From 6275399327b2a00422aeb9399ea825c6258adcb6 Mon Sep 17 00:00:00 2001 From: Nathan Sweet Date: Mon, 18 Nov 2024 07:12:12 +0100 Subject: [PATCH] Update tls.md to mention using the full cert chain (#2243) --- docs/ref/tls.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/ref/tls.md b/docs/ref/tls.md index 173399e4..23bc82a4 100644 --- a/docs/ref/tls.md +++ b/docs/ref/tls.md @@ -9,6 +9,8 @@ tls_cert_path: "" tls_key_path: "" ``` +The certificate should contain the full chain, else some clients, like the Tailscale Android client, will reject it. + ## Let's Encrypt / ACME To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
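Review bot: The sentence added after the `tls_key_path` example says "The certificate" without tying it to `tls_cert_path`, and it does not say what "the full chain" consists of, so an operator cannot tell which file to change or what it must contain. Consider wording such as "The file referenced by `tls_cert_path` should contain the full certificate chain (the server certificate followed by its intermediate certificates); otherwise some clients, like the Tailscale Android client, will reject it." Because the sentence sits directly above the "Let's Encrypt / ACME" heading, it would also help to make clear that it applies to manually supplied certificates configured through `tls_cert_path` and `tls_key_path`.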