Provision TLS certificates for internal Tailscale services
Blog post from Tailscale
Tailscale, built on WireGuard, already encrypts connections end to end between the nodes on its network (a tailnet), but browsers still require a TLS certificate before they will treat an HTTPS URL as authentic. To address this, Tailscale now provisions TLS certificates for internal services within a tailnet through Let's Encrypt, so users no longer see browser warnings about insecure connections even though the underlying traffic was already encrypted. The feature works by generating a certificate private key and a Let's Encrypt account private key on each node, with the Tailscale client completing the DNS-01 challenges through API calls. Users on Tailscale v1.14 or later can enable it by configuring the relevant settings in the admin console and running specific commands on the nodes that need certificates, which streamlines the process of validating internal services with TLS certificates.
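As an added example (not code from the post or from Tailscale), a small Go check a node operator can run over the certificate a node obtained: it confirms the certificate actually names the node's hostname and still has enough validity left, returning true when a new one should be requested. The hostname used in the test is hypothetical, and SelfSignedPEM only builds constructed test data so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NeedsRenewal reports whether certPEM should be re-issued for host: the
// certificate must carry host as a SAN and remain valid for at least minValidity.
func NeedsRenewal(certPEM []byte, host string, minValidity time.Duration, now time.Time) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if cert.VerifyHostname(host) != nil {
		return true, nil // issued for a different name: it must be replaced
	}
	return now.Add(minValidity).After(cert.NotAfter), nil
}

// SelfSignedPEM is constructed test data so the check can run offline; it is
// not what Let's Encrypt issues for a node, only a certificate with the same fields.
func SelfSignedPEM(host string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

On a real node the PEM to check is the certificate file the Tailscale client wrote for that node, and a true result means asking the client for a fresh certificate.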