Caddy and macOS Tailscale from App Store

I’m trying to get Tailscale and Caddy working together on macOS and I’m running into problems I guess might be related to the App Store install.

When curl’ing my hostname I get:

curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Tailscale version

1.26.2

Caddy version

2.5.1

Caddyfile

{
	debug
	log {
		output file log/caddy.log {
			roll_keep 1
		}
	}
}

my-host-name.turkey-snapper.ts.net {
	reverse_proxy /* localhost:9000
	tls {
		get_certificate tailscale
	}
}

Caddy logs

From running caddy with sudo:

2022/07/11 15:49:10.645	debug	tls.handshake	no matching certificates and no custom selection logic	{"identifier": "my-host-name.turkey-snapper.ts.net"}
2022/07/11 15:49:10.645	debug	tls.handshake	no matching certificates and no custom selection logic	{"identifier": "*.turkey-snapper.ts.net"}
2022/07/11 15:49:10.645	debug	tls.handshake	no matching certificates and no custom selection logic	{"identifier": "*.*.ts.net"}
2022/07/11 15:49:10.645	debug	tls.handshake	no matching certificates and no custom selection logic	{"identifier": "*.*.*.net"}
2022/07/11 15:49:10.645	debug	tls.handshake	no matching certificates and no custom selection logic	{"identifier": "*.*.*.*"}
2022/07/11 15:49:10.654	warn	tls.get_certificate.tailscale	could not get status; will try to get certificate anyway	{"error": "Get \"http://local-tailscaled.sock/localapi/v0/status\": dial unix /var/run/tailscaled.socket: connect: no such file or directory"}
2022/07/11 15:49:10.661	error	tls.handshake	getting certificate from external certificate manager	{"sni": "my-host-name.turkey-snapper.ts.net", "cert_manager": 0, "error": "Get \"http://local-tailscaled.sock/localapi/v0/cert/my-host-name.turkey-snapper.ts.net?type=pair\": dial unix /var/run/tailscaled.socket: connect: no such file or directory"}
2022/07/11 15:49:10.661	debug	tls.handshake	all external certificate managers yielded no certificates and no errors	{"sni": "my-host-name.turkey-snapper.ts.net"}
2022/07/11 15:49:10.661	debug	tls.handshake	no certificate matching TLS ClientHello	{"server_name": "my-host-name.turkey-snapper.ts.net", "remote": "100.91.187.48:61404", "identifier": "my-host-name.turkey-snapper.ts.net", "cipher_suites": [4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161, 49171, 51, 157, 156, 61, 60, 53, 47, 255], "cert_cache_fill": 0, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}

What stands out here is:

dial unix /var/run/tailscaled.socket: connect: no such file or directory

I’m guessing this might have to do with the app store vs standalone vs tailscaled differences. I haven’t tried any other form of running it.

I haven’t found the socket file at all on my system, no idea where it lives.

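The log excerpt above already contains the root cause, but it is buried in the JSON fields of two lines among many. The script below is an added example (not code from the thread, from Caddy or from Tailscale): it parses Caddy's tab-separated console log format as shown above (timestamp, level, logger, message, JSON fields), pulls out every error that is really a failed Unix-socket dial, and lists the distinct sockets Caddy could not reach together with the SNI names that consequently got no certificate. The sample lines are copied from the post with the middle wildcard lines dropped; the `dial unix <path>: connect: <reason>` pattern is the Go net package's error format and is the only assumption the matcher makes.

```python
"""Triage Caddy debug logs for external certificate-manager failures.

Added example, not part of the forum thread. Caddy's console log lines are
tab-separated:  timestamp  level  logger  message  json-fields
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Go's net package renders a failed Unix-socket connect as
# "dial unix <path>: connect: <reason>"; that is the string we key on.
SOCKET_RE = re.compile(r"dial unix (?P<path>\S+): connect: (?P<reason>.+)$")


@dataclass
class LogEntry:
    ts: str
    level: str
    logger: str
    msg: str
    fields: Dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one Caddy console log line; return None if it is not one."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) < 4:
        return None
    ts, level, logger, msg = parts[:4]
    fields: Dict = {}
    if len(parts) == 5 and parts[4].strip():
        try:
            fields = json.loads(parts[4])
        except json.JSONDecodeError:
            fields = {"_raw": parts[4]}  # keep it rather than drop it
    return LogEntry(ts, level, logger, msg, fields)


def diagnose(lines: List[str]) -> List[Dict]:
    """One finding per entry whose 'error' field is a failed socket dial."""
    findings = []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        err = entry.fields.get("error")
        if not isinstance(err, str):
            continue
        m = SOCKET_RE.search(err)
        if not m:
            continue
        findings.append({
            "level": entry.level,
            "logger": entry.logger,
            # tls.handshake logs the name as "sni", the cert manager as "identifier"
            "target": entry.fields.get("sni") or entry.fields.get("identifier"),
            "socket": m.group("path"),
            "reason": m.group("reason"),
        })
    return findings


def root_cause(findings: List[Dict]) -> List[Tuple[str, str]]:
    """Collapse findings to the distinct (socket, OS reason) pairs."""
    return sorted({(f["socket"], f["reason"]) for f in findings})


def unserved_sni(lines: List[str]) -> List[str]:
    """Server names for which Caddy ended up with no certificate at all."""
    names = []
    for raw in lines:
        entry = parse_line(raw)
        if entry and entry.msg == "no certificate matching TLS ClientHello":
            names.append(entry.fields.get("server_name"))
    return names


def _line(ts, level, logger, msg, fields_json):
    return "\t".join([ts, level, logger, msg, fields_json])


# Constructed sample: the thread's log lines, minus the wildcard repeats.
SAMPLE_LOG = [
    _line("2022/07/11 15:49:10.645", "debug", "tls.handshake",
          "no matching certificates and no custom selection logic",
          r'{"identifier": "my-host-name.turkey-snapper.ts.net"}'),
    _line("2022/07/11 15:49:10.654", "warn", "tls.get_certificate.tailscale",
          "could not get status; will try to get certificate anyway",
          r'{"error": "Get \"http://local-tailscaled.sock/localapi/v0/status\": dial unix /var/run/tailscaled.socket: connect: no such file or directory"}'),
    _line("2022/07/11 15:49:10.661", "error", "tls.handshake",
          "getting certificate from external certificate manager",
          r'{"sni": "my-host-name.turkey-snapper.ts.net", "cert_manager": 0, "error": "Get \"http://local-tailscaled.sock/localapi/v0/cert/my-host-name.turkey-snapper.ts.net?type=pair\": dial unix /var/run/tailscaled.socket: connect: no such file or directory"}'),
    _line("2022/07/11 15:49:10.661", "debug", "tls.handshake",
          "no certificate matching TLS ClientHello",
          r'{"server_name": "my-host-name.turkey-snapper.ts.net", "remote": "100.91.187.48:61404", "on_demand": false}'),
]

if __name__ == "__main__":
    found = diagnose(SAMPLE_LOG)
    for sock, why in root_cause(found):
        print(f"unreachable tailscaled LocalAPI socket {sock}: {why}")
    for name in unserved_sni(SAMPLE_LOG):
        print(f"no certificate served for {name}; clients see a TLS alert")
```

Run it against `log/caddy.log` with `diagnose(open("log/caddy.log").readlines())`: a non-empty `root_cause` result means the `get_certificate tailscale` module never reached tailscaled, so the `curl: (35)` alert is a symptom of that, not of a TLS misconfiguration in Caddy itself.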

I installed caddy from Homebrew and am running it as a non-sudo user (caddy start). I saw the instructions involving /etc/default/tailscaled don’t seem to apply to macOS, and when I try your Caddyfile with get_certificate tailscale, i.e.,

computer.tailname.ts.net:13456 {
	reverse_proxy :3456
	tls {
		get_certificate tailscale
	}
}

or just specifying the paths explicitly:

computer.tailname.ts.net:13456 {
	reverse_proxy :3456
	tls /path/to/computer.tailname.ts.net.crt /path/to/computer.tailname.ts.net.key
}

in either case, curl says curl: (35) error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version.

Two questions:

  1. is there a macOS alternative to /etc/default/tailscaled?
  2. Shouldn’t directly listing the crt and key files work? Am I doing something wrong with those (Caddy newbie here)?

Confirmed that directly setting up my web server with the Tailscale-generated crt/key files works fine. Would love to get Caddy working with them, so my application code doesn’t have to know about TLS! Any tips?