domain to my tailnet domain so that jellyfin.<tailnetdomain>.ts.net uses the Tailscale cert resolver and resolves the HTTPS certificate.
Is there any way I can achieve this? Can I set the local domain to be the tailnet domain?
What I've tried
I've changed
myresolver
to
and the following user config
With this, I can get https://<machinename>.<tailnet>.ts.net (host domain) HTTPS working with a valid Let's Encrypt cert,
but the subdomains such as deluge.<machinename>.<tailnet>.ts.net do not resolve at all.
For context, I set up <tailnet>.ts.net as the local domain since everything is running inside Tailscale.
12 Replies
Hello
Tailscale doesn't support subdomains on machine names, so service.machine.network.ts.net is not possible
Got it, thanks!
Although you could technically achieve something similar with the local domains and trust the certificate manually
Yeah, I did not want to go through the whole setup of trusting the certificates manually.
Tailscale certs were nice because they were from Let's Encrypt.
You can try using the DNS challenge guide on our docs
Although you will need a domain
I do have a domain, I guess I’ll give it a shot.
Let me send you the link
Runtipi
Runtipi - Homeserver management made easy
Thanks a lot 👍
Will check it out.
I’ve set it up as specified, works great!
One question: should I enable “expose app to internet” one by one, or is there a way I can make my local domain something along the lines of cloud.bharatkalluri.com so that jellyfin.cloud.bharatkalluri.com will automatically get a cert?
@Bharat Kalluri this would require a DNS challenge, which we don’t support yet, unfortunately
Oh but you set it up manually
You still have to add the domains one by one, yes
Exposing everything automatically would be quite risky
If we can specify an optional resolver for local secure sites, then technically we can pull it off. Right?
Because technically tipi.lan would be a local. If I can reconfigure that to cloud.bharatkalluri.com and use my resolver for certs, then technically it might work.
Right now this does not work since local secure does not have a resolver. I tried 😅
Yes, you are correct, but it would mean refactoring all apps for your case