iPhone cannot establish secure connection to Tailscale Serve *.ts.net HTTPS endpoints

[felipematos]

Title: iPhone cannot establish secure connection to Tailscale Serve *.ts.net HTTPS endpoints, while same endpoints work from host/server side

Summary

On an iPhone connected to our tailnet, all HTTPS endpoints served via Tailscale Serve on a single node fail with a secure-connection / SSL protocol error. The same endpoints are reachable from the host itself and show a valid certificate and successful TLS handshake server-side.

This appears to affect all served HTTPS ports on the same node, not just one app.

What we're serving

Node hostname:

• max3.tail4f12c7.ts.net

Current tailscale serve status includes routes like:

• https://max3.tail4f12c7.ts.net -> 127.0.0.1:18789
• https://max3.tail4f12c7.ts.net:4174 -> 127.0.0.1:4174
• https://max3.tail4f12c7.ts.net:4200 -> 127.0.0.1:4200
• https://max3.tail4f12c7.ts.net:4201 -> 127.0.0.1:4201
• https://max3.tail4f12c7.ts.net:6080 -> 127.0.0.1:6080
• https://max3.tail4f12c7.ts.net:8443 -> 127.0.0.1:8443
• https://max3.tail4f12c7.ts.net:9867 -> 127.0.0.1:9867
• plus a Funnel route on :4100

Symptoms

On iPhone:

• Safari and Chrome both fail
• error presented as secure connection failure / ERR_SSL_PROTOCOL_ERROR
• all tested https://max3.tail4f12c7.ts.net[:port] endpoints fail similarly
• not limited to /auth or to a single backend service

What works

From the server/host side:

• curl to https://max3.tail4f12c7.ts.net/auth returns HTTP/2 200
• certificate validates successfully
• TLS handshake completes
• cert CN/SAN matches max3.tail4f12c7.ts.net
• issuer is Let's Encrypt

Sample server-side observations:

• /auth -> 200
• :4174 -> 200
• :4200/health -> 200
• :6080 -> 200

So the issue does not appear to be that the serve config is entirely broken or that the certificate is invalid on the server.

Troubleshooting already attempted

On the iPhone, we tried all of the following and the problem persisted:

• confirmed the device is connected to the tailnet
• disabled iCloud Private Relay
• disabled IP address tracking / IP privacy features
• tested both Safari and Chrome
• disconnected and reconnected Tailscale
• removed the iPhone from the tailnet and re-added it
• reinstalled Tailscale
• rebooted the iPhone

Also tested against multiple served ports, all failing in the same way.

Why this seems Tailscale-client-specific

• the host/server side sees valid TLS and healthy responses
• the problem reproduces across all served HTTPS endpoints on the same node from the iPhone
• re-adding the iPhone to the tailnet did not help

Question

Is there a known iPhone/iOS issue with Tailscale Serve HTTPS endpoints on *.ts.net hostnames that can produce SSL protocol / secure connection failures even when the server-side certificate and handshake are valid?

Any guidance on additional diagnostics we should gather from the iPhone/Tailscale client side would be appreciated.

[Pojay-hcz]

Same issue:

• iPhone 16 Pro with iOS 26.4.1. Ping from iPhone and to iPhone within Tailnet working.
• no subnets, ACL not touched (standard since installation)
• all you troubleshooting steps listed above done already without success
• iPadOS 26.4.1 works flawless with HTTPS

[GNSPS]

Same issue on my side.

• iPhone 17 Pro with iOS 26.4.1. Ping from iPhone and to iPhone within Tailnet working.
• no subnets, ACL not touched (standard since installation)
• all you troubleshooting steps listed above done already without success

[Pojay-hcz]

• no change after updating to iOS 26.4.2
• no difference in trying Firefox as default browser
• trying now to debug the iPhone in using the console app on MacOS 26.4.1. but even with a filter set to "error" the console window is flooded immediately with a bunch of errors. Being under-qualified I don't know what to look for. If anyone could direct me how to better set the filter criteria to narrow down what I should look for is much appreciated.

[Pojay-hcz]

Solution for my situation was

• in short: I had to uninstall another app named DNSecure (my aim with it was to send my DNS queries with DoH to a specific server)

• long version, I made several more tests for troubleshooting:

• Brave: This site can’t be reached

• Firefox: A server with the specified hostname could not be found

• ping IPv4 within Tailnet from iPhone (a-Shell app): works, no packets lost

• ping IPv4 within Tailnet to iPhone (MacOS Terminal): works, no packets lost

• ping Magic DNS within Tailnet from iPhone (a-Shell app): cannot resolve my-device.my-tailnet.ts.net: Unknown host

• ping Magic DNS within Tailnet to iPhone (MacOS Terminal): works, no packets lost

• taildrop from and to iPhone works

• iOS reboot

• tailscale app re-install

• reset keychain done

• uninstall VyprVPN app

• iPadOS 26.4.2 all tests above and connections within Tailnet working well as expected

• iOS 26.4.2 (a-Shell app): -> no cert answer

[Documents]$ curl --insecure -vvI https://my-device.my-tailnet.ts.net 2>&1 | awk ' BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
[Documents]$

• iPadOS 26.4.2 (a-Shell app): -> with cert answer

[Documents]$ curl --insecure -vvI https://my-device.my-tailnet.ts.net 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
*   SSL connection using TLSV1.3 / TLS_AES_128_GCM_SHA256
*   ALPN: server accepted http/1.1
*   Server certificate:
*   subject: CN=my-device.my-tailnet.ts.net
*   start date: Apr 2 01:22:49 2026 GMT
*   expire date: Jul 1 01:22:48 2026 GMT
*   issuer: C=US: O=Let's Encrypt: CN=E8
*   SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   using HTTP/1.1
*   TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
*   Connection #0 to host my-device.my-tailnet.ts.net left intact

The fact that I could use the ping-CMD to another IPv4 address within tailnet but not to the MagicDNS of my home server told me that it is likely a DNS problem. From here I asked Google Gemini how packet routing in iOS works with tailnet. One of the first steps was the advice to look for apps which might block the functionality named Split-DNS (which I understand as a kind of a railway switch). Since I have tried (without success) to uninstall VyprVPN my next candidate was DNSecure. Voilá!

From here onwards I will end my participation in this thread. Good luck to you to solve your problems. Cheers.