OpenBSD and Relayd fixed
I wrote recently about my OpenBSD and Relayd Woes where I was having trouble setting up a simple test page with TLS in preparation for doing the same thing for my blog so that I could relocate it to a new server at home. Well, today I figured out the problem.
tl;dr - it was a "me" error.
I had managed to get a simple "Hello World" website up using relayd and httpd and had even managed to get the acme-client to grab a certificate from LetsEncrypt, but for the life of me I couldn't figure out why I wasn't able to hit the server using HTTPS. I could see the packets arriving using tcpdump, but only half a handshake seemed to be happening and then the connection fell over.
I spent a few days going round and round in circles trying to figure out what was going on but I was lost. I threw up a quick blog post and posted a link over on Mastodon and had a few quick replies. It took me a week to get back to the problem and I spotted it almost instantly.
Where the config should have read -
relay www6tls {
	listen on ::0 port 443 tls
	protocol https
	forward to <heimdall> port 8084
}
It actually read -
relay www6tls {
	listen on ::0 port 443
	protocol https
	forward to <heimdall> port 8084
}
A small but rather important keyword was missing: "tls".
It seems if you want relayd to talk TLS, you need to ask it to.
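As an added example (my own, not part of the original post or of relayd), here is a small Python lint that catches exactly this omission before it costs a week: it scans the relay blocks of a relayd.conf, and flags any listen line on a port that should carry TLS but has no "tls" keyword. It assumes a flat config with no nested braces, and treats 443 (from the post) and, as an assumption, 8443 as TLS ports.

```python
import re
from typing import List, Tuple

# Constructed sample inputs, reproducing the two relay blocks from the post.
BROKEN_CONF = """\
relay www6tls {
	listen on ::0 port 443      # missing 'tls': relayd accepts plain TCP here
	protocol https
	forward to <heimdall> port 8084
}
"""

FIXED_CONF = """\
relay www6tls {
	listen on ::0 port 443 tls
	protocol https
	forward to <heimdall> port 8084
}
"""

# Ports expected to carry TLS. 443 is the one from the post; 8443 is an assumption.
TLS_PORTS = {443, 8443}

BLOCK_RE = re.compile(r"\brelay\s+(\S+)\s*\{(.*?)\}", re.S)
LISTEN_RE = re.compile(r"^\s*listen\s+on\s+(\S+)\s+port\s+(\d+)(.*)$", re.M)


def strip_comments(conf: str) -> str:
    """Drop '#' comments so a commented-out 'tls' is not mistaken for a real one."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def find_plaintext_tls_listeners(conf: str) -> List[Tuple[str, str, int]]:
    """Return (relay_name, address, port) for every listen line on a TLS port
    that lacks the 'tls' keyword. Without it relayd talks plain TCP on that
    port, so a client's ClientHello never gets a ServerHello back, which is
    the half-handshake the post saw in tcpdump."""
    findings = []
    for name, body in BLOCK_RE.findall(strip_comments(conf)):
        for addr, port, rest in LISTEN_RE.findall(body):
            port = int(port)
            if port in TLS_PORTS and "tls" not in rest.split():
                findings.append((name, addr, port))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, find_plaintext_tls_listeners(conf))
```

Point it at a real file with `find_plaintext_tls_listeners(open("/etc/relayd.conf").read())`; a `relayd -n` syntax check alone will not catch this, since both configs above are valid.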
Anyway, problem solved and another roadblock removed from my homelab cleanup project. No more excuses, other than Christmas preparations getting in the way.