I was trying to configure relayd for TLS acceleration when I noticed an unusual error.
Here is my /etc/relayd.conf (with actual IPs and domains replaced):

    ip4="192.0.2.1"
    ip6="2001:db8::"

    table <www> { 127.0.0.1 }
    table <bnc> { 127.0.0.1 }

    log connection

    http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        # Various TCP options
        tcp { sack, backlog 128 }
        tls { keypair example.com }
        match request header "Host" value "www.example.com" forward to <www>
    }

    relay wwwtls {
        listen on $ip4 port 443 tls
        listen on $ip6 port 443 tls
        protocol https
        forward to <www> port 8001 check icmp
    }

I set up symlinks for the SSL certs as follows:

    $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
    $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key

I then start relayd:

    $ doas relayd -dvv

and get the following errors:

    relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
    relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
    /etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443

I discovered that if I comment out the below line, line 23, relayd works:

    listen on $ip6 port 443 tls

So if I uncomment out the IPv6 listener, relayd works just fine.

If I include the IPv6 listener but create symlinks with IPv6 addresses as follows:

    $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
    $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key

Then it seems relayd also works. So I suspect relayd is ignoring the tls keypair directive for IPv6 addresses. In other words, when IPv6 is enabled, relayd appears to ignore:

    tls { keypair example.com }

Can someone verify if this is correct behavior, if I misconfigured, or if this is a bug?

jrmu