{"slug":"enabling-https","title":"Enabling HTTPS","tags":["tailscale"],"agent_summary":"Last validated: Dec 10, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Enabling HTTPS\r\n\r\nLast validated: Dec 10, 2025\r\n\r\nConnections between Tailscale nodes are secured with end-to-end [encryption](https://tailscale.com/docs/concepts/tailscale-encryption). Browsers, web APIs, and products like Visual Studio Code are not aware of that, however, and can warn users or disable features based on the fact that HTTP URLs to your tailnet services look unencrypted since they're not using TLS certificates, which is what those tools are expecting.\r\n\r\nTo protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority (CA).\r\n\r\nThis feature uses the active [tailnet name](https://tailscale.com/docs/concepts/tailnet-name) for your tailnet.\r\n\r\n## [Configure HTTPS](https://tailscale.com/docs/how-to/set-up-https-certificates\\#configure-https)\r\n\r\nTo be able to provision TLS certificates for devices in your tailnet, you need to:\r\n\r\n1. Open the [DNS](https://login.tailscale.com/admin/dns) page of the admin console.\r\n2. Enable [MagicDNS](https://tailscale.com/docs/features/magicdns#enabling-magicdns) if not already enabled for your tailnet.\r\n3. Under **HTTPS Certificates**, select **Enable HTTPS**.\r\n4. Acknowledge that your machine names and your tailnet DNS name will be published on a public ledger.\r\n5. For each machine you are provisioning with a TLS certificate, run `tailscale cert` on the machine to obtain a certificate.\r\n\r\n### [Machine names in the public ledger](https://tailscale.com/docs/how-to/set-up-https-certificates\\#machine-names-in-the-public-ledger)\r\n\r\nAll TLS certificates on the web are recorded in the [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) (CT) append-only\r\npublic ledger, which anyone can access to verify the validity of public certificates. Notably, this includes the fully qualified domain name of your devices. To\r\navoid publicizing your organization name, such as your corporate domain, email address, or GitHub username, Tailscale provides you with a [tailnet name](https://tailscale.com/docs/concepts/tailnet-name). Each tailnet has a [tailnet DNS name](https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name) like **`tail*NNNN*.ts.net`** or\r\n**`tailnet-*NNNN*.ts.net`**, but you can also [generate and select a randomized tailnet DNS name](https://tailscale.com/docs/concepts/tailnet-name#generate-a-new-tailnet-dns-name) generated by Tailscale, like **`yak-bebop.ts.net`**.\r\n\r\nTLS certificates are issued based in your tailnet name. Right now, we don't permit changing your tailnet name\r\n(other than between your default tailnet DNS name and your randomly generated tailnet name).\r\n\r\nAlthough the certificate domain obscures the owner of the tailnet, the machine names are still published in the public ledger. **Do not enable the HTTPS feature if any of your machine names contain sensitive information.** You can [edit your machine name](https://tailscale.com/docs/concepts/machine-names#renaming-a-machine) before obtaining a certificate.\r\n\r\nThe public ledger only provides information about the names of the TLS certificates; access to your devices is still restricted by Tailscale as normal.\r\nAdditionally, only devices where you run `tailscale cert` will have their certificate in the public ledger.\r\n\r\nTo summarize, the domain name that gets published on the public ledger is composed as follows:\r\n\r\n![monitoring.yak-bebop.ts.net where 'monitoring' is the machine-name and 'yak-bebop.ts.net' is the tailnet name](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhttps-naming.f9bb79de.png&w=3840&q=75)\r\n\r\n[MagicDNS](https://tailscale.com/docs/features/magicdns) automatically registers DNS names for devices in your network, using their machine name. If the machine name changes, the MagicDNS\r\nentry will change. You can [edit your machine name](https://tailscale.com/docs/concepts/machine-names#renaming-a-machine) to set it to a specific name.\r\n\r\nYou cannot obtain an HTTPS URL to go to a bare hostname, such as `https://machine-name`. If you obtain a TLS certificate for a node using MagicDNS, it will be accessible at both `https://machine-name.tailNNNN.ts.net`, using HTTPS, and also at `http://machine-name`, without HTTPS but using MagicDNS as a DNS nameserver.\r\n\r\n### [Provision TLS certificates for your devices](https://tailscale.com/docs/how-to/set-up-https-certificates\\#provision-tls-certificates-for-your-devices)\r\n\r\nUsing [`tailscale cert`](https://tailscale.com/docs/reference/tailscale-cli#cert) (with `sudo` as needed), Tailscale will automatically request a certificate for this machine on this domain, using [Let's Encrypt](https://letsencrypt.org/).