For the initial setup of the Tailscale derper service on Tencent Cloud, see the earlier article on that topic.

Let's Encrypt certificates are only valid for three months, so the certificate and key that derper loads expire just as quickly. To avoid renewing them by hand, this post extends the derper service configured earlier.
The first attempt was to put the copy of the certificate and key directly into derper's systemd unit so that it runs on every restart. Derper is not started as root, though, and the certificate files belong to root, so once the copy step was added derper failed with permission errors. Moving the copy step above the User= line does not help either: systemd applies User= to every Exec* command in the unit, whatever the order of the lines.

For security reasons we neither run the derper service as root nor change the owner or permissions of the website's certificate files. Under that constraint, a separate script in the personal user's own directory performs the copy of the certificate and key.
Create the script (replace <your-path> with your own path) and add the update operations:
sudo vim <your-path>/derper-cert-sync.sh

#!/bin/bash
set -e
# Copy the current Let's Encrypt certificate and key into derper's certificate
# directory, named <your-domain>.crt / <your-domain>.key as derper expects.
sudo cp "<your-path>/fullchain.pem" "<your-path>/derper/<your-domain>.crt"
sudo cp "<your-path>/privkey.pem" "<your-path>/derper/<your-domain>.key"
# Hand the copies to the unprivileged user derper runs as, and make sure the
# key is readable by that user only (cp may have inherited a looser mode).
sudo chown <derper-user>:<derper-user> "<your-path>/derper/<your-domain>.crt" "<your-path>/derper/<your-domain>.key"
sudo chmod 600 "<your-path>/derper/<your-domain>.key"
Note that every path in the script must be absolute, starting from / (for example /home/...). Relative paths and paths beginning with ~ do not work: systemd does not run the script from your home directory and does not expand ~.
When done, make the script executable.
sudo chmod +x <your-path>/derper-cert-sync.sh
Next, edit the systemd unit of the derper service.
sudo vim /etc/systemd/system/derper.service
In the [Service] section, add a line that runs the certificate sync script before the main derper command (ExecStartPre runs before ExecStart, still as the User= account):
ExecStartPre=<your-path>/derper-cert-sync.sh
Because the script runs as the derper user, its sudo calls only succeed non-interactively if that user has a passwordless sudoers rule, which should be scoped to exactly this script. Alternatively, systemd runs a single command with full privileges if its path is prefixed with + (ExecStartPre=+<your-path>/derper-cert-sync.sh), in which case the sudo inside the script is unnecessary.

With this, every restart of the derper service runs the script and picks up the current certificate. A server that is never restarted would still end up serving an expired certificate, though, so the unit also gets a maximum runtime of 30 days (RuntimeMaxSec=2592000 seconds): after that systemd stops derper, and Restart=on-failure, which treats a runtime timeout as a failure, starts it again after RestartSec seconds. The same two lines also bring derper back after a crash. Keep in mind that Let's Encrypt clients such as certbot typically renew when about 30 days of validity remain, so a 30-day restart interval leaves little margin; a shorter RuntimeMaxSec, or restarting derper from the client's renewal hook, is safer.
Restart=on-failure
RestartSec=5
RuntimeMaxSec=2592000
After saving the changes, reload systemd so that it picks up the modified unit file.
sudo systemctl daemon-reload
Finally, restart the Derper service.
sudo systemctl restart derper
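The script above does the minimum. As an added example (my code, not the author's script and not part of Tailscale), here is a hardened version of the same sync that takes its paths as arguments, refuses to install a key that does not belong to the certificate or a certificate that has already expired, writes the files under temporary names and renames them so derper never reads a half-copied key, and tightens the key's mode to 0600. It is written to run with root privileges from the unit itself, with no sudo inside, via ExecStartPre=+<your-path>/derper-cert-sync.sh <letsencrypt-dir> <your-path>/derper <your-domain> <derper-user>, where the leading + makes systemd run that one command with full privileges even though User= is set. The directory layout (fullchain.pem and privkey.pem in one source directory, <domain>.crt and <domain>.key in derper's directory) and all placeholder names are assumptions for illustration.

```bash
#!/bin/bash
# derper-cert-sync.sh (added example, not the original post's script).
# Usage: derper-cert-sync.sh <src_dir> <dest_dir> <domain> <owner>
#   src_dir  - directory holding Let's Encrypt's fullchain.pem and privkey.pem (assumed layout)
#   dest_dir - derper's certificate directory; derper looks for <domain>.crt and <domain>.key
#   domain   - the hostname derper serves, used to name the files
#   owner    - the unprivileged account derper runs as (User= in derper.service)
# Intended to run with root privileges from ExecStartPre=+..., so there is no sudo inside.
set -e

# True if the private key belongs to the certificate (identical public key).
# A mismatched pair would let derper start and then fail every TLS handshake.
cert_matches_key() {
    local cert="$1" key="$2"
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ]
}

# True if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# SHA-256 fingerprint of a certificate, to confirm source and installed copies are identical.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Install fullchain/privkey into derper's directory with tight permissions.
# Leaves dest_dir untouched and returns 1 if the pair is inconsistent or expired.
sync_derper_cert() {
    local src_dir="$1" dest_dir="$2" domain="$3" owner="$4"
    local src_cert="$src_dir/fullchain.pem" src_key="$src_dir/privkey.pem"
    local dst_cert="$dest_dir/$domain.crt" dst_key="$dest_dir/$domain.key"

    cert_matches_key "$src_cert" "$src_key" || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    cert_valid_for_days "$src_cert" 0       || { echo "fullchain.pem has already expired" >&2; return 1; }

    mkdir -p "$dest_dir"
    # Copy under temporary names first, then rename: the rename is atomic, so a
    # restarting derper never reads a half-written certificate or key.
    cp "$src_cert" "$dst_cert.tmp"
    cp "$src_key"  "$dst_key.tmp"
    chmod 644 "$dst_cert.tmp"
    chmod 600 "$dst_key.tmp"                      # only the derper user may read the key
    chown "$owner:" "$dst_cert.tmp" "$dst_key.tmp" # "user:" = that user and their login group
    mv -f "$dst_cert.tmp" "$dst_cert"
    mv -f "$dst_key.tmp"  "$dst_key"
}

# When invoked with the four arguments (for example from ExecStartPre), do the sync.
if [ "$#" -eq 4 ]; then
    sync_derper_cert "$@"
fi
```

After the restart, cert_fingerprint gives a quicker check than the browser dialog: the fingerprint of the source fullchain.pem must equal that of the installed <your-domain>.crt, and it must also equal the fingerprint of the certificate the server actually presents, which you can fetch with openssl s_client -connect <your-domain>:443 -servername <your-domain> and pipe through openssl x509 -noout -fingerprint -sha256.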
In derper's status output you can see the script being run as root and exiting once the update is done; the "session opened" and "session closed" lines are sudo entering and leaving the script.
systemctl status derper

From this point on, "Permission denied" errors no longer appear in the derper service's logs: the script handles the update with the privileges it needs, derper itself keeps running as its unprivileged user, and the two sets of permissions stay separated.
Finally, check that the runtime limit took effect. RuntimeMaxUSec should show a little over four weeks (the 30 days configured above), together with the timestamp of the current start.
systemctl show derper -p RuntimeMaxUSec -p ExecMainStartTimestamp

Opening derper's page in a browser and clicking the lock icon, then the secure-connection entry and the certificate details, shows that the certificate's validity period has been updated to the renewed certificate.



Published on July 27, 2025.
