The Tailscale daemon only refreshed TLS certs as a side effect of
inbound TLS handshakes or "tailscale cert" CLI calls. A node that
doesn't see inbound traffic during the renewal window silently rolls
past expiry. (e.g. some of my emergency IPMI HTTPS proxies I use like
every 6 months, and they always have expired certs)

Add a once-per-hour background loop on LocalBackend that enumerates Serve
and Funnel HTTPS hostnames (filtered against the netmap's CertDomains so
we don't poke ACME for other nodes' service hostnames) and calls the
existing GetCertPEM path. The renewal decision (ARI window, then 2/3
expiry fallback) is unchanged; the loop just guarantees it runs.

For visibility during initial issuance or restart with a long-expired
cached cert, add a "tls-cert-pending" health Warnable that's set while
ACME is in flight and no usable cached cert exists. Async renewal of a
still-valid cert intentionally doesn't fire it. And then monitor that
health warnable in the "tailscale cert" CLI command.

Fixes #19911
Fixes #19912
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Change-Id: I144e46c40e957b2e879587decace32a523a6eade
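The renewal rule and hostname filter the commit message describes, worked through as an added stand-alone example. This is illustrative code written for this page, not tailscaled's own implementation: the types `ariWindow` and `cachedCert`, the functions `shouldRenew`, `filterCertDomains` and `dueForRenewal`, and the `.example.test` hostnames are all assumptions constructed here. It shows why an hourly pass that only evaluates the existing decision is enough to stop idle nodes from rolling past expiry, and why the CertDomains filter keeps the loop from requesting certificates for hostnames that belong to other nodes.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Illustrative reimplementation of the renewal decision and hostname filter
// described in the commit message; not tailscaled's own code. All type and
// function names below are assumptions made for this example.

// ariWindow is the suggested renewal window a CA may return via ACME Renewal
// Information (ARI). A zero Start means the CA supplied no window.
type ariWindow struct {
	Start, End time.Time
}

// cachedCert is the subset of certificate state the decision needs.
type cachedCert struct {
	NotBefore, NotAfter time.Time
	ARI                 *ariWindow
}

// shouldRenew applies the two-stage rule: honour the ARI window when the CA
// gave one, otherwise renew once two thirds of the lifetime has elapsed.
// It returns the decision and a short reason suitable for logging.
func shouldRenew(now time.Time, c cachedCert) (bool, string) {
	if !now.Before(c.NotAfter) {
		return true, "expired"
	}
	if c.ARI != nil && !c.ARI.Start.IsZero() {
		if !now.Before(c.ARI.Start) {
			return true, "ari-window"
		}
		return false, "ari-not-yet"
	}
	lifetime := c.NotAfter.Sub(c.NotBefore)
	threshold := c.NotBefore.Add(lifetime * 2 / 3)
	if !now.Before(threshold) {
		return true, "two-thirds"
	}
	return false, "fresh"
}

// normalizeHost lower-cases a hostname and drops a trailing dot so that
// comparisons against the allowed list are not fooled by presentation.
func normalizeHost(h string) string {
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// filterCertDomains keeps only the Serve/Funnel hostnames that appear in
// certDomains, so the loop never asks the ACME CA about another node's
// hostname. Duplicates collapse to one entry.
func filterCertDomains(hostnames, certDomains []string) []string {
	allowed := make(map[string]bool, len(certDomains))
	for _, d := range certDomains {
		allowed[normalizeHost(d)] = true
	}
	var out []string
	seen := map[string]bool{}
	for _, h := range hostnames {
		h = normalizeHost(h)
		if allowed[h] && !seen[h] {
			seen[h] = true
			out = append(out, h)
		}
	}
	return out
}

// dueForRenewal is one pass of the hourly loop: it returns the permitted
// hostnames whose cached cert (or lack of one) calls for fetching a cert.
func dueForRenewal(now time.Time, hostnames, certDomains []string, cache map[string]cachedCert) []string {
	var due []string
	for _, h := range filterCertDomains(hostnames, certDomains) {
		c, ok := cache[h]
		if !ok {
			due = append(due, h) // nothing cached: initial issuance
			continue
		}
		if renew, _ := shouldRenew(now, c); renew {
			due = append(due, h)
		}
	}
	return due
}

func main() {
	// Constructed sample state: a 90-day cert issued at t0 for one hostname,
	// plus a second hostname that belongs to a different node.
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert := cachedCert{NotBefore: t0, NotAfter: t0.Add(90 * 24 * time.Hour)}
	cache := map[string]cachedCert{"ipmi.example.test": cert}
	hosts := []string{"ipmi.example.test", "other-node.example.test"}
	domains := []string{"ipmi.example.test"}
	for _, day := range []int{30, 61, 91} {
		now := t0.Add(time.Duration(day) * 24 * time.Hour)
		fmt.Printf("day %d: due=%v\n", day, dueForRenewal(now, hosts, domains, cache))
	}
}
```

The decision is deliberately a pure function of the clock and the cached cert, which is what makes a periodic loop safe: calling it every hour when nothing is due is a no-op, and the ARI branch means a CA-advised early renewal (for instance after a revocation event) is honoured without waiting for the 2/3 fallback.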