Add --certmode=gcp for using Google Cloud Certificate Manager's
public CA instead of Let's Encrypt. GCP requires External Account
Binding (EAB) credentials for ACME registration, so this adds
--acme-eab-kid and --acme-eab-key flags.
The EAB key accepts both base64url and standard base64 encoding
to support both ACME spec format and gcloud output.
Fixestailscale/corp#34881
Signed-off-by: Raj Singh <raj@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 8eda947530)
Updates #18122
(cherry picked from commit 7bc25f77f4)
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com>
If a packet arrives while WireGuard is being reconfigured with b.mu held, such as during a profile switch,
calling back into (*LocalBackend).GetPeerAPIPort from (*Wrapper).filterPacketInboundFromWireGuard
may deadlock when it tries to acquire b.mu.
This occurs because a peer cannot be removed while an inbound packet is being processed.
The reconfig and profile switch wait for (*Peer).RoutineSequentialReceiver to return, but it never finishes
because GetPeerAPIPort needs b.mu, which the waiting goroutine already holds.
In this PR, we make peerAPIPorts a new syncs.AtomicValue field that is written with b.mu held
but can be read by GetPeerAPIPort without holding the mutex, which fixes the deadlock.
There might be other long-term ways to address the issue, such as moving peer API listeners
from LocalBackend to nodeBackend so they can be accessed without holding b.mu,
but these changes are too large and risky at this stage in the v1.92 release cycle.
Updates #18124
Signed-off-by: Nick Khyl <nickk@tailscale.com>
(cherry picked from commit 557457f3c2)
httpPort=flag.Int("http-port",80,"The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
stunPort=flag.Int("stun-port",3478,"The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
configPath=flag.String("c","","config file path")
certMode=flag.String("certmode","letsencrypt","mode for getting a cert. possible options: manual, letsencrypt")
certDir=flag.String("certdir",tsweb.DefaultCertDir("derper-certs"),"directory to store LetsEncrypt certs, if addr's port is :443")
hostname=flag.String("hostname","derp.tailscale.com","LetsEncrypt host name, if addr's port is :443. When --certmode=manual, this can be an IP address to avoid SNI checks")
certMode=flag.String("certmode","letsencrypt","mode for getting a cert. possible options: manual, letsencrypt, gcp")
certDir=flag.String("certdir",tsweb.DefaultCertDir("derper-certs"),"directory to store ACME (e.g. LetsEncrypt) certs, if addr's port is :443")
hostname=flag.String("hostname","derp.tailscale.com","TLS host name for certs, if addr's port is :443. When --certmode=manual, this can be an IP address to avoid SNI checks")
acmeEABKid=flag.String("acme-eab-kid","","ACME External Account Binding (EAB) Key ID (required for --certmode=gcp)")
runSTUN=flag.Bool("stun",true,"whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
runDERP=flag.Bool("derp",true,"whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
flagHome=flag.String("home","","what to serve at the root path. It may be left empty (the default, for a default homepage), \"blank\" for a blank page, or a URL to redirect to")
@ -343,7 +345,7 @@ func main() {
ifserveTLS{
log.Printf("derper: serving on %s with TLS",*addr)
Jonathan Nobels