How to know if Tailscale cert integration was attempted? #5041
Description
Trying to work out how caddy interacts with tailscale HTTPS mechanism and it's a bit of a mystery...
I have tailscale running in a kubernetes pod container. Running a tailscale cert works fine and produces cert and key file. Socket is at /tmp/tailscaled.socket by default in the sidecar.
As a test I bring the caddy binary into the container and run this to see if it interacts with socket directly:
caddy reverse-proxy --from REDCATED.REDCATED.ts.net --to localhost:3000
The logs don't indicate that they try to get a certificate via tailscale integration:
2022/09/16 04:50:01.201 WARN admin admin endpoint disabled
2022/09/16 04:50:01.201 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2022/09/16 04:50:01.201 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "proxy"}
2022/09/16 04:50:01.202 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
Caddy proxying https://REDCATED.REDCATED.ts.net -> localhost:3000
2022/09/16 04:50:01.202 INFO tls cleaning storage unit {"description": "FileStorage:/root/.local/share/caddy"}
2022/09/16 04:50:01.202 INFO tls finished cleaning storage units
2022/09/16 04:50:01.202 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00043df10"}
Trying to access from another machine in the tailnet:
➜ ~ openssl s_client -connect REDCATED.REDCATED.ts.net:443
CONNECTED(00000006)
4486270636:error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error:/System/Volumes/Data/SWE/macOS/BuildRoots/37599d3d49/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 80
4486270636:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/37599d3d49/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1663303835
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
How does one get more verbose info on the tailscale cert integration mechanism to see what it's actually doing?