\r\nTailscale creates a `*.ts.net` DNS TXT record for your nodes to complete their [DNS-01 challenges](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge).\r\nIf you're using Go, the [`tailscale.com/client/tailscale.LocalClient.GetCertificate`](https://pkg.go.dev/tailscale.com/client/tailscale#LocalClient.GetCertificate) method implements the\r\n[`tls.Config.GetCertificate`](https://pkg.go.dev/crypto/tls#Config.GetCertificate) callback to [do it all automatically](https://github.com/tailscale/tailscale/blob/main/client/tailscale/example/servetls/servetls.go).\r\nYour certificate's private key and your Let's Encrypt (ACME) account's private key are generated and stored locally on your machine and Tailscale never sees them.\r\n\r\nIt is possible to frequently request a new certificate and exceed Let's Encrypt's rate limits. As a result, you may find yourself waiting 34 hours until you can try again. For more information, refer to Let's Encrypt's [rate limits documentation](https://letsencrypt.org/docs/rate-limits/).\r\n\r\nThe certificates provided by Let's Encrypt have a 90 day expiry and require periodic renewal. When a certificate is delivered as files on disk which you then move to an install location, such as when using `tailscale cert`, the [`tailscaled` daemon](https://tailscale.com/docs/reference/tailscaled) doesn't know where to place a renewed certificate nor how to install it. So for any certificates that you create using `tailscale cert`, you are responsible for renewing the certificate.\r\n\r\nIf a certificate is handled without the user initiating any file-based certificate installation, such as when using the [Caddy integration of Tailscale](https://github.com/tailscale/caddy-tailscale), then the certificate will automatically be renewed without the user doing anything.\r\n\r\n### [Using other TLS certificates](https://tailscale.com/docs/how-to/set-up-https-certificates\\#using-other-tls-certificates)\r\n\r\nIn addition to Let's Encrypt, [Caddy](https://caddyserver.com/) provides a way to use certificates for your tailnet machines. For details, refer to [Caddy certificates on Tailscale](https://tailscale.com/docs/integrations/web-servers/caddy/caddy-certificates).\r\n\r\nIf you are manually installing a certificate from another certificate provider, consult their documentation for how to configure the machine and how to renew the certificate.\r\n\r\n## [Disable HTTPS](https://tailscale.com/docs/how-to/set-up-https-certificates\\#disable-https)\r\n\r\nYou can disable HTTPS for your tailnet, but this will break all links and connections that relied on HTTPS.\r\n\r\nTo disable HTTPS for your tailnet:\r\n\r\n1. Open the [DNS](https://login.tailscale.com/admin/dns) page of the admin console.\r\n2. Under **HTTPS Certificates**, select **Disable HTTPS**.\r\n\r\nIf HTTPS is disabled, the certificates for your machines are not revoked. This is so that you can re-enable the feature again for your tailnet if needed. You also cannot invalidate a certificate for a single machine.\r\n\r\nIf you want to re-enable HTTPS, it will be enabled with the active [tailnet DNS name](https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name) for your tailnet.\r\n\r\n## [Check certificate status](https://tailscale.com/docs/how-to/set-up-https-certificates\\#check-certificate-status)\r\n\r\nWithin the Tailscale admin console, you can check the TLS certificate status for any machine in your network, provided the machine is:\r\n\r\n- online for your tailnet\r\n- running Tailscale v1.56 or later\r\n\r\nTo check the certificate status:\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console.\r\n2. Find the machine whose certificate status you want to check. You can use the [search bar](https://tailscale.com/docs/features/access-control/device-management/how-to/filter#filter-with-the-search-bar) or [filters](https://tailscale.com/docs/features/access-control/device-management/how-to/filter) to find a machine.\r\n3. Select the machine.\r\n4. Check the certificate status in the **TLS certificate** section of the machine page.\r\n\r\nIf a machine is offline, Tailscale will not be able to report its certificate status.\r\n\r\nThe following statuses can be reported for a machine's certificate:\r\n\r\n- Valid\r\n- Invalid\r\n- Certificate expired\r\n- No certificate found\r\n- Upgrade client to check status\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Enabling HTTPS</h1>\n<p>Last validated: Dec 10, 2025</p>\n<p>Connections between Tailscale nodes are secured with end-to-end <a href=\"https://tailscale.com/docs/concepts/tailscale-encryption\">encryption</a>. Browsers, web APIs, and products like Visual Studio Code are not aware of that, however, and can warn users or disable features based on the fact that HTTP URLs to your tailnet services look unencrypted since they're not using TLS certificates, which is what those tools are expecting.