I recently watched this video about running the Tailscale client in a Docker container alongside another service, which allows me to access the service using my Tailscale DNS.
When I tried to use the same method with Portainer, I just got an error on the Tailscale container:
"proxy error: tls: failed to verify certificate: x509: certificate is valid for 0.0.0.0, not 127.0.0.1"
When I changed the IP in the config to 0.0.0.0, I got this error instead:
"proxy error: tls: failed to verify certificate: x509: certificate signed by unknown authority"
This is my docker-compose.yml:

version: '3.8'
services:
  portainer-ts:
    image: tailscale/tailscale:latest
    container_name: portainer-ts
    cap_add:
      - net_admin
      - sys_module
    volumes:
      - /home/sagiziv3/portainer/tailscale/state:/var/lib/tailscale
      - /home/sagiziv3/portainer/tailscale/serveconfig:/config
      - /dev/net/tun:/dev/net/tun
    environment:
      - TS_AUTHKEY=tskey-client-XXXXX-XXXXX?ephemeral=false
      - TS_EXTRA_ARGS=--advertise-tags=tag:container --reset
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_SERVE_CONFIG=/config/serve-config.json
      - TS_USERSPACE=false
    hostname: portainer
    restart: unless-stopped
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    network_mode: "service:portainer-ts"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    restart: always
volumes:
  portainer_data:

And this is the config file I use:

{
  "TCP": {
    "443": {
      "HTTPS": true
    }
  },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": {
        "/": {
          "Proxy": "https://127.0.0.1:9443"
        }
      }
    }
  }
}

My only guess is that the issue is the fact that Portainer uses HTTPS with its own certificates, and that is why Tailscale fails to create a valid certificate.
But I wasn't able to find how to disable HTTPS on Portainer...

I found that Portainer also listens to HTTP requests on port 9000, so updating the config to forward the HTTPS calls to http://127.0.0.1:9000 solved the issue.
This is the final config file:

{
  "TCP": {
    "443": {
      "HTTPS": true
    }
  },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": {
        "/": {
          "Proxy": "http://0.0.0.0:9000"
        }
      }
    }
  }
}
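
Both error strings quoted in the question are produced by Go's standard crypto/x509 verifier, and the sketch below reproduces each one separately. It is an added example, not code from the original posts or from Tailscale or Portainer; the certificate is constructed here with a single IP SAN of 0.0.0.0 to mimic the one described in the first error, and `selfSigned` and `verifyAs` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a constructed self-signed certificate whose only SAN is
// the IP address ip (assumption: this mimics the backend's certificate on 9443).
func selfSigned(ip string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs validates cert as a TLS client dialing host would, trusting only roots.
func verifyAs(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	cert, err := selfSigned("0.0.0.0")
	if err != nil {
		panic(err)
	}
	pinned := x509.NewCertPool() // trust pool containing only this certificate
	pinned.AddCert(cert)
	fmt.Println("127.0.0.1, cert pinned:", verifyAs(cert, "127.0.0.1", pinned))
	fmt.Println("0.0.0.0, empty pool:  ", verifyAs(cert, "0.0.0.0", x509.NewCertPool()))
	fmt.Println("0.0.0.0, cert pinned: ", verifyAs(cert, "0.0.0.0", pinned))
}
```

The first call fails on the SAN mismatch even though the certificate is trusted, the second fails on trust even though the address matches, and only the third passes because both conditions hold.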