webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(tsconnect): add getCert, listenTLS, setFunnel + fix TLS cert for WASM

Browse Source 
Enable ACME TLS certificates on js/wasm by dropping the !js build tag from
cert.go and routing storage through the state store. Add getCert, listenTLS,
and setFunnel WASM bindings with a combinedTLSListener that merges Funnel
ingress and direct tailnet connections. Notify the control plane immediately
after serve config changes to accelerate Funnel DNS provisioning.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Codinget
2026-05-06 11:19:25 +00:00
parent a6b286b414
commit 9fd2f3bbf4
5 changed files with 238 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ipn/ipnlocal/cert.go
+17 -1
View File
@@ -1,7 +1,7 @@
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
//go:build !js && !ts_omit_acme
//go:build !ts_omit_acme
package ipnlocal
@@ -302,6 +302,9 @@ var errCertExpired = errors.New("cert expired")
var testX509Roots *x509.CertPool // set non-nil by tests
func (b *LocalBackend) getCertStore() (certStore, error) {
if runtime.GOOS == "js" {
return certStateStore{StateStore: b.store}, nil
}
switch b.store.(type) {
case *store.FileStore:
case *mem.Store:
@@ -333,6 +336,16 @@ func (b *LocalBackend) ConfigureCertsForTest(getCert func(hostname string) (*TLS
b.mu.Unlock()
}
// SetACMEHTTPClient sets a custom HTTP client for ACME certificate operations.
// On js/wasm, this can be used to route requests through the Tailscale network
// stack to bypass browser CORS if Let's Encrypt endpoints fail preflight.
// A nil value (the default) uses the standard http.DefaultClient.
func (b *LocalBackend) SetACMEHTTPClient(c *http.Client) {
b.mu.Lock()
defer b.mu.Unlock()
b.acmeHTTPClient = c
}
// certFileStore implements certStore by storing the cert & key files in the named directory.
type certFileStore struct {
dir string
@@ -550,6 +563,9 @@ var getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf l
if err != nil {
return nil, err
}
b.mu.Lock()
ac.HTTPClient = b.acmeHTTPClient
b.mu.Unlock()
if !isDefaultDirectoryURL(ac.DirectoryURL) {
logf("acme: using Directory URL %q", ac.DirectoryURL)