</p>\n<p>To protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority (CA).</p>\n<p>This feature uses the active <a href=\"https://tailscale.com/docs/concepts/tailnet-name\">tailnet name</a> for your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates#configure-https\">Configure HTTPS</a></h2>\n<p>To be able to provision TLS certificates for devices in your tailnet, you need to:</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/dns\">DNS</a> page of the admin console.</li>\n<li>Enable <a href=\"https://tailscale.com/docs/features/magicdns#enabling-magicdns\">MagicDNS</a> if not already enabled for your tailnet.</li>\n<li>Under <strong>HTTPS Certificates</strong>, select <strong>Enable HTTPS</strong>.</li>\n<li>Acknowledge that your machine names and your tailnet DNS name will be published on a public ledger.</li>\n<li>For each machine you are provisioning with a TLS certificate, run <code>tailscale cert</code> on the machine to obtain a certificate.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates#machine-names-in-the-public-ledger\">Machine names in the public ledger</a></h3>\n<p>All TLS certificates on the web are recorded in the <a href=\"https://en.wikipedia.org/wiki/Certificate_Transparency\">Certificate Transparency</a> (CT) append-only\r\npublic ledger, which anyone can access to verify the validity of public certificates. Notably, this includes the fully qualified domain name of your devices. To\r\navoid publicizing your organization name, such as your corporate domain, email address, or GitHub username, Tailscale provides you with a <a href=\"https://tailscale.com/docs/concepts/tailnet-name\">tailnet name</a>. Each tailnet has a <a href=\"https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name\">tailnet DNS name</a> like <strong><code>tail*NNNN*.ts.net</code></strong> or\r\n<strong><code>tailnet-*NNNN*.ts.net</code></strong>, but you can also <a href=\"https://tailscale.com/docs/concepts/tailnet-name#generate-a-new-tailnet-dns-name\">generate and select a randomized tailnet DNS name</a> generated by Tailscale, like <strong><code>yak-bebop.ts.net</code></strong>.</p>\n<p>TLS certificates are issued based in your tailnet name. Right now, we don't permit changing your tailnet name\r\n(other than between your default tailnet DNS name and your randomly generated tailnet name).</p>\n<p>Although the certificate domain obscures the owner of the tailnet, the machine names are still published in the public ledger. <strong>Do not enable the HTTPS feature if any of your machine names contain sensitive information.</strong> You can <a href=\"https://tailscale.com/docs/concepts/machine-names#renaming-a-machine\">edit your machine name</a> before obtaining a certificate.</p>\n<p>The public ledger only provides information about the names of the TLS certificates; access to your devices is still restricted by Tailscale as normal.\r\nAdditionally, only devices where you run <code>tailscale cert</code> will have their certificate in the public ledger.</p>\n<p>To summarize, the domain name that gets published on the public ledger is composed as follows:</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhttps-naming.f9bb79de.png&#x26;w=3840&#x26;q=75\" alt=\"monitoring.yak-bebop.ts.net where &#x27;monitoring&#x27; is the machine-name and &#x27;yak-bebop.ts.net&#x27; is the tailnet name\"></p>\n<p><a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> automatically registers DNS names for devices in your network, using their machine name. If the machine name changes, the MagicDNS\r\nentry will change. You can <a href=\"https://tailscale.com/docs/concepts/machine-names#renaming-a-machine\">edit your machine name</a> to set it to a specific name.</p>\n<p>You cannot obtain an HTTPS URL to go to a bare hostname, such as <code>https://machine-name</code>. If you obtain a TLS certificate for a node using MagicDNS, it will be accessible at both <code>https://machine-name.tailNNNN.ts.net</code>, using HTTPS, and also at <code>http://machine-name</code>, without HTTPS but using MagicDNS as a DNS nameserver.</p>\n<h3><a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates#provision-tls-certificates-for-your-devices\">Provision TLS certificates for your devices</a></h3>\n<p>Using <a href=\"https://tailscale.com/docs/reference/tailscale-cli#cert\"><code>tailscale cert</code></a> (with <code>sudo</code> as needed), Tailscale will automatically request a certificate for this machine on this domain, using <a href=\"https://letsencrypt.org/\">Let's Encrypt</a>.