Can't register headscale as an alternate server #1162

New Issue

adam · 2025-12-29T02:28:40+01:00

adam commented

2025-12-29 02:28:40 +01:00

Originally created by @europacafe on GitHub (Nov 29, 2025).

Is this a support request?

This is not a support request

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

Headscale 0.27.1
I've been running Headscale and tailscale clients for years on my Android phone without problems. Lately, I had to reinstall Tailscale 1.90.9 from scratch, and when I entered my https://headscale.mydomain.com as an alternate server on my Android phone, the app didn't register it. No error message.

Below are headscale log entries when I tried to add headscale server to Tailscale on Android phone.

I tried downgrading Tailscale client to 1.88.4, but it still behaves the same

Expected Behavior

When entering https://headscale.mydomain.com as an alternate server on Tailscale client app, the server should be registered so that I can proceed with adding my phone as a new node.

Steps To Reproduce

open Tailscale app on Android phone
Settings-->Account, use an alternate server
Enter headscale url https://headscale.mydomain.com
press "Add account" button

I've tried clearing app data, but it didn't help.

Environment

- OS: Android 12 SKQ1.211006.001
- Headscale version: 0.27.1
- Tailscale version: 1.90.4, 1.88.4
- Number of nodes: 18

Runtime environment

Headscale is behind a (reverse) proxy
Headscale runs in a container

Debug information

Originally created by @europacafe on GitHub (Nov 29, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior Headscale 0.27.1 I've been running Headscale and tailscale clients for years on my Android phone without problems. Lately, I had to reinstall Tailscale 1.90.9 from scratch, and when I entered my `https://headscale.mydomain.com` as an alternate server on my Android phone, the app didn't register it. No error message. Below are headscale log entries when I tried to add headscale server to Tailscale on Android phone. I tried downgrading Tailscale client to 1.88.4, but it still behaves the same ### Expected Behavior When entering https://headscale.mydomain.com as an alternate server on Tailscale client app, the server should be registered so that I can proceed with adding my phone as a new node. ### Steps To Reproduce 1. open Tailscale app on Android phone 2. Settings-->Account, use an alternate server 3. Enter headscale url `https://headscale.mydomain.com` 4. press "Add account" button I've tried clearing app data, but it didn't help. ### Environment ```markdown - OS: Android 12 SKQ1.211006.001 - Headscale version: 0.27.1 - Tailscale version: 1.90.4, 1.88.4 - Number of nodes: 18 ``` ### Runtime environment - [x] Headscale is behind a (reverse) proxy - [x] Headscale runs in a container ### Debug information <img width="872" height="157" alt="Image" src="https://github.com/user-attachments/assets/95bfab52-280c-4069-a2bc-d2e576dd3674" />

adam added the question bug labels 2025-12-29 02:28:40 +01:00

adam commented

2025-12-29 02:28:40 +01:00

@kpalang commented on GitHub (Nov 29, 2025):

I too am seeing similar behavior, although haven't yet tried downgrading headscale.

So, I'm running Headscale 0.27.1 using the official .deb package downloaded from GH Releases. I've set up my TLS config, but I have a feeling Headscale is not requesting a TLS cert as the ./cache directory mentioned in tls_letsencrypt_cache_dir: /var/lib/headscale/cache is not created.

Further debug info:

server_url: https://tailscale.mydomain.com:443
tls_letsencrypt_hostname: "tailscale.mydomain.com"

Nov 29 17:03:32 headscale systemd[1]: Started headscale.service - headscale coordination server for Tailscale.
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Starting Headscale commit=f658a8eacd4d86edc65424b50635afed46ca4b2a version=v0.27.1+dirty
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Clients with a lower minimum version will be rejected minimum_version=v1.64.0
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Enabling remote gRPC at 127.0.0.1:50443
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving gRPC on: 127.0.0.1:50443
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving HTTP on: 127.0.0.1:8080
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving debug and metrics on: 127.0.0.1:9090

@kpalang commented on GitHub (Nov 29, 2025): I too am seeing similar behavior, although haven't yet tried downgrading headscale. So, I'm running Headscale 0.27.1 using the official `.deb` package downloaded from GH Releases. I've set up my TLS config, but I have a feeling Headscale is not requesting a TLS cert as the `./cache` directory mentioned in `tls_letsencrypt_cache_dir: /var/lib/headscale/cache` is not created. Further debug info: - `server_url: https://tailscale.mydomain.com:443` - `tls_letsencrypt_hostname: "tailscale.mydomain.com"` ``` Nov 29 17:03:32 headscale systemd[1]: Started headscale.service - headscale coordination server for Tailscale. Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Starting Headscale commit=f658a8eacd4d86edc65424b50635afed46ca4b2a version=v0.27.1+dirty Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Clients with a lower minimum version will be rejected minimum_version=v1.64.0 Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Enabling remote gRPC at 127.0.0.1:50443 Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving gRPC on: 127.0.0.1:50443 Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving HTTP on: 127.0.0.1:8080 Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving debug and metrics on: 127.0.0.1:9090 ```

adam commented

2025-12-29 02:28:40 +01:00

@nblock commented on GitHub (Dec 10, 2025):

Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Enabling remote gRPC at 127.0.0.1:50443
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving gRPC on: 127.0.0.1:50443
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving HTTP on: 127.0.0.1:8080
Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving debug and metrics on: 127.0.0.1:9090

It seems that no client connected? Otherwise, on 0.27.x, you'd see something like Starting node registration using …. Can you successfully connect to your Headscale with a browser / curl?

