Certificate error when connecting to wss URL over Tailscale serve

[joshp123]

See screenshot.

Seems like a certificate issue. Got the clanker to diagnose, some Codex-slop is below; hopefully it helps your clanker.

Yep. Smoking gun is connection.rs (line 1041): remote WSS goes straight into RemoteAppServerClient::connect(args.clone()) at connection.rs (line 1045), but the iOS CA bundle only gets created in the local/in-process path via connection.rs (line 205), which writes cacert.pem at connection.rs (line 266) and sets SSL_CERT_FILE at connection.rs (line 277).

The exact error text in your screenshot comes from the TLS deps, not the app UI:

SSL_CERT_FILE is read at lib.rs (line 198)
the PEM file is opened at lib.rs (line 292)
"failed to read PEM from file" is attached at lib.rs (line 159)
"no native root CA certificates found" is raised at config.rs (line 88)
Pasteable version:

I tracked the iOS WSS failure to the remote-connect path: litter calls RemoteAppServerClient::connect in codex-mobile-client/src/session/connection.rs:1045, but the iOS CA bundle only gets created/set in init_ios_tls_roots in the local-only path (connection.rs:205, :266, :277). The screenshot error strings come from rustls-native-certs/lib.rs:159, :198, :292 and hyper-rustls/config.rs:88.

One caveat: current repo head does call LitterApp.swift (line 24) -> LLog.swift (line 13) to set CODEX_HOME, so the exact /Documents/cacert.pem path in the App Store build may be from an older shipped binary or a slightly different release path.