Relay tunnel TLS certificate never provisions — "Waiting for trusted TLS certificate" indefinitely #503

@eatinhamson

Environment

  • hapi version: 0.16.7 (latest)
  • OS: macOS (Apple Silicon)
  • Tunnel binary: tunwg (bundled)

Problem

The hub starts fine with --relay and tunwg successfully connects to relay.hapi.run, receiving a subdomain assignment:

[Tunnel] 2026/04/19 16:29:16 tunwg: http://localhost:3006 <= https://4a2pcn2nq4lay4c4.relay.hapi.run

However, the TLS certificate for the subdomain never provisions. The log loops indefinitely with:

[Tunnel] Waiting for trusted TLS certificate...
[Tunnel] 2026/04/19 16:29:00 tunwg: initiating handshake to server
[Tunnel] Waiting for trusted TLS certificate...

The root domain relay.hapi.run has valid TLS. The subdomain does not — curl confirms:

$ curl -sv https://4a2pcn2nq4lay4c4.relay.hapi.run/health
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 4a2pcn2nq4lay4c4.relay.hapi.run:443

Impact

  • The PWA (phone) shows "Failed to fetch" on every interaction since it can't establish HTTPS to the hub
  • Push notifications still work (they use VAPID/web-push, bypassing the tunnel)
  • Hub is fully functional on localhost — only the relay tunnel is broken
  • Multiple hub restarts produce the same subdomain and the same stuck state

Steps to Reproduce

  1. Install hapi 0.16.7
  2. Run hapi hub --relay
  3. Observe Waiting for trusted TLS certificate... looping in stdout
  4. Attempt to curl the assigned *.relay.hapi.run subdomain — SSL_ERROR_SYSCALL

Expected Behavior

The relay should provision a valid TLS certificate for the assigned subdomain so the PWA can connect over HTTPS.
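
The curl output above reports a socket-level failure during the handshake, which is a different state from a certificate that is served but not trusted. As an added example (not part of the original issue or of the hapi or tunwg code), this Python sketch separates those cases; `probe_tls` and `closing_listener` are hypothetical names, and the listener is a constructed local peer standing in for an endpoint that drops the connection before serving any certificate.

```python
import socket
import ssl
import threading


def probe_tls(host, port=443, server_name=None, timeout=5.0):
    """Classify what a client sees when it tries TLS against host:port."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # TCP itself failed: nothing is listening
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name or host):
            return "trusted"  # chain and hostname both verified
    except ssl.SSLCertVerificationError:
        return "untrusted_cert"  # a certificate was served but rejected
    except OSError:
        # Covers ssl.SSLError, resets and EOF: the handshake ended
        # without any certificate verdict.
        return "handshake_aborted"
    finally:
        sock.close()


def closing_listener():
    """Constructed local peer: accepts one connection, drops it at once."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Placeholder server name; the connection goes to the local listener only.
    print(probe_tls("127.0.0.1", closing_listener(), "tunnel.example.invalid"))
```

Pointing `probe_tls` at the assigned subdomain and at the root relay domain in turn shows whether the two differ at the TCP, handshake or trust stage.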
