
Allow automatic use of Headscale certs?

Open edgar-vincent opened this issue 2 years ago • 4 comments

Hello,

The docs mention that Headscale, a libre implementation of the Tailscale control server, can be used with Caddy. However, Caddy only automatically uses Tailscale for *.ts.net domains, which are specific to Tailscale services. Headscale users, on the other hand, obviously get to define their own domain name.

Would it be possible, for example, to be able to define the domain used by Headscale in Caddy's configuration, in order for it to use its TLS certificates automatically?

Thanks a lot!

EV

edgar-vincent avatar Nov 10 '22 13:11 edgar-vincent

Yeah, I think we can do this. Not sure how yet, but most likely doable!

mholt avatar Nov 10 '22 15:11 mholt

Thank you very much!

edgar-vincent avatar Nov 10 '22 16:11 edgar-vincent

Headscale or tailscaled would need to know how to nudge the DNS server to add the DNS TXT records for verification. This is hard, because everyone uses a different DNS server and API/process to change the records.

It works so easily with tailscale, because tailscale-the-company controls *.ts.net, tailscale control plane and tailscaled (the daemon on everyone's machine). They can easily couple everything and have just 1 combination of software to worry about. Tailscale offering https to their-controlled domain is not a coincidence. :)

Caddy asking for a cert is the icing. The hard part is getting the pieces to talk to each other.

I have implemented https for headscale domains. For the curious, here is a public domain bitwarden.jakstys.lt pointing to 100.<...> ip: https://git.jakstys.lt/motiejus/config/src/commit/d60677822f3e340c1f6a96533de432884e10bc77/data.nix#L170 and implementation: https://git.jakstys.lt/motiejus/config/src/commit/d60677822f3e340c1f6a96533de432884e10bc77/modules/services/nsd-acme/default.nix

I had to change my DNS server from unbound to nsd to make it work, because I couldn't reliably update the zone from a shell script.

As you can see, it's convoluted. A better place to start for the adventurous would probably be headscale, not here. :).

(And the mention of headscale should probably be removed from the caddy docs, since it's fundamentally not possible today, and not due to Caddy's fault).

motiejus avatar Nov 22 '23 21:11 motiejus

@motiejus I don't use Tailscale nor Headscale so I'm not equipped to help much here, but it sounds like we need to integrate Caddy's DNS plugins to make this happen. I don't know what the triggers are here, but that does sound solvable.

francislavoie avatar Nov 23 '23 02:11 francislavoie
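For a practitioner who wants this working now rather than waiting on an integration, the pieces the thread describes already exist: a certificate for a name that resolves to a 100.64.0.0/10 address can only be obtained with the ACME DNS-01 challenge (the CA can never reach the Tailnet IP, so HTTP-01 and TLS-ALPN-01 are out), and Caddy's DNS plugins are what automate the TXT record that motiejus had to script against nsd. The Caddyfile below is an added example, not configuration from the thread or from the Caddy or Headscale projects. It assumes Caddy was built with the Cloudflare DNS plugin (`xcaddy build --with github.com/caddy-dns/cloudflare`), that the zone is hosted at Cloudflare, and that a token scoped to edit DNS for that zone is exported as `CLOUDFLARE_API_TOKEN`; the hostname, Tailnet address and upstream port are placeholders.

```caddyfile
# Added example (not from the issue thread): Caddy on a Headscale node,
# serving a hostname whose A record points at the node's Tailnet address.
#
# Assumptions: Caddy built with github.com/caddy-dns/cloudflare, zone at
# Cloudflare, CLOUDFLARE_API_TOKEN set in the environment. Placeholders:
# bitwarden.example.org, 100.64.0.10, 127.0.0.1:8080.
bitwarden.example.org {
	tls {
		# DNS-01: the plugin creates _acme-challenge.bitwarden.example.org
		# TXT in the public zone, the CA reads it, the plugin removes it.
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}

		# Caddy checks the TXT record itself before asking the CA to
		# validate. Point that check at public resolvers so it does not
		# go through Headscale's MagicDNS/split-DNS resolver, which may
		# not see the public zone and would stall the challenge.
		resolvers 1.1.1.1 9.9.9.9
	}

	# Listen only on the Tailnet address: the name is public, the
	# service is not.
	bind 100.64.0.10

	reverse_proxy 127.0.0.1:8080
}
```

Two checks worth doing after the first issuance: `caddy` logs a `certificate obtained successfully` line for the name, and `dig +short TXT _acme-challenge.bitwarden.example.org @1.1.1.1` should return nothing once the challenge has been cleaned up, confirming the plugin's delete path works and stale TXT records are not left behind. Two caveats: the hostname (and, if you publish the A record publicly, the Tailnet IP) ends up in public DNS and in Certificate Transparency logs, which is harmless for an address nobody outside the Tailnet can route to but is still information disclosure; and only the `_acme-challenge` TXT record has to be resolvable by the CA, so the A record itself can live exclusively in your Tailnet's private DNS if you prefer not to publish it at all.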