\r\nTailscale creates a <code>*.ts.net</code> DNS TXT record for your nodes to complete their <a href=\"https://letsencrypt.org/docs/challenge-types/#dns-01-challenge\">DNS-01 challenges</a>.\r\nIf you're using Go, the <a href=\"https://pkg.go.dev/tailscale.com/client/tailscale#LocalClient.GetCertificate\"><code>tailscale.com/client/tailscale.LocalClient.GetCertificate</code></a> method implements the\r\n<a href=\"https://pkg.go.dev/crypto/tls#Config.GetCertificate\"><code>tls.Config.GetCertificate</code></a> callback to <a href=\"https://github.com/tailscale/tailscale/blob/main/client/tailscale/example/servetls/servetls.go\">do it all automatically</a>.\r\nYour certificate's private key and your Let's Encrypt (ACME) account's private key are generated and stored locally on your machine and Tailscale never sees them.</p>\n<p>It is possible to frequently request a new certificate and exceed Let's Encrypt's rate limits. As a result, you may find yourself waiting 34 hours until you can try again. For more information, refer to Let's Encrypt's <a href=\"https://letsencrypt.org/docs/rate-limits/\">rate limits documentation</a>.</p>\n<p>The certificates provided by Let's Encrypt have a 90 day expiry and require periodic renewal. When a certificate is delivered as files on disk which you then move to an install location, such as when using <code>tailscale cert</code>, the <a href=\"https://tailscale.com/docs/reference/tailscaled\"><code>tailscaled</code> daemon</a> doesn't know where to place a renewed certificate nor how to install it. So for any certificates that you create using <code>tailscale cert</code>, you are responsible for renewing the certificate.</p>\n<p>If a certificate is handled without the user initiating any file-based certificate installation, such as when using the <a href=\"https://github.com/tailscale/caddy-tailscale\">Caddy integration of Tailscale</a>, then the certificate will automatically be renewed without the user doing anything.</p>\n<h3><a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates#using-other-tls-certificates\">Using other TLS certificates</a></h3>\n<p>In addition to Let's Encrypt, <a href=\"https://caddyserver.com/\">Caddy</a> provides a way to use certificates for your tailnet machines. For details, refer to <a href=\"https://tailscale.com/docs/integrations/web-servers/caddy/caddy-certificates\">Caddy certificates on Tailscale</a>.</p>\n<p>If you are manually installing a certificate from another certificate provider, consult their documentation for how to configure the machine and how to renew the certificate.</p>\n<h2><a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates#disable-https\">Disable HTTPS</a></h2>\n<p>You can disable HTTPS for your tailnet, but this will break all links and connections that relied on HTTPS.</p>\n<p>To disable HTTPS for your tailnet:</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/dns\">DNS</a> page of the admin console.</li>\n<li>Under <strong>HTTPS Certificates</strong>, select <strong>Disable HTTPS</strong>.</li>\n</ol>\n<p>If HTTPS is disabled, the certificates for your machines are not revoked. This is so that you can re-enable the feature again for your tailnet if needed. You also cannot invalidate a certificate for a single machine.</p>\n<p>If you want to re-enable HTTPS, it will be enabled with the active <a href=\"https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name\">tailnet DNS name</a> for your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates#check-certificate-status\">Check certificate status</a></h2>\n<p>Within the Tailscale admin console, you can check the TLS certificate status for any machine in your network, provided the machine is:</p>\n<ul>\n<li>online for your tailnet</li>\n<li>running Tailscale v1.56 or later</li>\n</ul>\n<p>To check the certificate status:</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console.</li>\n<li>Find the machine whose certificate status you want to check. You can use the <a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/filter#filter-with-the-search-bar\">search bar</a> or <a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/filter\">filters</a> to find a machine.</li>\n<li>Select the machine.</li>\n<li>Check the certificate status in the <strong>TLS certificate</strong> section of the machine page.</li>\n</ol>\n<p>If a machine is offline, Tailscale will not be able to report its certificate status.</p>\n<p>The following statuses can be reported for a machine's certificate:</p>\n<ul>\n<li>Valid</li>\n<li>Invalid</li>\n<li>Certificate expired</li>\n<li>No certificate found</li>\n<li>Upgrade client to check status</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}