I use Tailscale and its MagicDNS with Tailscale fetched certs, which I understand come from Let's Encrypt, to secure web interfaces on Proxmox and OMV. Works fine but I cannot renew certs in advance of their expiry unlike on Debian or Ubuntu. Why is this, or am I missing something?
I am not sure this is the best forum to address your question.
Renewing certs is done by the ACME Client. Let's Encrypt is an ACME Server which issues certs based on the client's request.
We see certain clients often (Certbot, acme.sh, and such) and often give advice on those. But, we don't often see the config you describe. It's possible some volunteer will offer help anyway. But, ultimately the renewal of any cert is done by the client you used to get the first cert and you should contact the author of that.
The docs below don't describe renewals but it's the only thing I found at all related to your comment. Maybe this will help when you ask them what to do.
Thanks for your reply, I came here as no answer on Tailscale forum and Reddit Tailscale forum. I can easily get round the problem by using a precisely timed cron job to grab and install new certs. Just curious why it works as it does.
A cron job or systemd timer is commonly used by ACME clients for renewal.
You should avoid a fixed time and especially avoid "abused" times like the top of any hour.
Below is some good advice about setting up a cron in the Certbot docs. Of course, your command is different but the technique for varying the start time is useful at least.
What have you tried?
What was the failure/error?
I use the command tailscale cert proxmox.chicken.duck.ts.net (example). Certs are downloaded but when inspected they have the same expiry date as existing ones. After expiry I do the same and get good certs that expire in three months.
Sounds like it might be a bug with Tailscale's integration of their ACME client: simply returning the existing cert until it expires and then getting a new one. I'd be surprised if that's intentional, but.
Tailscale's logic for whether or not they should renew the cert depends on whether the cert is going to be expired at a point in time 14 days in the future. When that's the case, they continue returning the same cached cert for now, but kick off a background thread to renew it so that a new cert will be available for a future request.
Have you tried running the tailscale cert <hostname> command within the last 14 days of the certificate's lifetime?
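The two technical points in this thread so far are the cron advice (vary the start time, avoid the top of the hour) and the 14-day logic just described, under which `tailscale cert` can hand back the cached certificate. The script below is an added example, not code from the thread or from Tailscale, showing how a cron job could combine both: it only attempts a renewal when the installed cert is close to expiry, sleeps a random interval first, and compares fingerprints so that a returned-but-unchanged cert is not "installed" over the existing one. Assumptions, labelled in the comments: certificates live under a `CERT_DIR` of `/etc/ssl/tailscale` as `HOST.crt`/`HOST.key`, the `--cert-file`/`--key-file` flags of `tailscale cert` are used to write into a temp directory, and `install_cert` is a placeholder hook for whatever upload step a given web UI (Proxmox, PBS, OMV) needs.

```shell
#!/bin/sh
# Added example (not from the thread or Tailscale). Checks expiry locally,
# spreads the start time, and only installs a cert that actually changed.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/tailscale}"   # assumed location of installed certs

# Whole days until the PEM certificate in $1 expires; negative once expired.
days_until_expiry() {
  local cert="$1" end_str end_epoch now_epoch
  end_str=$(openssl x509 -enddate -noout -in "$cert" | cut -d= -f2)
  end_epoch=$(date -d "$end_str" +%s)        # GNU date
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Pure decision function (no I/O) so it can be tested: renew when fewer
# than $2 days remain. Default 30; Tailscale's own window is 14 days.
needs_renewal() {
  local days_left="$1" threshold="${2:-30}"
  [ "$days_left" -lt "$threshold" ]
}

# True when the new cert differs from the installed one by SHA-256
# fingerprint. This is the check for the symptom in this thread, where
# `tailscale cert` returned a cert identical to the one already installed.
cert_changed() {
  local old="$1" new="$2" fp_old fp_new
  [ -f "$old" ] || return 0                   # nothing installed yet
  fp_old=$(openssl x509 -noout -fingerprint -sha256 -in "$old")
  fp_new=$(openssl x509 -noout -fingerprint -sha256 -in "$new")
  [ "$fp_old" != "$fp_new" ]
}

# Sleep 0..($1-1) seconds (default up to one hour): the same start-time
# jitter the Certbot docs recommend for cron jobs, done POSIX-style.
random_delay() {
  local max="${1:-3600}" r
  r=$(od -An -N2 -tu2 /dev/urandom)
  sleep $(( r % max ))
}

# Deployment-specific hook (Proxmox, PBS, OMV upload). Placeholder only:
# replace the body with the install step for your web UI.
install_cert() {
  echo "install hook: would install $1 and $2"
}

# Fetch via `tailscale cert` only when needed, install only if it changed.
renew_if_needed() {
  local host="$1" threshold="${2:-30}"
  local cert="$CERT_DIR/$host.crt" key="$CERT_DIR/$host.key" tmpdir left
  if [ -f "$cert" ]; then
    left=$(days_until_expiry "$cert")
    if ! needs_renewal "$left" "$threshold"; then
      echo "$host: $left days left, no renewal attempted"
      return 0
    fi
  fi
  random_delay 3600
  tmpdir=$(mktemp -d)
  tailscale cert --cert-file "$tmpdir/$host.crt" --key-file "$tmpdir/$host.key" "$host"
  if cert_changed "$cert" "$tmpdir/$host.crt"; then
    mkdir -p "$CERT_DIR"
    install -m 0644 "$tmpdir/$host.crt" "$cert"
    install -m 0600 "$tmpdir/$host.key" "$key"
    install_cert "$cert" "$key"
  else
    echo "$host: tailscale returned the same cert; will retry on the next run"
  fi
  rm -rf "$tmpdir"
}

# Usage from cron, daily (the jitter and the threshold check together keep
# the actual ACME traffic spread out rather than pinned to 03:00):
#   0 3 * * * /usr/local/sbin/renew-ts-cert proxmox.chicken.duck.ts.net
# where the script ends with:  renew_if_needed "$1"
```

Because `renew_if_needed` gives up quietly when the returned cert is unchanged, running it daily once the threshold is crossed simply retries until Tailscale's background renewal has produced a fresh cert, rather than overwriting the installed files with an identical copy.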
Yes even the day before expiry it returns the same cert.
I've filed a bug against tailscale to improve this behavior: HTTPS certificate renewal is based on hard-coded time until expiry · Issue #8204 · tailscale/tailscale · GitHub
Thanks I'll follow this with interest.
While that would improve things in tailscale it doesn't explain why you can't renew until after expiration. At least that's how I see it (as noted, not a tailscale or go expert).
Can you show the last three renewed dates for an actual name?
Answered in PM.
That first name has only been issued two certs:
Viewed with crt.sh as:
And the second cert came 25 days after the first one expired.
I don't see how it is renewing on its own [at all].
The second name has been issued three certs:
The first renewal happened about 8 days before expiry.
The second renewal happened the day it expired.
I fail to see how this is working as expected.
Checking cert renewals for other FQDNs from that domain we can see "the renewal pattern" is consistently late [or non-existent]:
Maybe someone with adequate Tailscale experience can shed some light.
Not sure I entirely follow you, not being familiar with the logs as you are. From my end, I see the certs are getting close to expiry, I try to renew with the tailscale cert command, and it downloads certs identical to what I have.
Earlier this week two certs expired, I used the same command and received good certs.
I'll PM the address of a third system that has been doing the same.
Tailscale doesn't work like certbot, all it does is download certs then it's up to the user to install them, any automation is up to the user to sort out.
That third FQDN has similar "pattern" [of NO pattern]:
[already shown above]
The first cert was renewed the day it expired [2023-02-21].
Then renewed seven days prior to expiration [2023-05-15 is before 2023-05-22].
Thanks for your help but I don't understand this. What I have been doing is manually getting the tailscale certs and then uploading them through the web interfaces on Proxmox, Proxmox Backup Server and OMV. The only way I have been able to achieve this, and this was earlier this week on Proxmox and OMV, was to wait until after expiry and then get the certs. Your logs indicate that fresh certs have been issued before expiry but this conflicts with my experience.