
Tailscale - Getting "Error[Permission denied]" and receiving no md entries in .log when attempting to get certificate #346

Open
bencew opened this issue Oct 26, 2024 · 5 comments

Comments

bencew commented Oct 26, 2024

Hello,

I've followed the instructions to get a certificate for the Tailscale internal domain name on my server, however, it runs into "Error[Permission denied]" as per the server-status page. It keeps on trying and producing the same error.
edit: clarification: I'm able to access the server-status and get the error when I use my current self-signed certificate.

Admittedly, I'm new to this and at this point have no clue where to look further. But I'm sure I've missed something. Could you please help? I'm on Debian 12.

The setup:

<MDomain mydomain.ts.net>
  MDCertificateProtocol tailscale
  MDCertificateAuthority file://localhost/var/run/tailscale/tailscaled.sock
</MDomain>

<VirtualHost *:443>
  ServerName mydomain.ts.net
  MDContactEmail email@address.com
  MDCertificateAgreement accepted
  SSLEngine on
  <Location "/server-status">
    SetHandler server-status
  </Location>
</VirtualHost>

The server error log produces the following, with md:notice suspiciously missing. The terminal says md and ssl are already enabled when I try to enable them.
I can also see the md folder in /etc/apache2/, as well as md.load in /etc/apache2/mods-enabled/.

[Sat Oct 26 22:56:08.692177 2024] [ssl:warn] [pid 1147233:tid 1147233] AH10085: Init: mydomain.ts.net:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Sat Oct 26 22:56:08.695700 2024] [ssl:error] [pid 1147233:tid 1147233] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 74CF31289A7FCEA69A5A183D9CD95CB5ED4E90DD / notbefore: Oct 26 20:53:57 2024 GMT / notafter: Nov  9 20:53:57 2024 GMT]
[Sat Oct 26 22:56:08.695731 2024] [ssl:error] [pid 1147233:tid 1147233] AH02604: Unable to configure certificate mydomain.ts.net:443:0 for stapling
[Sat Oct 26 22:56:08.783796 2024] [ssl:warn] [pid 1147234:tid 1147234] AH10085: Init: mydomain.ts.net:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Sat Oct 26 22:56:08.785842 2024] [ssl:error] [pid 1147234:tid 1147234] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 74CF31289A7FCEA69A5A183D9CD95CB5ED4E90DD / notbefore: Oct 26 20:53:57 2024 GMT / notafter: Nov  9 20:53:57 2024 GMT]
[Sat Oct 26 22:56:08.785853 2024] [ssl:error] [pid 1147234:tid 1147234] AH02604: Unable to configure certificate mydomain.ts.net:443:0 for stapling

I've added the flag to the tailscaled socket with the user Apache ID: www-data.

I've read the GitHub page several times, but I'm out of my depth :(
Thank you for your time!
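As an added diagnostic (not from this issue or from mod_md), the script below checks the two things a "Permission denied" on a file:// certificate authority socket usually comes down to: the Apache user (www-data here, as in the post) needs search permission on every ancestor directory of the socket, and read/write permission on the socket itself. The socket path is taken from the MDCertificateAuthority line above; the check of the permission bits is done with stdlib calls only, and the final connect attempt runs as whatever user executes the script.

```python
import grp
import os
import pwd
import socket
import stat

def _user_groups(username: str) -> set:
    """Primary plus supplementary group ids of `username`."""
    pw = pwd.getpwnam(username)
    return {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

def user_has_perm(st: os.stat_result, username: str, want: str) -> bool:
    """Classic owner/group/other bit check; `want` is a subset of "rwx"."""
    uid = pwd.getpwnam(username).pw_uid
    if uid == 0:
        return True  # root bypasses the DAC mode bits
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in _user_groups(username) else 0
    bits = {"r": 4, "w": 2, "x": 1}
    perm = (st.st_mode >> shift) & 7
    return all(perm & bits[c] for c in want)

def diagnose_socket(path: str, username: str) -> dict:
    """Report which step blocks `username`: directory traversal, socket bits, or connect."""
    out = {"path": path, "blocked_dir": None, "is_socket": False,
           "socket_rw": False, "connect_ok": False, "error": None}
    d = os.path.dirname(os.path.abspath(path))
    # Every ancestor directory needs search (x) permission for the user.
    while True:
        if not user_has_perm(os.stat(d), username, "x"):
            out["blocked_dir"] = d
            return out
        if d == os.path.dirname(d):  # reached "/"
            break
        d = os.path.dirname(d)
    try:
        st = os.stat(path)
    except OSError as e:
        out["error"] = str(e)
        return out
    out["is_socket"] = stat.S_ISSOCK(st.st_mode)
    out["socket_rw"] = user_has_perm(st, username, "rw")
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(1.0)
            s.connect(path)  # runs as *this* process, not as `username`
        out["connect_ok"] = True
    except OSError as e:
        out["error"] = str(e)
    return out

if __name__ == "__main__":
    print(diagnose_socket("/var/run/tailscale/tailscaled.sock", "www-data"))
```

Because the connect step uses the caller's own identity, run the script as the Apache user (for example via `sudo -u www-data`) to reproduce exactly what mod_md sees; `blocked_dir` and `socket_rw` are evaluated for the named user regardless.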

bencew commented Oct 27, 2024

LogLevel md:trace1 produces the below entries. I don't really see any errors here:

[Sun Oct 27 21:09:58.550719 2024] [md:trace1] [pid 1336695:tid 1336695] mod_md.c(1245): hook ssl_add_cert_files for mydomain.com.ts.net
[Sun Oct 27 21:09:58.550798 2024] [md:debug] [pid 1336695:tid 1336695] mod_md.c(1129): AH10113: get_certificates called for vhost mydomain.com.ts.net.
[Sun Oct 27 21:09:58.550814 2024] [md:debug] [pid 1336695:tid 1336695] mod_md.c(1223): AH10077: mydomain.com.ts.net[state=0]: providing certificates for server mydomain.com.ts.net
[Sun Oct 27 21:09:58.550823 2024] [md:trace1] [pid 1336695:tid 1336695] mod_md.c(1277): hook ssl_add_fallback_cert_files for mydomain.com.ts.net
[Sun Oct 27 21:09:58.550829 2024] [md:debug] [pid 1336695:tid 1336695] mod_md.c(1129): AH10113: get_certificates called for vhost mydomain.com.ts.net.
[Sun Oct 27 21:09:58.550844 2024] [md:debug] [pid 1336695:tid 1336695] mod_md.c(1212): AH10116: mydomain.com.ts.net: providing rsa fallback certificate for server mydomain.com.ts.net
[Sun Oct 27 21:09:58.550851 2024] [ssl:warn] [pid 1336695:tid 1336695] AH10085: Init: mydomain.com.ts.net:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Sun Oct 27 21:09:58.553614 2024] [ssl:error] [pid 1336695:tid 1336695] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 74CF31289A7FCEA69A5A183D9CD95CB5ED4E90DD / notbefore: Oct 26 20:53:57 2024 GMT / notafter: Nov  9 20:53:57 2024 GMT]
[Sun Oct 27 21:09:58.553637 2024] [ssl:error] [pid 1336695:tid 1336695] AH02604: Unable to configure certificate mydomain.com.ts.net:443:0 for stapling
[Sun Oct 27 21:09:58.616370 2024] [md:trace1] [pid 1336697:tid 1336697] mod_md.c(1245): hook ssl_add_cert_files for mydomain.com.ts.net
[Sun Oct 27 21:09:58.616402 2024] [md:debug] [pid 1336697:tid 1336697] mod_md.c(1129): AH10113: get_certificates called for vhost mydomain.com.ts.net.
[Sun Oct 27 21:09:58.616418 2024] [md:debug] [pid 1336697:tid 1336697] mod_md.c(1223): AH10077: mydomain.com.ts.net[state=0]: providing certificates for server mydomain.com.ts.net
[Sun Oct 27 21:09:58.616424 2024] [md:trace1] [pid 1336697:tid 1336697] mod_md.c(1277): hook ssl_add_fallback_cert_files for mydomain.com.ts.net
[Sun Oct 27 21:09:58.616429 2024] [md:debug] [pid 1336697:tid 1336697] mod_md.c(1129): AH10113: get_certificates called for vhost mydomain.com.ts.net.
[Sun Oct 27 21:09:58.616443 2024] [md:debug] [pid 1336697:tid 1336697] mod_md.c(1212): AH10116: mydomain.com.ts.net: providing rsa fallback certificate for server mydomain.com.ts.net
[Sun Oct 27 21:09:58.616449 2024] [ssl:warn] [pid 1336697:tid 1336697] AH10085: Init: mydomain.com.ts.net:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Sun Oct 27 21:09:58.618467 2024] [ssl:error] [pid 1336697:tid 1336697] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 74CF31289A7FCEA69A5A183D9CD95CB5ED4E90DD / notbefore: Oct 26 20:53:57 2024 GMT / notafter: Nov  9 20:53:57 2024 GMT]
[Sun Oct 27 21:09:58.618493 2024] [ssl:error] [pid 1336697:tid 1336697] AH02604: Unable to configure certificate mydomain.com.ts.net:443:0 for stapling
[Sun Oct 27 21:09:58.618519 2024] [md:trace1] [pid 1336697:tid 1336697] mod_md.c(396): md[mydomain.com.ts.net]: auto add, covers name mydomain.com.ts.net

bencew commented Oct 27, 2024

I've checked the permissions on the /etc/apache2/md/ folder:

drwxr-xr-x 2 root     root 4096 okt   26 21.13 accounts
drwxr-xr-x 2 www-data root 4096 okt   26 21.13 challenges
drwxr-xr-x 3 root     root 4096 okt   26 21.48 domains
-rw-rw-rw- 1 root     root  116 okt   26 21.13 md_store.json
drwxr-xr-x 2 www-data root 4096 okt   26 21.13 ocsp
drwxr-xr-x 3 www-data root 4096 okt   27 21.10 staging

It looks strange that some folders are owned by root, and some by www-data, don't know if that's normal. I've tested making all of them owned by root and www-data each, but it didn't change anything.

icing (Owner) commented Oct 28, 2024

@bencew I believe tailscale changed their API for this. I did not have the time to follow this.

I should update the documentation on this, I guess.

icing (Owner) commented Oct 28, 2024

Updated the README.md to state that the described setup is now historical and no longer working.

bencew commented Oct 28, 2024

Hey @icing,
thanks for the quick reply! That's a bummer, I was hoping it was something on my end, and thus fixable.
