From 04cc836a64abe414323b3be1d037e01c68ac17a7 Mon Sep 17 00:00:00 2001 From: Nathan Sweet Date: Mon, 18 Nov 2024 00:46:08 +0100 Subject: [PATCH] Update tls.md to mention using the full cert chain --- docs/ref/tls.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/ref/tls.md b/docs/ref/tls.md index 173399e47c..23bc82a4f2 100644 --- a/docs/ref/tls.md +++ b/docs/ref/tls.md @@ -9,6 +9,8 @@ tls_cert_path: "" tls_key_path: "" ``` +The certificate should contain the full chain, else some clients, like the Tailscale Android client, will reject it. + ## Let's Encrypt / ACME To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
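Review bot: The added sentence in the docs/ref/tls.md hunk says "the certificate should contain the full chain" without saying which setting it refers to or what the chain consists of, so a reader who has a separate leaf file and intermediate file still does not know what to do. Tie it to the key shown just above and spell out the contents, for example: "The file referenced by `tls_cert_path` should contain the full certificate chain (the server certificate followed by any intermediate certificates); otherwise some clients, like the Tailscale Android client, will reject it." As a style point, "else" reads better as "otherwise" in reference documentation. It is also worth checking whether the note needs a sentence saying it applies only to the manually configured certificate, since it sits directly above the Let's Encrypt / ACME heading.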