From: Mischa
Subject: Re: relayd w/ ipv6 not loading SNI certs
To: Tech
Date: Tue, 28 Apr 2026 22:23:15 +0200

It looks like it has nothing to do with v6, it's the second listen where
it goes wrong.
When splitting it into two relays, it works:

relay default_tls_v4 {
        listen on $local_v4 port 443 tls
        protocol httpsfilter
        forward to port 443
}
relay default_tls_v6 {
        listen on $local_v6 port 443 tls
        protocol httpsfilter
        forward to port 443
}

Mischa

On 2026-04-28 15:06, Mischa wrote:
> Hi All,
>
> When using SNI within relayd and have IPv6 configured, it seems it's
> still looking for 2a03:6000:xx::xx.crt and 2a03:6000:xx::xx.key.
>
> # relayd -n -vvv
> relay_load_certfiles: using certificate /etc/ssl/xxx.high5.nl.crt
> relay_load_certfiles: using private key /etc/ssl/private/xxx.high5.nl.key
> /etc/relayd.conf:62: cannot load certificates for relay default_tls2:443
>
> #
> local_v4 = "46.23.xx.xx"
> local_v6 = "2a03:6000:xx::xx"
> table { 127.0.0.1 }
> http protocol httpsfilter {
>         tcp { nodelay, sack }
>         tls keypair xxx.high5.nl
>         tls { ciphers
> "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384",
>         ecdhe "default", no client-renegotiation }
>
> relay default_tls {
>         listen on $local_v4 port 443 tls
>         listen on $local_v6 port 443 tls
>         protocol httpsfilter
>         forward to port 443
> }
> #
>
> Without "listen on $local_v6 port 443 tls" everything works like a
> charm.
>
> Mischa