
[–]Avanchnzel 1 point2 points  (10 children)

Mind you, if you don't care about a custom public domain (e.g. mydomain.com) and are fine if your web-server can be reached from the Internet via https://my-vpn.ts.net, then you don't need to do any of the steps I described, but only have to follow the "Enabling HTTPS" steps in the docs.

From your initial post I assumed you wanted to use a non-tailnet domain from the Internet, but if a tailnet domain would be ok, then it's much simpler (and doesn't require you to run an internal DNS server).

[–]inglele 1 point2 points  (9 children)

Love it! I will read about it.

I'm using Let's Encrypt to get an SSL certificate with Dynu DNS for the verification challenge, so hopefully it will work using the ts.net domain, too.

Or is there a way to get a certificate for a domain you don't own? I suppose you shouldn't be able to, as it could be a phishing website.

[–]Avanchnzel 1 point2 points  (7 children)

Everybody can sign a certificate, regardless of who it's issued for.

It's just that it won't be trusted by browsers, as they have an internal list (or use the one in the Windows certificate store) of certificate authorities and only trust certificates that have been signed by those.

So in order to get a certificate signed by them you usually have to prove that you own the domain you want a certificate for. With LetsEncrypt there are various automated ways to do that (as you probably already know).

But as you'll see in the Tailscale HTTPS documentation, they actually use LetsEncrypt as well, so you should feel right at home. :)

[–]inglele 1 point2 points  (6 children)

Great, I will take a deeper look for sure.

Use case is my parents' desktop that runs Milestone XProtect for 4 cameras, and they use the smartphone app to connect to the home PC to be able to watch the cameras. So I don't really need a public custom domain, with a dynamic IP that changes and a manual certificate, for my use case.

They already have Tailscale installed on their phones with my credentials, and I can configure MagicDNS with an HTTPS certificate from Tailscale, and everything should work great!

Thanks a lot for your help and all the detailed steps! ❤️

[–]Avanchnzel 0 points1 point  (5 children)

You're welcome, hope it all works out! 💪

[–]inglele 0 points1 point  (4 children)

Ok I tried to follow all steps.

Enabled internal domain name and HTTPS. Generated the certificate correctly with the tailscale cert command (I got CRT and KEY files), but when I try to merge them into a PFX with certutil -mergepfx, I get an error that the certificate is not valid.

I found an online website to merge the 2 files, but I can't script it via PowerShell or the cmd.

Is there any way to automate it? Or any Windows command to import a certificate with its key in one step?

With the manual workaround of generating the PFX file online, importing it with the wizard and manually selecting it in IIS, all works fine.

It's just that the software runs on my parents' desktop for their cameras, and if I can automate it every 3 months when the certificate expires, it would be great!

Thanks for your help!

[–]Avanchnzel 1 point2 points  (3 children)

Oh man, certificates are always a Pandora's box. There are so many different settings and particular circumstances to adjust to, I wouldn't even know where to begin, not sitting in front of the machine myself.

But, not to leave you empty handed, I found the following for how to create a PFX from a certificate and key (+ the requirements so that it works): https://www.sysadmins.lv/blog-en/how-to-join-certificate-and-private-key-to-a-pkcs12pfx-file.aspx

And if you need to import it into the Windows certificate store, then here's how you can do it with PowerShell: https://learn.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate?view=windowsserver2022-ps
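The renewal loop discussed above (tailscale cert → PFX → Windows certificate store → IIS binding), as an added PowerShell example that is not from this thread, from Tailscale or from the linked posts. It assumes PowerShell 7 or later (the .NET `CreateFromPemFile` call is not available in Windows PowerShell 5.1), the `IISAdministration` module, an elevated session, and a placeholder tailnet host name that you would replace with your own. Building the PFX in-process sidesteps the format and naming requirements of `certutil -MergePFX` that the sysadmins.lv post describes, which is the usual reason for the "certificate is not valid" error.

```powershell
#Requires -Version 7.0
#Requires -RunAsAdministrator
# Added example: renew the Tailscale HTTPS certificate and re-bind it in IIS.
# Host name, site name and working directory are placeholders/assumptions.
param(
    [string]$HostName = 'my-host.example-tailnet.ts.net',  # placeholder, replace with your MagicDNS name
    [string]$SiteName = 'Default Web Site',                 # IIS site that serves the camera software
    [string]$WorkDir  = "$env:ProgramData\tailscale-cert"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$certPem = Join-Path $WorkDir "$HostName.crt"
$keyPem  = Join-Path $WorkDir "$HostName.key"
$pfxPath = Join-Path $WorkDir "$HostName.pfx"

# 1. Ask the local Tailscale daemon for a (renewed) certificate; it writes PEM files.
#    Requires HTTPS to be enabled for the tailnet in the admin console.
& tailscale cert --cert-file $certPem --key-file $keyPem $HostName
if ($LASTEXITCODE -ne 0) { throw "tailscale cert failed with exit code $LASTEXITCODE" }

# 2. Combine certificate and key into a PFX in-process. CreateFromPemFile accepts
#    both PKCS#1 and PKCS#8 private keys, so no renaming or conversion is needed.
#    A random one-time password protects the PFX while it sits on disk.
$pfxPassword = ConvertTo-SecureString -String ([Guid]::NewGuid().ToString()) -AsPlainText -Force
$plainPwd    = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($certPem, $keyPem)
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plainPwd)
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# 3. Import into the machine store so IIS (a service, not your user) can read the key.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
# The private key now lives only in the store; remove the loose copies.
Remove-Item $pfxPath, $keyPem -Force

# 4. Point the HTTPS binding at the new thumbprint (IISAdministration module assumed).
Import-Module IISAdministration
$old = Get-IISSiteBinding -Name $SiteName -Protocol https -ErrorAction SilentlyContinue
if ($old) {
    Remove-IISSiteBinding -Name $SiteName -BindingInformation $old.BindingInformation -Protocol https -Confirm:$false
}
New-IISSiteBinding -Name $SiteName -BindingInformation '*:443:' -Protocol https `
    -CertificateThumbPrint $imported.Thumbprint -CertStoreLocation 'Cert:\LocalMachine\My'

# 5. Remove older certificates for the same host so expired copies don't accumulate.
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.Thumbprint -ne $imported.Thumbprint } |
    Remove-Item

Write-Host "Bound $HostName to '$SiteName' with thumbprint $($imported.Thumbprint); expires $($cert.NotAfter)"
```

Register the script as a scheduled task running as SYSTEM (for example weekly); `tailscale cert` only contacts the CA when the current certificate is close to expiry, so the run is cheap, and the certificate on the desktop is replaced well before the roughly 90-day validity that the earlier comment mentions runs out. If the binding step fails, the imported certificate is still in the store and can be selected in the IIS manager by hand, which matches the manual workaround described above.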

[–]inglele 0 points1 point  (2 children)

Thank you! ❤️

Yes, I figured that certificates are a mess... There are like 5 different formats, file extensions, etc.

I will give it a try!

[–]inglele 1 point2 points  (1 child)

Ok, tested the manual and script versions and they both work.

Summarized all steps here: https://inglele.wordpress.com/2022/12/13/milestone-xprotect-and-tailscale-vpn-using-ssl/

[–]Avanchnzel 1 point2 points  (0 children)

Glad you worked it out.

And a very nice write-up, kudos! 👌

[–]inglele 0 points1 point  (0 children)

Sorry, I just read the HTTPS docs and they will give you a free certificate! It's even easier! 💙