Request TLS certificate for tailnet domain alias.

[ananthb]

Proposed Changes

Request TLS certificate from tailscale. HTTPS must be enabled for the tailnet.
https://tailscale.com/kb/1153/enabling-https/

Related Issues

#62

@lmagyar has an even easier solution in #137.

[ananthb]

tailscale cert has to be run periodically to keep certs fresh. I can either run a background script from the post script, or start a cron daemon and use that. Any suggestions here?

Edit: created a new service that runs tailscale cert periodically.

[franzbischoff]

Right!

1. add ssl folder to the addon
2. add options
3. fetch new cert every day

👍

[ananthb]

All three are done. The cert process runs once every 24 hours to fetch a new cert. The SSL folder is mapped rw and the cert files are copied into it. There is an option to enable the addon and another mandatory one for the tailnet domain name. There are two more options to customise the output path for the cert files. Both have defaults.

[franzbischoff]

The PR is failing because of the label?

Valid labels are: ['breaking-change', 'bugfix', 'documentation', 'enhancement', 'refactor', 'performance', 'new-feature', 'maintenance', 'ci', 'dependencies', 'translations']

[frenck]

The PR is failing because of the target name :-/

Its not.

[ananthb]

Yes automation seems to expect a label but the PR is currently unlabeled. I don't have permission to label it either.

[frenck]

Yup, that is not a issue

[ananthb]

@frenck so how do we proceed?

[frenck]

By having patience

[ananthb]

@frenck is this failure unexpected? I don't understand the error message.

[frenck]

is this failure unexpected?

Yes

I don't understand the error message.

OK... not sure what to do about that 🤷 It complains a label is missing, so that needs to be added by someone with permissions to do that.

[ananthb]

I meant after you added the label, the amd64 build failed at a docker buildx step. I was wondering if i had to fix something but that doesn't appear to be the case.

[github-actions]

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

[nsiicm0]

Please don’t let this PR go stale. Would like to see this feature implemented!

[github-actions]

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

[ShadowJonathan]

(Still not stale)

[github-actions]

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

[ShadowJonathan]

(Not stale)

[ananthb]

@frenck this change is eagerly awaited by me and quite a few others it would seem. Any chance it gets merged soon?

If you don't want this, then tell us as much. It's pretty inconsiderate to just leave us hanging.

[ShadowJonathan]

Anecdotally, I'm also awaiting this change as I've moved over every homelab-hosted service to tailscale HTTPS a few months ago, save for Home Assistant, because of this PR's timeline. Currently I'm still using cloudflare and a port-forward instead.

[ananthb]

For what it's worth, I've stopped using homeassistant entirely because of the petty handling of this change. I will keep this PR open until they decide to do something about it.

[lmagyar]

Until it is merged I forked the repo, updated it to Tailscale v1.34.2, and bumped the add-on base image also to v13.0.1.

And I merged this PR and made some modifications and bugfixes:

• the Configuration option is certificate_tailnet_name (not domain_alias), it is more logical, it is analog to the tailscale cert <machine-name>.<tailnet-name>.ts.net command
• it creates the /ssl/tailscale directory before fetching the cert
• uses --statedir=/data instead of --state=/data/tailscaled.state, see Tailscale.sh: use --statedir instead of --state tailscale/tailscale-qpkg#64
• fetch certificate on start and only within 1 week before expiration
• modified the daemon finish script to the usual script, I know new add-ons have better, it can be bumped later with other scripts

See: https://github.com/lmagyar/homeassistant-addon-tailscale

Disclaimer: I'm just a tinkerer, and "it works on my machine..." (tested on armv7)

I will create some new PR-s soon.

[franzbischoff]

Hi My domain is from the beginning and doesnt comply with your regex filter... I use only letters and dashes for ex, and the regex fails... -- Francisco Bischoff Laszlo Magyar ***@***.***> escreveu no dia sábado, 7/01/2023 à(s) 21:38:

…

Until it is merged I forked the repo, updated it to Tailscale v1.34.2, and bumped the add-on base image also to v13.0.1. And I merged this PR and made some modifications and bugfixes: - the Configuration option is cert_domain (not domain_alias), it is much more logical, it is analog to the tailscale cert <domain> command - it creates the /ssl/tailscale directory before fetching the cert - uses --statedir=/data instead of --state=/data/tailscaled.state, see tailscale/tailscale-qpkg#64 <tailscale/tailscale-qpkg#64> - fetch certificate on start and only within 1 week before expiration - modified the daemon finish script to the usual script, I know new add-ons have better, it can be bumped later with other scripts See: https://github.com/lmagyar/homeassistant-addon-tailscale Disclaimer: I'm just a tinkerer, and "it works on my machine..." (tested on armv7) I will create some new PR-s soon. — Reply to this email directly, view it on GitHub <#89 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHQMEFVSQFBZQC3KHB4LA3WRHO37ANCNFSM5S7YDDBQ> . You are receiving this because you commented.Message ID: ***@***.***>

[lmagyar]

Hi My domain is from the beginning and doesnt comply with your regex filter...
I use only letters and dashes for ex, and the regex fails...

Could you please send what is in your config? cert_domain: ?????

Maybe you entered the machine name also, like cert_domain: abcd.tail1234.ts.net, instead of only cert_domain: tail1234.ts.net

[franzbischoff]

I found that what you ask is the main domain: xyz.ts.net
I was trying the device subdomain: myha.xyz.ts.net

it works as it was :)
sorry

[github-actions]

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

[sirreal]

I'm still hoping this progresses. Not stale.

[lmagyar]

I think #137 is a better solution, because that doesn't require any configuration and also provides a built-in proxy by tailscaled.

[ananthb]

@lmagyar that does look better!

I'm not holding my breath waiting for either one to get merged though. The response from Nabu Casa is pretty clear now.

By having patience

@frenck this patient enough for you, or should we continue waiting forever?

Honestly this single issue has really turned me off of homeassistant. I'm a big believer in the spirit behind open source and Nabu Casa has shown absolutely none of that here. The community should really question their commitment to all of the projects they control.

[github-actions]

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.