openbsd relayd challenge

AUTHOR: Tiziano Gasparet DATE: February 26, 2026

Origin

I spent three hours staring at a syntax error.

Line 17. relayd.conf. syntax error.

I was trying to configure relayd on OpenBSD 7.8 to handle TLS and reverse proxy to my Astro site and Node.js API. On paper, simple. In practice, a nightmare of rigid parser and obscure certificate paths.

Every time I ran doas relayd -n, I got different errors. protocol defined twice. listen * inside location. last octet invalid.

I realised I was not just configuring a service. I was negotiating with an operating system that does not forgive approximations.

The Connection

Why does the Monolith archive this? Because digital sovereignty has a cost: technical complexity.

Using Vercel or Cloudflare would have been easier. One click and TLS is active. But I would have handed over traffic control to a black box.

With relayd, every byte entering port 443 passes through a configuration I wrote. I know exactly how the TLS handshake is handled. I know where the logs are. I know who can access.

The connection is structural: if I want to own my digital space, I must own the transport layer too. I cannot delegate security to third parties.

This configuration is not just code. It is a declaration of independence.

The Challenge

The inner doubt was: “Is it worth it? I could use httpd directly.”

The answer: no. httpd does not do reverse proxy to Node.js for webmentions. I need relayd.

The technical challenge was twofold:

  1. Syntax: OpenBSD 7.8 has an extremely sensitive relayd.conf parser. Wrong quotes, extra spaces, directive order.
  2. Certificates: relayd looks for certificates in specific paths. Symbolic links did not work. Permissions were too lax.

The solution came by eliminating abstractions:

  • No tls keypair in the config.
  • Physical copy of certificates to /etc/ssl/0.0.0.0.crt.
  • 600 permissions on the private key.
  • Debug with relayd -vn instead of relayd -n.

When finally netstat showed *.443 LISTEN, I understood: the difficulty was the filter. If it were easy, it would not be secure.

Peace of Mind

Now that I have written this, I have accepted the pact with OpenBSD:

  • Complexity is the price of sovereignty.
  • Syntax errors are not failures, they are course corrections.
  • The system is stable because every component was understood, not copied.

Peace of Mind comes from knowing that if the site goes down, I can bring it back up. I do not have to open a ticket. I do not have to wait for technical support.

The Monolith is not just a site. It is an operating system for my digital presence. And relayd is the gatekeeper.

Technical Note:

  • OpenBSD 7.8 requires physical certificate files, not symlinks, for relayd
  • Key path: /etc/ssl/private/0.0.0.0.key (permissions 600)
  • Cert path: /etc/ssl/0.0.0.0.crt (permissions 644)
  • Debug: doas relayd -vn (verbose check)
  • Reload: doas rcctl restart relayd
  • Trigger: if relayd fails, check private key permissions before syntax
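A relayd.conf that matches the setup in the note above, added here as an illustration and not the author's actual configuration; the backend ports 4321 and 3000, the loopback addresses and the /webmention path are assumptions:

```conf
# relayd.conf for OpenBSD 7.8: TLS on 443, Astro site and Node.js API behind it.
# Added example; ports, loopback addresses and the /webmention path are assumed.

# Backends listen on loopback only, so relayd is the sole service on 443.
table <astro> { 127.0.0.1 }
table <api>   { 127.0.0.1 }

http protocol "https" {
        # Tell the backends who the real client is and that TLS ended here.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-Proto" value "https"

        # Rules are evaluated in order and a later match overrides the
        # forward target, so the catch-all comes first and the API path last.
        match request path "/*" forward to <astro>
        match request path "/webmention*" forward to <api>

        # No "tls keypair" line: with "listen on 0.0.0.0 ... tls" relayd loads
        # /etc/ssl/0.0.0.0.crt and /etc/ssl/private/0.0.0.0.key by itself,
        # so the key must be a regular root-owned file with mode 600.
}

relay "https" {
        listen on 0.0.0.0 port 443 tls
        protocol "https"
        forward to <astro> port 4321 check tcp
        forward to <api> port 3000 check tcp
}
```

Validate with doas relayd -vn before doas rcctl restart relayd; a key with mode 644 or a symlinked certificate fails at this step, before any syntax error is reported.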
TG

Who I Am

Sovereign systems architect. I write about technology, pastry, chess, and discipline.

Did you like this article? Let's talk.

Email me: tiziano@tizianogasparet.com
Contact me on Signal: @tizianogasparet.06

The Monolith is an invitation to conversation, not a monologue.