Ship a working cert store so ssl works (tailscale updates etc) #1096

@bcomnes

A note for the community

Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.

Disclaimer

  • I have read and understood the disclaimer.
  • I plan to implement the feature myself.

Subsystem

None

Feature description

After installing tailscale following the documented procedure, I noticed that it was unable to run updates on itself with the following error:

```
fetching latest tailscale version: Get "https://pkgs.tailscale.com/stable/?mode=json&os=linux": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

The JetKVM was lacking an SSL certificate store in order to interact with https URLs and verify the secure connection.

The workaround here is to SSH into the JetKVM and install a cert store:

```sh
wget --no-check-certificate \
  -O /etc/ssl/certs/ca-certificates.crt \
  https://curl.se/ca/cacert.pem

ln -sf /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
```

Afterwards, tailscale and anything else trying to use SSL can do so successfully.

```
# tailscale update
This will update Tailscale from 1.88.1 to 1.92.3. Continue? [y/n] y
Downloading "https://pkgs.tailscale.com/stable/tailscale_1.92.3_arm.tgz"
Download size: 30592717
Downloaded 512/30592717 (0.0%)
Downloaded 6383536/30592717 (20.9%)
Downloaded 13780360/30592717 (45.0%)
Downloaded 20964896/30592717 (68.5%)
Downloaded 28026264/30592717 (91.6%)
Downloaded 30592717/30592717 (100.0%)
Downloading "https://pkgs.tailscale.com/stable/tailscale_1.92.3_arm.tgz.sig"
Signature OK
Extracting "/oem/.cache/tailscale-update/tailscale_1.92.3_arm.tgz"
Updated /userdata/tailscale/tailscale
Updated /userdata/tailscale/tailscaled
Tailscale binaries updated successfully.
Please restart tailscaled to finish the update.
```

Cert stores require periodic updates, however. Would JetKVM be willing to ship a cert store in their firmware so that users don't have to maintain the cert store?

Apologies in advance if my understanding of the situation or intention is off.
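
Because the workaround above downloads the trust store itself with certificate checks disabled, the file should be pinned to a digest obtained over a verified connection on another machine before it is installed. The following is an added example, not part of the original issue or JetKVM's firmware; the function name `install_ca_bundle`, its arguments and exit codes, and the availability of `sha256sum` on the device are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): install a CA bundle only if it matches
# a SHA-256 digest obtained out-of-band over a verified connection.
# Assumes sha256sum, grep, cut, cp and mv are available on the device.

# install_ca_bundle SRC EXPECTED_SHA256 DEST
# Returns 0 on success; non-zero (leaving DEST untouched) on any failure.
install_ca_bundle() {
    src=$1; expected=$2; dest=$3

    [ -s "$src" ] || { echo "bundle missing or empty: $src" >&2; return 1; }

    # Digest check: the download itself was unauthenticated.
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch: got $actual" >&2
        return 2
    fi

    # Sanity check: a non-zero, balanced number of PEM certificate blocks.
    # grep -c exits 1 on zero matches, so "|| true" keeps the count usable.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$src" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$src" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "not a well-formed PEM bundle ($begins begin, $ends end)" >&2
        return 3
    fi

    # Atomic replace: copy next to DEST, then rename over it, so TLS clients
    # never see a half-written trust store.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" || {
        rm -f "$tmp"; return 4
    }
}
```

Compute the expected digest on a machine with a working trust store, then pass it as the second argument on the device, with the downloaded file as the first and `/etc/ssl/certs/ca-certificates.crt` as the third.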
