HTTPS in your VPN: Caddy now uses TLS certificates from Tailscale

Today we’re pleased to formally announce that Caddy 2.5 will automatically utilize certificates managed by the locally-running Tailscale process.

Tailscale is a VPN service built on WireGuard that, much like Caddy, just works.

So we both thought you should be able to serve sites on your tailnet over HTTPS with Caddy in a way that just works!

Caddy will automatically get certificates from Tailscale for domains that end in .ts.net.

To make this work, first configure Tailscale with HTTPS:

  1. Enable HTTPS on your Tailscale account.
  2. If Caddy is not running as root, edit the /etc/default/tailscaled file to give the user that runs the caddy process access to the Tailscale socket, for example: TS_PERMIT_CERT_UID=caddy

That’s all! No special configuration is needed in Caddy. Just put your *.ts.net domain in your config like normal.

You do NOT need to run tailscale cert or use any other tooling or automation. With Tailscale running and configured, Caddy will automatically get certificates for *.ts.net domains during relevant handshakes.

With this, you can effortlessly serve all your sites and services securely over HTTPS on your tailnet. There has never been an easier way to deploy trusted HTTPS for internal services.

We hope you enjoy!

Caddy 2.5 is currently in beta. Be sure to grab the latest release from GitHub!

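The two steps above amount to one environment line for tailscaled and one ordinary site block in the Caddyfile. The script below is an added example (not code from the Caddy or Tailscale projects) that generates both and then shows how to check the result; the hostname `myhost.tail1234.ts.net`, the service user `caddy` and the backend `127.0.0.1:8080` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the Caddy or Tailscale projects.
# Assumptions: the Caddy service user is "caddy", the node's MagicDNS name
# (e.g. myhost.tail1234.ts.net) is passed as $1, the backend is 127.0.0.1:8080.

# Emit a Caddyfile site block for a tailnet hostname. No tls directive is
# needed: Caddy recognises the .ts.net suffix and fetches the certificate
# from the local tailscaled during the TLS handshake.
tailnet_site() {
  host="$1"; upstream="$2"
  case "$host" in
    *.ts.net) ;;
    *) echo "refusing: $host does not end in .ts.net" >&2; return 1 ;;
  esac
  printf '%s {\n\treverse_proxy %s\n}\n' "$host" "$upstream"
}

# Emit the line for /etc/default/tailscaled that lets a non-root Caddy user
# request certificates over the tailscaled socket (step 2 of the post).
permit_line() {
  printf 'TS_PERMIT_CERT_UID=%s\n' "$1"
}

# Check that the served leaf certificate is the one tailscaled handed out:
# the certificate subject should be the .ts.net name and the issuer a public
# CA, with no tailscale cert run by hand. Network access required.
verify_site() {
  host="$1"
  printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# Only touch the system when explicitly asked: ./ts-caddy.sh apply HOST
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
  permit_line caddy >> /etc/default/tailscaled
  systemctl restart tailscaled            # picks up TS_PERMIT_CERT_UID
  tailnet_site "$2" 127.0.0.1:8080 > /etc/caddy/Caddyfile
  caddy validate --config /etc/caddy/Caddyfile
  systemctl reload caddy
  verify_site "$2"
fi
```

If `verify_site` shows a certificate for some other name, or the handshake fails, the usual causes are HTTPS not yet enabled for the tailnet in the admin console, or tailscaled not restarted after the `TS_PERMIT_CERT_UID` line was added.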

I am trying to set this up, but having trouble, done everything as described (which is not a lot) but no luck. Does this work with Caddy in a Docker with the same PUI as enabled in the Tailscale setting?

I don’t know what a PUI is, nor do I use Docker, sorry.

If you would like help, feel free to post a new topic and fill out the help template. Thanks!