@nblock commented on GitHub (Dec 10, 2025): > Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF Enabling remote gRPC at 127.0.0.1:50443 > Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving gRPC on: 127.0.0.1:50443 > Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving HTTP on: 127.0.0.1:8080 > Nov 29 17:03:33 headscale headscale[10423]: 2025-11-29T17:03:33Z INF listening and serving debug and metrics on: 127.0.0.1:9090 It seems that no client connected? Otherwise, on 0.27.x, you'd see something like `Starting node registration using …`. Can you successfully connect to your Headscale with a browser / curl?

adam commented

2025-12-29 02:28:40 +01:00

@nblock commented on GitHub (Dec 10, 2025):

Lately, I had to reinstall Tailscale 1.90.9 from scratch, and when I entered my https://headscale.mydomain.com as an alternate server on my Android phone, the app didn't register it. No error message.

What happens when you accept the node registration key that is printed in the logs?

@nblock commented on GitHub (Dec 10, 2025): > Lately, I had to reinstall Tailscale 1.90.9 from scratch, and when I entered my `https://headscale.mydomain.com` as an alternate server on my Android phone, the app didn't register it. No error message. What happens when you accept the node registration key that is printed in the logs?

adam commented

2025-12-29 02:28:40 +01:00

@nblock commented on GitHub (Dec 20, 2025):

Just tried to register Tailscale Android 1.90.9 on a Headscale 0.28.0-beta.1 instance with a regular https URL and a Let's Encrypt certificate following the steps outlined in the docs and it worked on first try.

Could you please test 0.28.0-beta.1 and in case it fails provide debug information as outlined in the issue template and in https://headscale.net/stable/ref/debug/?

@nblock commented on GitHub (Dec 20, 2025): Just tried to register Tailscale Android 1.90.9 on a Headscale 0.28.0-beta.1 instance with a regular https URL and a Let's Encrypt certificate following the steps outlined in the [docs](https://headscale.net/development/usage/connect/android/#connect-via-normal-interactive-login) and it worked on first try. Could you please test [0.28.0-beta.1](https://github.com/juanfont/headscale/releases/tag/v0.28.0-beta.1) and in case it fails provide debug information as outlined in the issue template and in https://headscale.net/stable/ref/debug/?

adam commented

2025-12-29 02:28:40 +01:00

@europacafe commented on GitHub (Dec 21, 2025):

Thanks for the update. I've installed the latest beta as you suggested. It still has the same issue as described earlier.
My other existing nodes are still working fine, but I can't register my headscale as an alternate server. (Tailscale Android app v1.92.3)

One thing I noticed is after I cleared data on Tailscale app and started registering headscale server from scratch, nothing happened as usual, but after a few second, tailscale client UI displayed an exclaimation mark. When I clicked to see the message

Headscale log just show the key, nothing else

@europacafe commented on GitHub (Dec 21, 2025): Thanks for the update. I've installed the latest beta as you suggested. It still has the same issue as described earlier. My other existing nodes are still working fine, but I can't register my headscale as an alternate server. (Tailscale Android app v1.92.3) One thing I noticed is after I cleared data on Tailscale app and started registering headscale server from scratch, nothing happened as usual, but after a few second, tailscale client UI displayed an exclaimation mark. When I clicked to see the message <img width="426" height="947" alt="Image" src="https://github.com/user-attachments/assets/617cd659-2594-4014-9502-96f8a14fb64f" /> Headscale log just show the key, nothing else <img width="622" height="118" alt="Image" src="https://github.com/user-attachments/assets/eea96eb3-f5a8-4276-b9b4-e390b3f12c94" />

adam commented

2025-12-29 02:28:40 +01:00

@nblock commented on GitHub (Dec 21, 2025):

One thing I noticed is after I cleared data on Tailscale app and started registering headscale server from scratch

So you don't see the usual Headscale instructions page for machine registration? Are you able to connect to your Headscale on /windows from the browser on your phone?

@nblock commented on GitHub (Dec 21, 2025): > One thing I noticed is after I cleared data on Tailscale app and started registering headscale server from scratch So you don't see the usual Headscale instructions page for machine registration? Are you able to connect to your Headscale on `/windows` from the browser on your phone?

adam commented

2025-12-29 02:28:40 +01:00

@europacafe commented on GitHub (Dec 21, 2025):

/windows displays as usual.

@europacafe commented on GitHub (Dec 21, 2025): /windows displays as usual.

adam commented

2025-12-29 02:28:40 +01:00

@nblock commented on GitHub (Dec 21, 2025):

/windows displays as usual.

Can you provide some debug logs from the phone via adb logcat …?

@nblock commented on GitHub (Dec 21, 2025): > /windows displays as usual. Can you provide some debug logs from the phone via `adb logcat` …?

adam referenced this issue

2025-12-29 03:18:54 +01:00

[PR #1162] [MERGED] Align behaviour of dns_config.restricted_nameservers to tailscale #1925

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1162