tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Lytvynov	e7bf6e716b	cmd/tailscale: add --min-validity flag to the cert command (#12822 ) Some users run "tailscale cert" in a cron job to renew their certificates on disk. The time until the next cron job run may be long enough for the old cert to expire with our default heristics. Add a `--min-validity` flag which ensures that the returned cert is valid for at least the provided duration (unless it's longer than the cert lifetime set by Let's Encrypt). Updates #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Maisem Ali	24f322bc43	ipn/ipnlocal: do unexpired cert renewals in the background We were eagerly doing a synchronous renewal of the cert while trying to serve traffic. Instead of that, just do the cert renewal in the background and continue serving traffic as long as the cert is still valid. This regressed in `c1ecae13ab` when we introduced ARI support and were trying to make the experience of `tailscale cert` better. However, that ended up regressing the experience for tsnet as it would not always doing the renewal synchronously. Fixes #9783 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Lytvynov	c1ecae13ab	ipn/{ipnlocal,localapi}: actually renew certs before expiry (#8731 ) While our `shouldStartDomainRenewal` check is correct, `getCertPEM` would always bail if the existing cert is not expired. Add the same `shouldStartDomainRenewal` check to `getCertPEM` to make it proceed with renewal when existing certs are still valid but should be renewed. The extra check is expensive (ARI request towards LetsEncrypt), so cache the last check result for 1hr to not degrade `tailscale serve` performance. Also, asynchronous renewal is great for `tailscale serve` but confusing for `tailscale cert`. Add an explicit flag to `GetCertPEM` to force a synchronous renewal for `tailscale cert`. Fixes #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Brad Fitzpatrick	b1248442c3	all: update to Go 1.20, use strings.CutPrefix/Suffix instead of our fork Updates #7123 Updates #5309 Change-Id: I90bcd87a2fb85a91834a0dd4be6e03db08438672 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Brad Fitzpatrick	6d8320a6e9	ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	9be8d15979	ipn/localapi: refactor some cert code in prep for a move I want to move the guts (after the HTTP layer) of the certificate fetching into the ipnlocal package, out of localapi. As prep, refactor a bit: * add a method to do the fetch-from-cert-or-as-needed-with-refresh, rather than doing it in the HTTP hander * convert two methods to funcs, taking the one extra field (LocalBackend) then needed from their method receiver. One of the methods needed nothing from its receiver. This will make a future change easier to reason about. Change-Id: I2a7811e5d7246139927bb86e7db8009bf09b3be3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	da8def8e13	all: remove old +build tags The //go:build syntax was introduced in Go 1.17: https://go.dev/doc/go1.17#build-lines gofmt has kept the +build and go:build lines in sync since then, but enough time has passed. Time to remove them. Done with: perl -i -npe 's,^// \+build.*\n,,' $(git grep -l -F '+build') Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	4a82b317b7	ipn/{ipnlocal,localapi}: use strs.CutPrefix, add more domain validation The GitHub CodeQL scanner flagged the localapi's cert domain usage as a problem because user input in the URL made it to disk stat checks. The domain is validated against the ipnstate.Status later, and only authenticated root/configured users can hit this, but add some paranoia anyway. Change-Id: I373ef23832f1d8b3a27208bc811b6588ae5a1ddd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Eng Zer Jun	f0347e841f	refactor: move from io/ioutil to io and os packages The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Reference: https://golang.org/doc/go1.16#ioutil Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2 years ago
Brad Fitzpatrick	74674b110d	envknob: support changing envknobs post-init Updates #5114 Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	1ac4a26fee	ipn/localapi: send Tailscale version in ACME User-Agent (#5499 ) Requested by a friend at Let's Encrypt. Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Brad Fitzpatrick	469c30c33b	ipn/localapi: define a cert dir for Synology DSM6 Fixes #4060 Change-Id: I5f145d4f56f6edb14825268e858d419c55918673 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	27a1ad6a70	wasm: exclude code that's not used on iOS for Wasm too It has similar size constraints. Saves ~1.9MB from the Wasm build. Updates #3157 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Josh Bleecher Snyder	0868329936	all: use any instead of interface{} My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	d19a63ddf6	ipn/localapi: treat ACME "invalid" state as terminal, log more Fixes #3975 Change-Id: Idb2cc8d4730e140939898c7dcc15c2014acca142 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ca774c3249	ipn/ipnserver: add TS_PERMIT_CERT_UID envknob to give webservers cert access So you can run Caddy etc as a non-root user and let it have access to get certs. Updates caddyserver/caddy#4541 Change-Id: Iecc5922274530e2b00ba107d4b536580f374109b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	41fd4eab5c	envknob: add new package for all the strconv.ParseBool(os.Getenv(..)) A new package can also later record/report which knobs are checked and set. It also makes the code cleaner & easier to grep for env knobs. Change-Id: Id8a123ab7539f1fadbd27e0cbeac79c2e4f09751 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	3b3994f0db	ipn{,/localapi,ipnlocal}: infer cert dir from state file location This fixes "tailscale cert" on Synology where the var directory is typically like /volume2/@appdata/Tailscale, or any other tailscaled user who specifies a non-standard state file location. This is a interim fix on the way to #2932. Fixes #2927 Updates #2932 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	56db3e2548	ipn/localapi: refresh ACME certs in background two weeks in advance Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	57b794c338	ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago

21 Commits (1cecc43522c4b3bb9beb3e3fbe42741cccdbcb1d)