Tailscale plus MS Exchange results in cert error

Tailscale version
1.24.2
Your operating system & version
Windows Server 2012R2 + iOS 15

I’ve just tested Tailscale on a Windows server running Exchange. I was able to access the server via an iOS device. The issue I found is that accessing the Exchange instance results in a certificate error. Accessing the server by the MagicDNS host name causes the iOS device to fail the cert issuer name check. Is there a proper way around this issue?

Thanks,
D

Not sure if bumping issues is a thing here but I’m trying to get this sorted before my corporate trial period runs out.

Hello.

You can use the tailscale cert command to get a certificate for your MagicDNS name and a randomly assigned subdomain of (something with tails)-(something with scales).ts.net

These are generated by Let’s Encrypt, so they won’t need any trust overrides set.

There’s more information about that here: Provision TLS certificates for your internal Tailscale services · Tailscale

If you run into any bumps along that path, please email support@tailscale.com

Not sure that solves the issue though, right? So my Exchange server is serving a cert that iOS thinks was improperly issued when it uses the Tailscale tunnel. Let’s say I got the Let’s Encrypt cert created, what next? I have my Exchange server issue that cert because it would be valid for all the subject alternative names my normal cert has. Do I need my cert that is in use reissued to include another SAN? If so, what SAN would I use? I read about the tailscale cert process but I’m not sure that, in practice, it actually solves my issue. That is, unless I’m missing something. Totally possible.

I have not used an Exchange server over Tailscale, so it might be me missing something too.

But I believe you can import a second certificate into Exchange to have it trusted at that domain name.

So that when your clients hit Exchange via exchange.tail-scale.ts.net or whatever your internal MagicDNS Certificate Domain is, they will get a valid certificate.

Interesting idea. I’m going to give that a try.

So, an update on this project. It looks like client syncing is done via the ActiveSync protocol. That’s done via HTTPS and handled by IIS. What that means for certs is that only 1 cert will be issued by the server for the HTTPS connection. By using the Tailscale tunnel, I get served a certificate that is valid for server.domain.name but not for tailscale_machine_name. If I were to add a cert created by Tailscale, I’d lose all the domain names I’ve added as valid in my current cert. That would break connections not done via Tailscale. I suppose I could also pay to add the Tailscale machine name or IP as an additional SAN on my regular cert, but those are FQDNs and I’m not sure my cert supplier would even do that. Even if they did, if those items ever change, I have to pay to reissue the cert with the updated data. I feel like I’m missing something here. I feel like there has to be a less cumbersome way to handle this.

D
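The error the thread describes is a hostname mismatch: the IIS/Exchange endpoint presents one certificate, and the iOS client rejects it because the name it connected to (the MagicDNS name) is not among that certificate's Subject Alternative Names. The script below is an added diagnostic, not code from the thread, from Tailscale or from Microsoft. It applies the same RFC 6125 name-matching rules a client uses, so you can check offline which names a given SAN list covers, and includes a helper that pulls the dNSName SANs from a live HTTPS endpoint while leaving chain verification on. The host names and SAN list in it are constructed for illustration.

```python
"""Diagnose the certificate-name mismatch discussed above.

Added example, not from the thread or from Tailscale/Microsoft. The host names
and SAN lists below are constructed; no server is contacted unless you call
fetch_san_dns_names() yourself.
"""
import socket
import ssl
from typing import List, Optional


def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Implements the RFC 6125 rules a client such as iOS applies: matching is
    case-insensitive, a wildcard is honoured only as the leftmost label, it
    matches exactly one label, and it must leave at least two fixed labels
    (so "*.ts.net" does not cover "exchange.tail-scale.ts.net").
    """
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for san in san_dns_names:
        pattern = san.rstrip(".").lower()
        if pattern == host:
            return True
        pat_labels = pattern.split(".")
        if pat_labels[0] != "*" or len(pat_labels) < 3:
            continue  # not a wildcard entry, or wildcard with too few fixed labels
        if len(pat_labels) == len(host_labels) and pat_labels[1:] == host_labels[1:]:
            return True
    return False


def diagnose(connected_name: str, san_dns_names: List[str]) -> str:
    """Explain whether a client connecting to connected_name would accept the cert."""
    if hostname_matches(connected_name, san_dns_names):
        return f"OK: {connected_name} is covered by the certificate's SANs"
    return (f"MISMATCH: {connected_name} is not in the SAN list {san_dns_names}; "
            f"a client that connected using this name will reject the certificate")


def fetch_san_dns_names(host: str, port: int = 443,
                        server_name: Optional[str] = None) -> List[str]:
    """Connect to a live HTTPS endpoint and return its dNSName SAN entries.

    Hostname checking is disabled so a mismatched certificate can still be
    inspected, but chain verification stays on, which is what makes
    getpeercert() return the parsed certificate. Network helper; not run offline.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample: the kind of SAN list an Exchange certificate typically carries.
EXCHANGE_SANS = ["mail.example.com", "autodiscover.example.com", "server.example.com"]

if __name__ == "__main__":
    # Public name: accepted. MagicDNS name: rejected, as described in the thread.
    print(diagnose("mail.example.com", EXCHANGE_SANS))
    print(diagnose("exchange.tail-scale.ts.net", EXCHANGE_SANS))
```

Running `fetch_san_dns_names("exchange.tail-scale.ts.net")` (assumed name) against the Tailscale address and feeding the result to `diagnose()` reproduces the iOS decision exactly: the certificate chain is fine, the name is not. That confirms the thread's conclusion that the fix has to land in the certificate's SAN list or in a second certificate bound to the MagicDNS name, not in any trust override on the client.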