My little corner of the interwebs

OpenBSD and Relayd woes

Published on: by Martin Pugh

2 min read

This is not a helpful post by any means, it's just me complaining about my inability to get something working that at face value appears to be simple.

As I recently mentioned here on the blog, I've been trying to cleanup and simplify my homelab setup so that it's easier to document and maintain. I recently posted (Cut Yourself Some Slack) about me having been overthinking things and that I should just get a move on, and I have been slowly in the background. I have a few internal services migrated to their new streamlined host behind my reverse proxy and they are working well so I decided yesterday it was time to turn my attention to my one and only public facing service, this blog.

Now, I knew I would have some new things to learn and on the face of it they all looked really simple but, dear reader, having spent about 5 hours last night going round and round in circles I am currently stumped.

In a broad stroke, here's what I have, with relayd and httpd running on the same OpenBSD host machine.

Public Internet >>> Home Firewall >>> OpenBSD relayd >>> OpenBSD httpd

I've set up a new temporary subdomain to test with so I can get my bearings before migrating my blog over. I only have a single public legacy IP so for the moment my test domain is only accessible over IPv6. I created a new listener in httpd.conf, added a "Hello World" web page, created a relay in relayd.conf, tested the syntax for both and restarted them and they worked for a regular http served page with a client on my LAN and using my phone on 4G. "OK, we have some progress" I thought to myself. Next up, let's get a certificate up and running. After a couple of false starts, thanks to finger trouble, the acme-client successfully downloaded a LetsEncrypt certificate and cert chain for the test domain.

Now we're talking. I grabbed one of the many example TLS sections for relayd.conf and plugged it in. The syntax check passed and I restarted relayd. A quick check from my phone on 4G and..... nothing...... "OK, what have I forgotten?" Ahhhh, yes, the web server also has a local firewall and no rule for TCP/443 traffic. OK, fixed that and retry, this time a new error.. "That's progress" I told myself, but this is where I am currently stuck.

If I run tcpdump on the server I can see the connections arriving and what looks like a TCP three way handshake and then....FIN.

This is when I started going round in circles. I've checked that the certificates look OK using OpenSSL. I checked they are in the right path and with the right names as far as every example I can find is concerned. I've rechecked the config files for both relayd and httpd and both pass with flying colours but I get nothing, nada.

Firefox throws a "really useful" error (Error code: PR_END_OF_FILE_ERROR) but none of the Mozilla examples for the cause or how to fix it match my situation.
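A check that puts a name to what the tcpdump capture above shows, added here as an example and not code from the original post: it tells a peer that closes right after the TCP handshake (the PR_END_OF_FILE_ERROR case) apart from one that speaks TLS and rejects the handshake, and reproduces the first case against a constructed local listener; the hostname `test.example` is a placeholder.

```python
import socket
import ssl
import threading

def classify_tls_endpoint(host, port, server_name, timeout=3.0):
    """Connect and try a TLS handshake; report which layer gave up:
    tcp-refused (no listener), closed-before-tls (TCP handshake done, then
    FIN/RST before any TLS record, which Firefox shows as PR_END_OF_FILE_ERROR),
    tls-rejected (peer spoke TLS but aborted the handshake), tls-ok."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only asking whether TLS is spoken at all,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is trusted
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp-refused"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return "tls-ok"
        except (ssl.SSLEOFError, ssl.SSLZeroReturnError,
                ConnectionResetError, BrokenPipeError):
            return "closed-before-tls"
        except ssl.SSLError:
            return "tls-rejected"

def _accept_then_close(listener):
    # Constructed stand-in for the symptom on the page: the kernel completes the
    # three-way handshake on accept(), then the process closes without a byte.
    conn, _ = listener.accept()
    conn.close()

def reproduce_symptom():
    """Run the classifier against a local listener that closes right after accept."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # any free loopback port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_accept_then_close, args=(listener,))
    worker.start()
    try:
        return classify_tls_endpoint("127.0.0.1", port, "test.example")
    finally:
        worker.join()
        listener.close()

if __name__ == "__main__":
    print(reproduce_symptom())  # closed-before-tls
```

Against the real host, `classify_tls_endpoint(host, 443, host)` returning `closed-before-tls` means the listener accepted the TCP connection but never sent a ServerHello, so the problem sits in what relayd does with the connection rather than in the certificate chain the browser would verify.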

It's going to be something really stupid that I've either missed or misread but 5 hours last night was enough. I threw in the towel, posted a quick toot on Mastodon in the hopes someone spots it and goes "ahhh, that's because your sprocket linkage needs colouring blue".

In the meantime, it's back to another work day at $dayjob and maybe, just maybe, thinking about something else for a while will help fix the problem.