ipn/ipnlocal: add c2n method to check on TLS cert fetch status

So the control plane can delete TXT records more aggressively
after client's done with ACME fetch.

Updates tailscale/corp#15848

Change-Id: I4f1140305bee11ee3eee93d4fec3aef2bd6c5a7e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

tailcfg/c2ntypes.go

@@ -75,3 +75,26 @@ type C2NAppConnectorDomainRoutesResponse struct {
 	// to a list of resolved IP addresses.
 	Domains map[string][]netip.Addr
 }
+
+// C2NTLSCertInfo describes the state of a cached TLS certificate.
+type C2NTLSCertInfo struct {
+	// Valid means that the node has a cached and valid (not expired)
+	// certificate.
+	Valid bool `json:",omitempty"`
+	// Error is the error string if the certificate is not valid. If error is
+	// non-empty, the other booleans below might say why.
+	Error string `json:",omitempty"`
+
+	// Missing is whether the error string indicates a missing certificate
+	// that's never been fetched or isn't on disk.
+	Missing bool `json:",omitempty"`
+
+	// Expired is whether the error string indicates an expired certificate.
+	Expired bool `json:",omitempty"`
+
+	NotBefore string `json:",omitempty"` // RFC3339, if Valid
+	NotAfter  string `json:",omitempty"` // RFC3339, if Valid
+
+	// TODO(bradfitz): add fields for whether an ACME fetch is currently in
+	// process and when it started, etc.
+}

tailcfg/tailcfg.go

@@ -120,7 +120,8 @@ type CapabilityVersion int
 //   - 77: 2023-10-03: Client understands Peers[].SelfNodeV6MasqAddrForThisPeer
 //   - 78: 2023-10-05: can handle c2n Wake-on-LAN sending
 //   - 79: 2023-10-05: Client understands UrgentSecurityUpdate in ClientVersion
-const CurrentCapabilityVersion CapabilityVersion = 79
+//   - 80: 2023-11-16: can handle c2n GET /tls-cert-status
+const CurrentCapabilityVersion CapabilityVersion = 80
 
 type StableID string