Today we’re pleased to formally announce that Caddy 2.5 will automatically utilize certificates managed by the locally-running Tailscale process.
Tailscale is a VPN service built on Wireguard that, much like Caddy, just works.
So we both thought you should be able to serve sites on your tailnet over HTTPS with Caddy in a way that just works!
Caddy will automatically get certificates from Tailscale for domains that end in
To make this work, first configure Tailscale with HTTPS:
- Enable HTTPS on your Tailscale account.
- If Caddy is not running as root, edit
/etc/default/tailscaledfile to give the user that runs the caddy process access to the Tailscale socket, for example:
That’s all! No special configuration is needed in Caddy. Just put your
*.ts.net domain in your config like normal.
You do NOT need to run
tailscale cert or use any other tooling or automation. With Tailscale running and configured, Caddy will automatically get certificates for
*.ts.net domains during relevant handshakes.
With this, you can effortlessly serve all your sites and services securely over HTTPS on your tailnet. There has never been an easier way to deploy trusted HTTPS for internal services.
We hope you enjoy!
Caddy 2.5 is currently in beta. Be sure to grab the latest release from GitHub!