Use Tailscale to generate a certificate.

You can generate a certificate by hand using the following command.

$ sudo tailscale cert --cert-file /etc/nginx/desktop.crt --key-file /etc/nginx/desktop.key desktop.virtual-network.ts.net
Public cert unchanged at /etc/nginx/desktop.crt
Private key unchanged at /etc/nginx/desktop.key

Ensure that the certificate and key files are owned by the web server user.

$ sudo chown www-data:www-data /etc/nginx/desktop.{crt,key}

Reload the web server.

$ sudo systemctl reload nginx

Automate this process using a shell script and the cron service.

$ cat <<'EOF' | sudo tee /etc/cron.monthly/10tailscale
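#!/bin/sh
# Tailnet DNS name of this machine, without the trailing dot
domain="$(tailscale status --self --json | jq --raw-output .Self.DNSName | sed 's/\.$//')"

path="/etc/nginx"
# The first DNS label (machine name) is used as the file name
file="$(echo "$domain" | cut --delimiter . --fields 1)"

certificate="${path}/${file}.crt"
key="${path}/${file}.key"

# Request or renew the certificate; change ownership only on success
tailscale cert --cert-file "$certificate" \
               --key-file  "$key"         \
               "$domain"               && \
  chown www-data:www-data "$certificate" "$key"
# Reload nginx so that it reads the current files
systemctl reload nginx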
EOF

Ensure that the created shell script is executable.

$ sudo chmod +x /etc/cron.monthly/10tailscale

Execute it for the first time.

$ sudo /etc/cron.monthly/10tailscale
Wrote public cert to /etc/nginx/desktop.crt
Wrote private key to /etc/nginx/desktop.key
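
A post-run check for the files the cron script writes, as an added example that is not part of the original page: it verifies that the private key is not accessible to group or others, that the certificate is not about to expire, and that the certificate and key belong together. The function names and the 14-day threshold are assumptions; it needs openssl and GNU stat.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate/key pair such as
# /etc/nginx/desktop.crt and /etc/nginx/desktop.key.
# Function names and the default threshold are assumptions, not from the page.

# Succeeds when the key file grants no permissions to group or others.
key_mode_ok() {
  mode="$(stat -c '%a' "$1")" || return 2
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Succeeds when the certificate stays valid for at least $2 more days.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds when certificate and private key carry the same public key.
cert_matches_key() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)" || return 2
  key_pub="$(openssl pkey -in "$2" -pubout)" || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Runs all checks: check_pair <certificate> <key> [minimum days left]
check_pair() {
  days="${3:-14}"   # assumed alert threshold
  rc=0
  key_mode_ok "$2" ||
    { echo "FAIL: $2 is accessible to group or others"; rc=1; }
  cert_valid_for "$1" "$days" ||
    { echo "FAIL: $1 expires within $days days"; rc=1; }
  cert_matches_key "$1" "$2" ||
    { echo "FAIL: $1 and $2 do not belong together"; rc=1; }
  return "$rc"
}

# Run the checks only when called with a certificate and a key path.
if [ "$#" -ge 2 ]; then
  check_pair "$@"
fi
```

Run it as root with the two file paths as arguments, for example at the end of the monthly script; a non-zero exit status means at least one check failed.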