
I just set up MagicDNS and HTTPS on my Tailscale account. Then I ssh'ed into my NAS and issued a TLS certificate with:

```
sudo tailscale cert "machinename.tailnetalias.ts.net"
```

Response was:

```
Wrote private key to machinename.tailnetalias.ts.net.crt
Wrote private key to machinename.tailnetalias.ts.net.key
```

Now when I try to access the web interface of my nas via https:// in a browser, I get an error. Firefox for example says "SSL_ERROR_RX_RECORD_TOO_LONG".

What can I do about this?

schmiddl

1 Answer


The tailscale cert command doesn't know where the certificate files should be installed (it doesn't even know what you were planning to do with them). So the first question is: did you move those files somewhere to install them? If not, the certificate getting SSL_ERROR_RX_RECORD_TOO_LONG is likely some other cert file which was already there.

If the tailscale cert files did get installed, I think the next step would be to click on the lock icon in Firefox on the left side of the URL. It will have a bunch of information about the TLS connection, in particular:

  • if the certificate had something wrong with it
  • in the Technical Details section, it will say what TLS version was used (SSL2, SSL3, TLS1.0, TLS1.1, TLS1.2, TLS1.3).

The SSL_ERROR_RX_RECORD_TOO_LONG error was mostly a problem in older versions of TLS like 1.1 and before. If the TLS version is one of those, it may be necessary to figure out how to get the NAS to stop offering the older versions and only offer 1.2 and 1.3.

DGentry
  • I wasn't aware that I had to install the certificate. I thought this was done by the tailscale cert script. Thank you! In the tailscale TLS tutorial it does not state where to put the certificates. What do I have to do after getting the certificate and how can I find its location? – schmiddl Feb 13 '22 at 07:22
  • The NAS is from QNAP and I installed the tailscale package from the qnapclub repo. – schmiddl Feb 13 '22 at 07:32
  • Okay, found the certificate via ssh: `find . -name machinename.tailnetalias.ts.net`. It was saved to my user directory on the nas. – schmiddl Feb 13 '22 at 12:38
  • So I tried to import the certificate via the QNAP browser interface. Opened the security tab in the control panel and clicked on "Replace Certificate". Then on import certificate. It asks for the certificate and the private key, both of which I entered. But it says that the key is wrong. When I create the certificate and key again via the tailscale cert command, the error comes up again. – schmiddl Feb 13 '22 at 13:08
  • I found a way to make the NAS stop offering older TLS versions as you suggested: [link](https://www.qnap.com/de-de/how-to/knowledge-base/article/wish-to-disable-tls-v1-0-and-v1-1-https). But of course this doesn't solve the problem that the key generated by tailscale seems to be wrong. – schmiddl Feb 13 '22 at 14:19
  • I think the issue is QNAP only verifies RSA certificates < 2048 bits. There are various articles on how to install modern certs, like: https://forum.qnap.com/viewtopic.php?t=110557 – DGentry Feb 14 '22 at 08:12
  • Where should the cert be moved on a home server to allow access of all docker containers over HTTPS? (I just access docker containers on my NixOS box over Tailscale) – Ricky Kresslein Aug 16 '23 at 20:23
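
A check that can be run alongside the steps in the answer above, added here as an example and not code from the thread or from Tailscale: `classify_first_bytes` reads the start of a server reply as a TLS record header, which shows how a port answering in plain HTTP yields a record length above the TLS limit, and `probe` attempts a real handshake. The sample bytes are constructed, and port 443 is an assumption; use the port the NAS web interface listens on.

```python
import socket
import ssl
import struct

# Largest record body a TLS peer may send: 2^14 bytes of plaintext plus the
# 2048 bytes of expansion TLS 1.2 allows for ciphertext (RFC 5246, 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Record-layer versions; TLS 1.3 also writes (3, 3) here, so this field alone
# does not tell 1.2 and 1.3 apart.
RECORD_VERSIONS = {(3, 0): "SSL3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2/1.3"}


def classify_first_bytes(data: bytes) -> str:
    """Interpret the start of a server reply as a TLS record header (5 bytes)."""
    if len(data) < 5:
        return "short read"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if data.startswith(b"HTTP/"):
        # 'P' and '/' land in the length field: 0x502F = 20527 bytes.
        return f"plain HTTP (as a TLS header: length {length} > {MAX_RECORD_LEN})"
    if ctype not in CONTENT_TYPES or (major, minor) not in RECORD_VERSIONS:
        return "not TLS"
    if length > MAX_RECORD_LEN:
        return "TLS header with oversized length"
    return f"TLS {CONTENT_TYPES[ctype]} record, {RECORD_VERSIONS[(major, minor)]}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: try a verified handshake and report version or failure reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"handshake ok: {tls.version()}, cipher {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason}"


# Constructed sample replies (not captured from a real NAS).
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"
SAMPLE_TLS = bytes([22, 3, 3, 0, 90]) + b"\x02" * 90  # handshake record, 90 bytes

if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_HTTP))
    print(classify_first_bytes(SAMPLE_TLS))
    # print(probe("machinename.tailnetalias.ts.net"))  # hostname as in the question
```

If `probe` reports a handshake failure while the same port answers a plain `http://` request, the web interface on that port is not serving TLS at all, regardless of which certificate files exist on disk.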