Yea let’s just give a vulnerable population a free trial of a gambling addiction lol
{"level":"error","ts":1691499478.2793655,"logger":"tls.handshake","msg":"getting certificate from external certificate manager","remote_ip":"100.125.48.40","remote_port":"60140","sni":"machine.domain.ts.net","cert_manager":0,"error":"Get \"http://local-tailscaled.sock/localapi/v0/cert/vaulty.taila5148.ts.net?type=pair\": dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory"}
This is your main issue - it looks like Caddy can’t access the Tailscale socket in order to serve their TLS cert. Check you’re running Caddy > 2.5, check the socket exists, and check the user running the caddy process has access to it. docs
Are you running Caddy with docker?
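The three checks the comment above lists, as an added example that is not code from anyone in the thread: a small POSIX shell script that runs on the host or inside the Caddy container. It assumes the socket path from the log line (/var/run/tailscale/tailscaled.sock, overridable through a TAILSCALED_SOCK variable that is this script's own invention), that `caddy version` prints the version as its first word, and that the caddy process name is `caddy`. The hints it prints about bind-mounting the socket in Docker and about tailscaled's TS_PERMIT_CERT_UID variable come from the Caddy and Tailscale documentation, not from this thread.

```shell
#!/bin/sh
# Added example, not from the thread: the three checks listed above, run on the
# host (or inside the Caddy container, where the socket must be bind-mounted).
# Socket path is the one from the log line; TAILSCALED_SOCK is an assumed
# override name for this script only, not a Tailscale setting.
SOCK=${TAILSCALED_SOCK:-/var/run/tailscale/tailscaled.sock}

# check_socket PATH -> 0 usable; 1 missing; 2 not a unix socket; 3 no rw access for this uid
check_socket() {
  [ -e "$1" ] || return 1
  [ -S "$1" ] || return 2
  [ -r "$1" ] && [ -w "$1" ] || return 3
  return 0
}

# caddy_version_ok VERSION -> 0 if VERSION is >= 2.5 (first Caddy release with
# the Tailscale cert manager); accepts "v2.7.6", "2.5.0", "v3.0.0-beta.1".
caddy_version_ok() {
  v=${1#v}; v=${v%%-*}
  [ -n "$v" ] || return 1
  major=${v%%.*}
  case $v in *.*) rest=${v#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
  case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; }
}

main() {
  echo "== 1. Caddy version (>= 2.5 needed for the built-in Tailscale cert manager)"
  if command -v caddy >/dev/null 2>&1; then
    ver=$(caddy version 2>/dev/null | awk '{print $1}')
    if caddy_version_ok "$ver"; then echo "ok: caddy $ver"; else echo "FAIL: caddy '$ver' is too old or unparseable"; fi
  else
    echo "caddy not on PATH here; if it runs in Docker, run this inside the container"
  fi

  echo "== 2. tailscaled socket: $SOCK"
  rc=0; check_socket "$SOCK" || rc=$?
  case $rc in
    0) echo "ok: present and read/write for uid $(id -u)" ;;
    1) echo "FAIL: missing. Is tailscaled running? In Docker, bind-mount it: -v $SOCK:$SOCK" ;;
    2) echo "FAIL: exists but is not a unix socket" ;;
    3) echo "FAIL: uid $(id -u) cannot read/write it; run Caddy as a user that can, or fix group/mode" ;;
  esac

  echo "== 3. user the caddy process runs as"
  user=$(ps -o user= -C caddy 2>/dev/null | head -n 1 || true)
  if [ -n "$user" ]; then
    echo "caddy runs as '$user'; check 2 must pass for that uid, and by default tailscaled"
    echo "only hands out certs to root or the operator user unless TS_PERMIT_CERT_UID names it"
  else
    echo "no caddy process visible from here"
  fi
}

main "$@"
```

Run it as the same user Caddy runs as; a passing check 2 as root tells you nothing about the `caddy` uid, which is the one the log's `dial unix` error is about.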
I read your comment in more detail, you’re going down the wrong path. What you’re looking for cannot function the way you want to achieve it, and may not even make sense to want. I am wrong, I didn’t realize Caddy could just serve their cert over the socket. What user is the caddy process on your VM being run as?
If you want to use Tailscale DNS, you can use their TLS cert (assuming it gives a valid cert for machine.domain.ts.net) and just reverse proxy HTTP traffic with nginx on the VPS/VM (assuming nginx can listen on their network device. I’ve fought with that with openresty before, but that may be because I was trying to host it in another docker container lol).
But, the connection is unsecured over HTTP. I’d like to take it a step further in order to make the connections go over HTTPS.
Why? You’re already VPN’d into a machine you control via Tailscale. Protecting the specific application TCP traffic with TLS is kind of redundant at that point. If you really care, just use nginx, not Caddy, because this will never work using Tailscale DNS: self-sign a cert for your Tailscale domain and use nginx to serve traffic on the Tailscale network device.
Also, use docker compose. This will feed DNS records into the containers’ /etc/hosts file as well as put the containers on their own network so the main containers won’t be exposed directly, only caddy.
docker-compose.yml
version: "3.4"
services:
  caddy:
    container_name: caddy
    image: ghcr.io/authp/authp:latest # I use authp for OAuth authentication instead of VPN-only access
    restart: unless-stopped
    ports: # only caddy publishes ports on the host; whoami is reached over the compose network
      - 443:443
      - 443:443/udp # HTTP/3
      - 80:80
    volumes:
      - ${ROOT}/config/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ${ROOT}/config/caddy/data:/data/
    dns:
      - 1.1.1.1 # set these to your local DNS if you have one, I run pihole
      - 8.8.8.8
      - 8.8.4.4
  whoami:
    container_name: whoami
    depends_on:
      - caddy
    image: containous/whoami
    restart: unless-stopped
Caddyfile
{
	http_port 80
	https_port 443
}
whoami.example.com {
	reverse_proxy whoami:80
}
As you can see the Caddyfile directs the Caddy container to reverse proxy whoami.example.com to http://whoami:80, which uses the /etc/hosts entry that docker-compose inserts for whoami to the whoami container’s Docker IP address. In this scheme, only Caddy needs to have a port listening on the host machine. Assuming Caddy can access your Tailscale network, this will work - for that. (although I worry that Tailscale mounts the network device as a unix socket, which may complicate matters - I ran into this when trying some bullshit with nginx/openresty)
The issue that you’re having in your logs is that you’re trying to get Caddy to get a TLS cert for machine.domain.ts.net, which will never work, because machine.domain.ts.net is not a globally recognized DNS record - it’s a split zone DNS for within the Tailscale network exclusively. LetsEncrypt needs to be able to prove you own machine.domain.ts.net in order to issue a cert for it, meaning it needs to be able to resolve the domain and chat with Caddy. Since LetsEncrypt isn’t on your Tailscale network, it cannot do this.
!enoughmuskspam already exists somewhere I think
Yes, the old testament has some ethically bad things in it, all Abrahamic religions share that. I’m also atheist. I just don’t make a point of commenting “fictional character” on a meme that happens to use the word “god”, not even capitalized lmao. Perhaps you aren’t aware of how much of a militant atheist you come off as. Out of curiosity, have you ever put the bible in the fiction section?
I would never read an innocuous meme comment condemning slavery and think “ah yes, time to make a point about religion being fake and bad”.
Oh I’m quite aware, all Abrahamic religions have the same base of messed up morality. I’m not religious. I just find the sort of militant atheist that would make a point of “fiction” annoying.
you don’t need to evangelize your lack of a religion to me. Evangelicals are so annoying.
it’s a meme you dip
I just grow what I can myself, or buy straight from local farmers where possible, but my access to farmers and farmers markets is a bit limited.
Sigh.
Every day we stray further from god’s light
Idk about you but I paid $2 for a single white onion the other day at Safeway. At this point even home cooking is $$$, it’s insane. My farmer friends aren’t exactly making more from their crops either.
they’ll what now?
almost totally-equal redistribution of land among the peasantry
History isn’t your strong suit, is it?
Ah well, the current oligarchic state of China is totally unrelated to the system that created it, and instead is a bastardization of “true” communism, right?
Hey they promised to cut the PST though! That 1% buys me uh… uhhhhh… a whole extra coffee every so often!