{"slug":"caddy-certificates-on-tailscale","title":"Caddy certificates on Tailscale","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Caddy certificates on Tailscale\r\n\r\nLast validated: Jan 5, 2026\r\n\r\n[Caddy](https://caddyserver.com/) is a web server that makes HTTPS easy. Starting with the beta release of\r\n[Caddy 2.5](https://github.com/caddyserver/caddy/releases/tag/v2.5.0-beta.1), Caddy supports Tailscale. When Caddy gets an HTTPS request for a `*.ts.net`\r\nsite, it gets the HTTPS certificate from the machine's local Tailscale daemon. There's no\r\nconfiguration required for the certificate. For example, you can use a [Caddyfile](https://caddyserver.com/docs/caddyfile/patterns) for a\r\nstatic file server, and it automatically enables HTTPS:\r\n\r\n```markup\r\nmachine-name.domain-alias.ts.net\r\n\r\nroot * /var/www\r\nfile_server\r\n```\r\n\r\n## [Provide non-root users with access to fetch certificate](https://tailscale.com/docs/integrations/web-servers/caddy/caddy-certificates\\#provide-non-root-users-with-access-to-fetch-certificate)\r\n\r\nIf Caddy is running as a non-root user, such as when it runs on Debian as `caddy`, you need to\r\nmodify `/etc/default/tailscaled` to grant the user access to fetch the certificate.\r\nIn `/etc/default/tailscaled`, set the `TS_PERMIT_CERT_UID` environment variable to the name or ID\r\nof the non-root user:\r\n\r\n```markup\r\nTS_PERMIT_CERT_UID=caddy\r\n```\r\n\r\nFor more information about Caddy, refer to [Get started with Caddy](https://caddyserver.com/docs/getting-started).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Caddy certificates on Tailscale</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p><a href=\"https://caddyserver.com/\">Caddy</a> is a web server that makes HTTPS easy. Starting with the beta release of\r\n<a href=\"https://github.com/caddyserver/caddy/releases/tag/v2.5.0-beta.1\">Caddy 2.5</a>, Caddy supports Tailscale. When Caddy gets an HTTPS request for a <code>*.ts.net</code>\r\nsite, it gets the HTTPS certificate from the machine's local Tailscale daemon. There's no\r\nconfiguration required for the certificate. For example, you can use a <a href=\"https://caddyserver.com/docs/caddyfile/patterns\">Caddyfile</a> for a\r\nstatic file server, and it automatically enables HTTPS:</p>\n<pre><code class=\"language-markup\">machine-name.domain-alias.ts.net\r\n\r\nroot * /var/www\r\nfile_server\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/integrations/web-servers/caddy/caddy-certificates#provide-non-root-users-with-access-to-fetch-certificate\">Provide non-root users with access to fetch certificate</a></h2>\n<p>If Caddy is running as a non-root user, such as when it runs on Debian as <code>caddy</code>, you need to\r\nmodify <code>/etc/default/tailscaled</code> to grant the user access to fetch the certificate.\r\nIn <code>/etc/default/tailscaled</code>, set the <code>TS_PERMIT_CERT_UID</code> environment variable to the name or ID\r\nof the non-root user:</p>\n<pre><code class=\"language-markup\">TS_PERMIT_CERT_UID=caddy\n</code></pre>\n<p>For more information about Caddy, refer to <a href=\"https://caddyserver.com/docs/getting-started\">Get started with Caddy</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}