tls_client_auth_mode Documentation Question #336

Closed
opened 2025-12-29 01:27:11 +01:00 by adam · 2 comments
Originally created by @RUzOfuz5m on GitHub (Sep 24, 2022).

Problem using tls_client_auth_mode relaxed or enforced

Everything works fine if I have `tls_client_auth_mode: disabled`. However, I'd like to set it to enforced or even relaxed but I'm not able to. The [documentation](https://github.com/juanfont/headscale/blob/main/docs/tls.md) leaves a lot of open questions and I'm curious if this is a work in progress feature or if I'm doing something wrong.

It's a fresh install of CentOS7 with headscale v0.16.4 and tailscale v1.30.1. I followed the documentation here, exposed headscale directly on port 8443. I also set the `tls_cert_path` and `tls_cert_path` configuration parameters with my LetsEncrypt cert. It's running as a headscale user (non-root).

`tailscale up --login-server https://headscale.example.com:8443 --authkey 8876....a5a39 --advertise-exit-node`

```
headscale[9381]: 2022/09/23 22:53:31 http: TLS handshake error from 11.22.33.44:31124: tls: client didn't provide a certificate
tailscaled[812]: Received error: PollNetMap: Post "https://headscale.example.com:8443/machine/5248212521bd4ae12acd64c435a35236f32acdee42a53f2a64a2a3c424bc3243/map": remote error: tls: bad certificate
```

  • Version of headscale: v0.16.4
  • Version of tailscale client: 1.30.1
  • OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: CentOS Linux release 7.9.2009 (Core)
  • Kernel version: 3.10.0-1160.71.1.el7.x86_64

So, I guess the question is, should this work or am I doing something wrong? I'd be happy to send up a PR to update the documentation once I figure this out. Thank you!

adam added the bug label 2025-12-29 01:27:11 +01:00
adam closed this issue 2025-12-29 01:27:15 +01:00

@Georift commented on GitHub (Nov 5, 2022):

I'm in a similar boat, I'm admittedly new to Tailscale and would love if someone could point me in the right direction to read more about the implications of disabling `tls_client_auth_mode` and/or how to get it working when set up in `relaxed` mode.


@kradalby commented on GitHub (May 10, 2023):

This option has been removed.
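
The handshake failure in the logs quoted in this issue can be reproduced with Go's standard `crypto/tls` client-certificate policies. This is an added example, not headscale code and not part of the original thread; it assumes `relaxed` behaved like `tls.RequireAnyClientCert` and `enforced` like `tls.RequireAndVerifyClientCert`, and `probe` is a hypothetical helper running against a local test server.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// probe starts a throwaway local HTTPS server with the given client-certificate
// policy and makes one request to it. When presentCert is true the client
// offers a certificate (the test server's own, reused purely as a constructed
// sample that no CA the server trusts has issued); otherwise it offers none.
func probe(policy tls.ClientAuthType, presentCert bool) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{ClientAuth: policy}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // silence handshake noise
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // already trusts the test server's certificate
	if presentCert {
		tr := client.Transport.(*http.Transport)
		tr.TLSClientConfig.Certificates = srv.TLS.Certificates
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	cases := []struct {
		mode   string // headscale mode name; mapping to Go policy is assumed
		policy tls.ClientAuthType
		cert   bool
	}{
		{"disabled", tls.NoClientCert, false},
		{"relaxed", tls.RequireAnyClientCert, false},
		{"relaxed", tls.RequireAnyClientCert, true},
		{"enforced", tls.RequireAndVerifyClientCert, true},
	}
	for _, c := range cases {
		fmt.Printf("%-8s cert=%-5v err=%v\n", c.mode, c.cert, probe(c.policy, c.cert))
	}
}
```

A client that presents no certificate, as in the reported `tailscale up` run, fails the handshake under either non-disabled policy; a certificate that does not chain to a CA the server trusts passes only the unverified policy.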
Reference: starred/headscale#336