Reverse proxy stopped working after initially working fine on NetBird Cloud — ERR_SSL_PROTOCOL_ERROR

[Ari-03]

Describe the problem

I am using NetBird Cloud and the new reverse proxy feature. When it was first released, my reverse proxies worked fine for about the first week or so. After that, they started failing without any intentional changes on my side.

Now, when I try to access the proxied service in the browser, I get ERR_SSL_PROTOCOL_ERROR.

The browser shows: “This site can’t provide a secure connection” and says the host sent an invalid response.

I did not change the reverse proxy configuration, certificates, DNS, or the backend service after it was working. It appears something changed over time, but I am not sure what.

Can you help me figure out what might have caused this and how to fix it?

To Reproduce

1. Set up a reverse proxy using NetBird Cloud
2. Access the proxied service through the configured public hostname
3. Open the site in the browser
4. See ERR_SSL_PROTOCOL_ERROR

Expected behavior

The reverse proxied service should load normally over HTTPS, as it did previously when the reverse proxy was first set up.

Are you using NetBird Cloud?

Yes, NetBird Cloud.

NetBird version

0.66.4

Is any other VPN software installed?

No.

Is any other VPN software installed?

If yes, which one?

Debug output

netbird status -dA
Peers detail:
 google-tv.netbird.cloud:
  NetBird IP: 100.110.8.45
  Public key: HaIruEBd814DSgthlPWZwlUiF9VrXepeZR8YUh60WgA=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 aritras-macbook-pro.netbird.cloud:
  NetBird IP: 100.110.99.94
  Public key: AS4rj4p/Vx4xNTFFxsK+SIMtGqR20kmWJJiLnNg2mmE=
  Status: Connecting
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 6 hours, 42 minutes ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 amazon-fire-tv-4k-max.netbird.cloud:
  NetBird IP: 100.110.127.214
  Public key: gDpZT/d57p8/w10wneFp7QvMzPddPwBQnm9GThoGclA=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 ipad-d.netbird.cloud:
  NetBird IP: 100.110.132.18
  Public key: I6jX/tDNPewbtbKcWkuiHDFa/0iI/3j4PiaNt0pXGgw=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 iphone-esa.netbird.cloud:
  NetBird IP: 100.110.173.152
  Public key: vR37EPLopehbpM7JULOXfZ6oI8Xies874PXtP/v/PnE=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 iphone-d.netbird.cloud:
  NetBird IP: 100.110.179.0
  Public key: qaw2F3nHsVqzxxdTh1HS6jb/FutSIYM7cT199OnTKC4=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 iphone-angs75.netbird.cloud:
  NetBird IP: 100.110.195.132
  Public key: fNQ5XuiAraR/8PC1u2eut6BU03JvomRwOXc1reesGgo=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 proxy-d6so9v3l0ubs738vklrg-201-219.netbird.cloud:
  NetBird IP: 100.110.201.219
  Public key: d9w1KI1FoN4XWG4wbk+ioChmQMxhn25UEhGFBKRpRzw=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 proxy-d6so9uqfadhs73avc6ag-203-222.netbird.cloud:
  NetBird IP: 100.110.203.222
  Public key: O3Go6QAtjwHN7MY1PJubzubh1iFFS0BNVXD3+Huj7nw=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

Events:
  [INFO] SYSTEM (f41b3919-80e9-4386-8f9f-f95f7a732efd)
    Message: Network map updated
    Time: 8 hours, 14 minutes ago
  [INFO] SYSTEM (eaf3ad3b-6262-4b9c-8514-5af91987ce9b)
    Message: Network map updated
    Time: 4 hours, 51 minutes ago
  [INFO] SYSTEM (b730ec3b-c48d-4cfd-adb4-264c39ca7a81)
    Message: Network map updated
    Time: 1 hour, 12 minutes ago
  [INFO] SYSTEM (c2464705-d722-42d3-ae6e-3af8e873e7e8)
    Message: Network map updated
    Time: 26 minutes, 36 seconds ago
  [INFO] SYSTEM (1ca7d1f7-f6c7-4139-9658-135f36410d77)
    Message: Network map updated
    Time: 26 minutes, 35 seconds ago
  [INFO] SYSTEM (0d1c4d2d-5e6d-49d2-976a-b5d96b9584f7)
    Message: Network map updated
    Time: 26 minutes, 33 seconds ago
  [INFO] SYSTEM (e5e1357d-a656-4537-ae59-5bd6360876e6)
    Message: Network map updated
    Time: 16 minutes, 33 seconds ago
  [INFO] SYSTEM (044f250a-1081-4166-bc4f-820b3f64e3c8)
    Message: Network map updated
    Time: 16 minutes, 13 seconds ago
OS: linux/amd64
Daemon version: 0.66.4
CLI version: 0.66.4
Profile: default
Management: Connected to https://api.netbird.io:443
Signal: Connected to https://signal.netbird.io:443
Relays: 
  [stun:stun.netbird.io:443] is Available
  [stun:stun.netbird.io:5555] is Available
  [turns:turn.netbird.io:443?transport=tcp] is Available
  [rels://streamline-us-sjo1-1.relay.netbird.io:443] is Available
Nameservers: 
FQDN: pve-routing-peer.netbird.cloud
NetBird IP: 100.110.125.225/16
Interface type: Kernel
Quantum resistance: false
Lazy connection: true
SSH Server: Disabled
Networks: 192.168.4.0/22
Peers count: 0/9 Connected

Screenshots

Additional context

Add any other context about the problem here.

Have you tried these troubleshooting steps?

• Reviewed client troubleshooting (if applicable)
• Checked for newer NetBird versions
• Searched for similar issues on GitHub (including closed ones)
• Restarted the NetBird client
• Disabled other VPN software
• Checked firewall settings

[glitchsys]

On the Reverse Proxy/Services section, what do you see for the status of the certificate? Did it actually issue or maybe recently renew an SSL certificate from Letsencrypt?

[Ari-03]

It is strange, I did nothing but the issue is gone