Tailscale SSL certs and SecuritySpy

I'm prepping for the transition to Starlink. Configured a simple Tailscale network with my Mac and an iPad. The Mac is running SecSpy.

I enabled HTTPS Certificates in the Tailscale console, then generated certs for the mac.

tailscale cert --cert-file=server.crt --key-file=server.key machinename.tail123456.ts.net

I placed those certs in:

~/Library/Application Support/SecuritySpy/server.crt

~/Library/Application Support/SecuritySpy/server.key

I removed the viewcam.me certs, and also deleted:

securityspy.crt

selfsigneddata

I launch SecSpy and access the server from the iPad browser over cellular:

https://machinename.tail123456.ts.net:8080

The login page loads on the iPad, but I get an untrusted certificate error.

When I view the cert in the browser from the iPad, the host/common name is my Mac's LAN IPv4 address, i.e. 10.0.xxx.xxx, and it shows Ben Software Ltd as the organization etc.

So it seems like SecSpy isn't loading/accessing the cert files, and is falling back to the SecSpy self-signed cert?

Permissions on the server cert files are good: 644 username:staff.

Current list of cert related files in:

/Users/username/Library/Application Support/SecuritySpy

remotepatrol.crt

remotepatrolhd.crt

securityspy.crt

selfsigneddata

sentinelpro.crt

server.crt <<<

server.key <<<

spyglass.crt

user-trust-ca.pem

le_ca.crt

idogcam.crt

Why isn't this working? 🤔

It's killing me. I can't figure it out. And I can't find any logs that help explain what might be happening.

Comments

  • Never mind... I figured it out. RSA vs ECDSA etc. etc. I made it work with Caddy.

    Ben, add me to the list of folks requesting SecSpy ECDSA support. Thank you!

  • With a virtual network solution such as Tailscale or ZeroTier, the virtual network software itself does all the encryption in the background. From the client that you are using to connect to your SecuritySpy server (e.g. the web interface in Safari, or the SecuritySpy iOS app), you use the virtual IP address provided by Tailscale/ZeroTier and port 8000, which looks like an insecure connection to the client. However, when the data is actually transferred over the Internet, Tailscale/ZeroTier will encrypt it invisibly in the background, so it's safe.

    Therefore, you don't need to do what you just did above, obtaining the certificates and providing them to SecuritySpy! This results in double-encryption, which is not harmful (beyond a bit of additional processing load on the Mac), but it is unnecessary and redundant.

    For anyone else implementing this solution, follow our instructions here: Remote Access Without Port Forwarding

  • I understand everything you wrote and yes, I'm aware that the encryption is covered by Tailscale. Nevertheless, the browser cert warning is very annoying... and... I'm paranoid.

  • Are you sure that you're seeing a browser warning when connecting to the HTTP interface on port 8000 via the Tailscale IP? I would be surprised by this - normally you would only see a browser warning when attempting an HTTPS connection on port 8001 (since the certificate won't be valid in this case).

  • My initial config after getting Tailscale up and running and certs generated was that I was still hitting SecSpy via https. That's when I wrote the first post above. I thought I could just use the Tailscale certs, throw them in the SecSpy folder, and be good to go. Then I read about SecSpy only allowing RSA certs. 😢

    Then I read up on Caddy. Caddy can handle the https connection, pointing to the tailscale certs, and relay to SecSpy on an http port. I realize this adds some technically unnecessary overhead, but I wanted to learn that anyway, having gone down this road. It works well. I used to hit SecSpy on https:8069. Now I hit Caddy on https:8069, and it relays to SecSpy on http:8070 (on the SecSpy server Mac).

    I realize I could dispense with the certs and Caddy and access SecSpy on an http port across Tailscale, but I'm not there yet in terms of my experience and trust in Tailscale. I want the video feeds SSL-encrypted everywhere the moment they leave the camera, independent of the VPN. Tailscale initially only came onto my radar as a solution in relation to solving the IPv6 issues now that I have Starlink as backup internet (but of course now I realize there's a ton of other cool use cases for Tailscale).

    I'm a bit slow, but I'm getting there... 😊
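The two comments above explain both the failure (the thread reports that tailscale cert hands out an ECDSA key while SecuritySpy only loads RSA, so it silently falls back to its self-signed cert with the LAN-IP CN) and the workaround (Caddy terminates TLS with the Tailscale files and relays to SecuritySpy over HTTP). The script below is an added example, not code from the thread, from Ben Software, Tailscale or Caddy. It checks which algorithm a PEM key uses and whether a certificate's SAN actually covers the tailnet hostname, then writes the Caddyfile for the relay. The hostname, the 8069/8070 ports and the key/cert fixtures it generates are assumptions taken from the thread; it needs the openssl CLI (OpenSSL 1.1.1 or newer for -addext).

```shell
#!/bin/sh
# Added example for the thread above; not code from the poster, Ben Software,
# Tailscale or Caddy. It answers the two questions the poster had no log for:
#   1. what key algorithm sits behind server.key (the thread reports that
#      `tailscale cert` produces an ECDSA key and that SecuritySpy loads only RSA);
#   2. whether the certificate the browser sees carries the tailnet hostname as a
#      DNS SAN (the self-signed fallback cert has only a LAN-IP CN).
# It then writes the Caddyfile for the workaround: Caddy terminates TLS with the
# Tailscale files and relays to SecuritySpy over plain HTTP on the same Mac.
# Hostname, ports and the fixtures below are assumptions; needs the openssl CLI.
set -u

# key_algorithm KEYFILE -> prints RSA, EC or UNKNOWN
key_algorithm() {
  case "$(grep -m 1 -e '-----BEGIN' "$1")" in
    *"BEGIN RSA PRIVATE KEY"*) echo RSA; return ;;  # PKCS#1
    *"BEGIN EC PRIVATE KEY"*)  echo EC;  return ;;  # SEC1
  esac
  # PKCS#8 ("BEGIN PRIVATE KEY") hides the algorithm inside DER; let openssl decode it.
  dump=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo UNKNOWN; return; }
  if printf '%s\n' "$dump" | grep -q '^modulus:'; then echo RSA
  elif printf '%s\n' "$dump" | grep -Eq 'ASN1 OID:|NIST CURVE:'; then echo EC
  else echo UNKNOWN; fi
}

# cert_covers_host CERTFILE HOST -> succeeds only if HOST is a DNS entry in the SAN
cert_covers_host() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$esc(,|[[:space:]]|\$)"
}

# securityspy_can_use KEYFILE -> succeeds only for RSA (the constraint reported in the thread)
securityspy_can_use() { [ "$(key_algorithm "$1")" = RSA ]; }

# write_caddyfile OUT HOST HTTPS_PORT HTTP_PORT CERTFILE KEYFILE
write_caddyfile() {
  printf '%s\n' \
    "# Caddy terminates TLS with the Tailscale-issued files and relays to SecuritySpy's HTTP port" \
    "https://$2:$3 {" \
    "    tls $5 $6" \
    "    reverse_proxy 127.0.0.1:$4" \
    "}" > "$1"
}

# make_fixtures DIR HOST: constructed stand-ins, NOT real Tailscale or SecuritySpy output.
#   ec.key/ec.crt   mimic `tailscale cert` (P-256 key, DNS SAN = tailnet name)
#   rsa.key/rsa.crt mimic the self-signed fallback (RSA, CN = LAN IP, no SAN)
make_fixtures() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/ec.key" -out "$1/ec.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=10.0.1.2" \
    -keyout "$1/rsa.key" -out "$1/rsa.crt" 2>/dev/null
}

main() {
  host=${1:-machinename.tail123456.ts.net}   # assumed tailnet name from the thread
  work=$(mktemp -d)
  make_fixtures "$work" "$host"
  for pair in ec rsa; do
    if cert_covers_host "$work/$pair.crt" "$host"; then san=covers; else san="does NOT cover"; fi
    printf '%s.key: %s key; %s.crt %s %s\n' \
      "$pair" "$(key_algorithm "$work/$pair.key")" "$pair" "$san" "$host"
  done
  if ! securityspy_can_use "$work/ec.key"; then
    write_caddyfile "$work/Caddyfile" "$host" 8069 8070 "$work/ec.crt" "$work/ec.key"
    echo "EC key: SecuritySpy will fall back to its own cert; front it with Caddy instead:"
    cat "$work/Caddyfile"
  fi
}
main "$@"
```

To run the checks against the real files instead of the fixtures, call the functions directly, e.g. key_algorithm "$HOME/Library/Application Support/SecuritySpy/server.key" and cert_covers_host on server.crt with your tailnet name; an UNKNOWN or a missing DNS SAN is the condition that produces exactly the browser warning described in the first post. Caddy does not need to be installed for the checks; the Caddyfile is only written.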