relayd: support TLS with multiple listeners
tech@,
relayd with trivial config:
table <httpd> { 127.0.0.1 }
http protocol https {
tls keypair test
pass forward to <httpd>
}
relay https {
listen on egress port 443 tls
listen on egress port 444 tls
protocol https
forward to <httpd> port http
}
fails as:
relayd.conf:18: cannot load keypair test for relay https
The bug seems to be in relay_inherit(), which only runs
relay_load_certfiles(conf, rb, NULL), unconditionally; this isn't aligned
with the logic in the parser when it parses a relay block, where multiple certificates
are loaded: relay_load_certfiles(conf, rb, NULL) is called only if there are no tlscerts
(for the default host), and otherwise the keypairs are loaded.
Tested with and without a keypair in the protocol block, with one and with many listen statements.
Thoughts? OK?
Index: usr.sbin/relayd/parse.y
===================================================================
RCS file: /home/cvs/src/usr.sbin/relayd/parse.y,v
diff -u -p -r1.261 parse.y
--- usr.sbin/relayd/parse.y 3 Mar 2026 19:51:41 -0000 1.261
+++ usr.sbin/relayd/parse.y 29 Mar 2026 20:30:33 -0000
@@ -3409,6 +3409,7 @@ struct relay *
relay_inherit(struct relay *ra, struct relay *rb)
{
struct relay_config rc;
+ struct keyname *name;
struct relay_table *rta, *rtb;
bcopy(&rb->rl_conf, &rc, sizeof(rc));
@@ -3444,10 +3445,18 @@ relay_inherit(struct relay *ra, struct r
goto err;
}
- if (relay_load_certfiles(conf, rb, NULL) == -1) {
+ if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) &&
+ relay_load_certfiles(conf, rb, NULL) == -1) {
yyerror("cannot load certificates for relay %s",
rb->rl_conf.name);
goto err;
+ }
+ TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry) {
+ if (relay_load_certfiles(conf, rb, name->name) == -1) {
+ yyerror("cannot load keypair %s for relay %s",
+ name->name, rb->rl_conf.name);
+ goto err;
+ }
}
TAILQ_FOREACH(rta, &ra->rl_tables, rlt_entry) {
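Review bot: Skipping the default-certificate load whenever `tlscerts` is non-empty is the whole point of the change, but nothing in the hunk says why, so a later reader sees an unconditional load turned conditional with no rationale; a one-line comment above the new `if`, `/* Named keypairs from the protocol replace the relay's default cert; keep in sync with the relay block in the parser. */`, would carry the explanation from the description into the code. The new `TAILQ_EMPTY(&rb->rl_proto->tlscerts)` test and the `TAILQ_FOREACH` both dereference `rb->rl_proto`, which the replaced line did not touch; if a relay can reach relay_inherit() before a protocol (or the default protocol) has been assigned, this becomes a NULL dereference at config-load time, so the ordering in the relay block's closing action is worth confirming. Since the same two-step sequence now exists in the parser's relay action and here, and this bug arose from the two copies diverging, moving it into one static helper called from both places would prevent a repeat. relay_inherit() continues past the end of the hunk.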
--
wbr, Kirill