Traefik and Tailscale https-Certs

Hi guys,
I would like to use https-Certs from Tailscale in Traefik. Unfortunately, Traefik is giving me this error log:

ERR Unable to fetch certificate for domain "raspi5.XXXXXX.ts.net" error="Get \"http://local-tailscaled.sock/localapi/v0/cert/raspi5.XXXXXX.ts.net?type=pair\": dial unix /var/run/tailscale/tailscaled.sock: connect: connection refused" providerName=myresolver.tailscale

My setup:
Raspberry Pi OS (= Debian): latest
Docker: latest
Tailscale VPN: latest, running as a Docker container in the Docker host network. Machine name is raspi5.
Traefik: latest, running as a container in the Docker default bridge network. This is also the network all the other containers that are getting proxied are running in.
Both the Tailscale and the Traefik containers are running with root privileges.

Tailscale configuration / Docker run:

docker run -d --name=tailscaled --network host --restart unless-stopped \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
-e TS_AUTHKEY=tskey-auth-XXXXXX \
-e TS_STATE_DIR=/var/lib/tailscale \
-e TS_EXTRA_ARGS=--advertise-exit-node \
-v /home/jan_reinhardt/docker/volumes/tailscale:/var/lib/tailscale \
-v /dev/net/tun:/dev/net/tun \
tailscale/tailscale:latest

Traefik configuration / Docker compose, no extra config.yaml used:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    network_mode: bridge
    command:
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --log.level=INFO
      - --certificatesresolvers.myresolver.tailscale=true
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - TZ=Europe/Berlin
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro
networks: {}

What am I doing wrong? Is this a Tailscale error? Or a Traefik error?
(Or a Docker networking error? I think I can rule that out since I tried running Traefik in the Docker host network also, didn’t make a difference.)
Thank you for your help!

Containers are for isolation. Not sure how Traefik should access the socket that is created by another container, probably inside itself.

If this were the case, I think the Traefik documents (or FAQ) should mention this in their Tailscale section, because using both products via their official Docker containers is a standard use case.

Solved this shit myself! :mechanical_arm:
Running Tailscale like this now:

docker run -d --name=tailscaled --network host --restart unless-stopped \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
-e TS_AUTHKEY=tskey-auth-123NOTAREALAUTHKEY678 \
-e TS_STATE_DIR=/var/lib/tailscale \
-e TS_SOCKET=/var/run/tailscale/tailscaled.sock \
-e TS_EXTRA_ARGS=--advertise-exit-node \
-v /dev/net/tun:/dev/net/tun \
-v /home/jan_reinhardt/docker/volumes/tailscale/lib:/var/lib/tailscale \
-v /home/jan_reinhardt/docker/volumes/tailscale/run:/var/run/tailscale \
tailscale/tailscale:latest

and Traefik this way:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    network_mode: bridge
    command:
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --log.level=INFO
      - --certificatesresolvers.myresolver.tailscale=true
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - TZ=Europe/Berlin
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/jan_reinhardt/docker/volumes/tailscale/run/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro
      - /home/jan_reinhardt/docker/volumes/tailscale/lib:/var/lib/tailscale
networks: {}

And valid Tailscale https-Certs are working like a charm.
Peace out, JAN
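The fix above boils down to one thing: the socket Traefik mounts must be the host path that tailscaled actually writes to, which only happens once the tailscale container has a host directory bind-mounted at the directory named in TS_SOCKET. The following POSIX sh script is an added example, not part of the thread nor of Traefik or Tailscale; it derives the host socket path from the tailscale container's run arguments, derives the host path Traefik's compose file mounts at /var/run/tailscale/tailscaled.sock, and reports whether they line up for both the first (broken) and the second (working) configuration. It assumes that the tailscale image's containerboot defaults the socket to /tmp/tailscaled.sock when TS_SOCKET is unset (check this against the image documentation for your version), and the host paths under /srv/tailscale are constructed. The extra /var/lib/tailscale mount in the working Traefik compose is deliberately left out of the check: Traefik's Tailscale resolver only needs the LocalAPI socket, and the state directory holds tailscaled's node state including its private key, so there is no reason to hand it to a second container.

```sh
#!/bin/sh
# Added example (not from the thread, Traefik or Tailscale): check that the host path
# Traefik mounts as the tailscaled socket is the same host path tailscaled writes to.

# Constructed sample of the tailscale container's `docker run` arguments, before the
# fix (socket stays inside the container) and after it (TS_SOCKET + shared run dir).
TS_RUN_ARGS_BEFORE='--network host -e TS_STATE_DIR=/var/lib/tailscale -v /srv/tailscale:/var/lib/tailscale -v /dev/net/tun:/dev/net/tun'
TS_RUN_ARGS_AFTER='--network host -e TS_STATE_DIR=/var/lib/tailscale -e TS_SOCKET=/var/run/tailscale/tailscaled.sock -v /dev/net/tun:/dev/net/tun -v /srv/tailscale/lib:/var/lib/tailscale -v /srv/tailscale/run:/var/run/tailscale'

# Constructed sample of Traefik's compose `volumes:` entries (host:container[:mode]).
TRAEFIK_VOLUMES='- /var/run/docker.sock:/var/run/docker.sock:ro
- /srv/tailscale/run/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro'

# Socket path containerboot uses when TS_SOCKET is unset (assumption: verify against
# the image documentation for the version you run).
DEFAULT_TS_SOCKET=/tmp/tailscaled.sock

# Print the host path of tailscaled's socket, derived from TS_SOCKET and the -v mounts.
# Returns 1 when no bind mount covers the socket, i.e. it never leaves the container.
ts_socket_host_path() {
  sock=$DEFAULT_TS_SOCKET
  for tok in $1; do
    case $tok in
      TS_SOCKET=*) sock=${tok#TS_SOCKET=} ;;
    esac
  done
  prev=
  for tok in $1; do
    if [ "x$prev" = "x-v" ]; then
      host=${tok%%:*}
      rest=${tok#*:}
      cont=${rest%%:*}
      case $sock in
        "$cont"/*) printf '%s\n' "$host${sock#"$cont"}"; return 0 ;;
      esac
    fi
    prev=$tok
  done
  return 1
}

# Print the host path Traefik bind-mounts at the socket path its Tailscale resolver opens.
traefik_socket_host_path() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    line=${line#"${line%%[! ]*}"}   # strip compose indentation
    line=${line#- }                 # strip the list dash
    host=${line%%:*}
    rest=${line#*:}
    cont=${rest%%:*}
    if [ "$cont" = /var/run/tailscale/tailscaled.sock ]; then
      printf '%s\n' "$host"
    fi
  done
}

# 0 when both sides name the same host path, 1 when Traefik mounts something else,
# 2 when tailscaled's socket never reaches the host at all.
socket_mounts_agree() {
  ts=$(ts_socket_host_path "$1") || return 2
  tf=$(traefik_socket_host_path "$2")
  [ -n "$tf" ] && [ "$ts" = "$tf" ]
}

# Run on the Docker host once tailscaled is up: bind-mounting a host path that does
# not exist yet makes Docker create a directory there, and a directory is not a
# socket, which is exactly the "connection refused" the first attempt produced.
host_socket_ok() {
  [ -S "$1" ]
}

for variant in BEFORE AFTER; do
  eval "args=\$TS_RUN_ARGS_$variant"
  if socket_mounts_agree "$args" "$TRAEFIK_VOLUMES"; then
    echo "$variant: Traefik mounts the socket tailscaled writes"
  else
    echo "$variant: socket paths do not line up (rc=$?)"
  fi
done
```

Running it prints a mismatch (rc=2) for the first configuration, where TS_SOCKET is unset and no mount covers the container-internal socket, and agreement for the second. On a live host, `host_socket_ok /home/.../tailscale/run/tailscaled.sock` is the last thing to confirm before starting Traefik.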
