Self-hosted networking

The hostname is part of the security model.

For self-hosted Cloud, the URL is not just a route. It is also the name the TLS certificate proves.

If your server uses Tailscale HTTPS, a .ts.net hostname may be both the reachable address and the TLS identity.

DNS: Can macOS resolve the hostname?
Route: Can the Mac reach the server and port?
TLS: Does the certificate match the hostname?

Use the certificate name

Do not silently swap a TLS hostname for a raw Tailscale IP address. The IP might route, but the certificate usually proves the hostname, not the IP.

If the certificate is for hive.example.ts.net, configure Contextify with https://hive.example.ts.net, not https://100.x.y.z.

Check the layers separately

| Layer | Command | What it tells you |
| --- | --- | --- |
| DNS | host hive.example.ts.net | Whether the hostname resolves on this Mac. |
| Tailscale state | tailscale status | Whether the Mac is connected to the tailnet. |
| HTTP health | curl -i https://hive.example.ts.net/api/v1/health | Whether the full URL is reachable and TLS succeeds. |
| Client config | contextify cloud status --json | What Contextify thinks the configured target is. |
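
One way to turn a failed health check into a layer name, as an added example that is not part of Contextify or Tailscale. It relies on curl's documented exit codes; the function names are hypothetical and 100.64.0.1 in the usage comment is a constructed sample address.

```shell
#!/bin/sh
# Added example: classify a failure of the configured URL into the three
# layers above (DNS, Route, TLS). Function names are hypothetical.

# Extract the host part of a URL (no userinfo or IPv6 literal handling).
url_host() {
  h=${1#*://}; h=${h%%/*}; printf '%s\n' "${h%%:*}"
}

# True when the host is a dotted-quad IPv4 literal such as a raw Tailscale IP.
is_ipv4_literal() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Map a curl exit status to the layer that failed.
layer_for_curl_exit() {
  case "$1" in
    0)        echo ok ;;
    6)        echo dns ;;    # could not resolve host
    7|28)     echo route ;;  # connection failed or timed out
    35|51|60) echo tls ;;    # handshake or certificate verification failed
    *)        echo other ;;
  esac
}

# Refuse IP-literal URLs up front, then let curl report which layer broke.
diagnose() {
  url=$1
  host=$(url_host "$url")
  if is_ipv4_literal "$host"; then
    echo "config: $host is an IP; use the hostname the certificate proves"
    return 2
  fi
  rc=0
  curl -s -o /dev/null --max-time 10 "$url" || rc=$?
  layer=$(layer_for_curl_exit "$rc")
  echo "$layer (curl exit $rc)"
  [ "$layer" = ok ]
}

# Usage:
#   diagnose https://hive.example.ts.net/api/v1/health
#   diagnose https://100.64.0.1/api/v1/health   # rejected before any request
```

A result of dns points at resolver state on the Mac, route at tailnet connectivity or the proxy, and tls at a mismatch between the URL and the certificate name.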

MagicDNS can break while the server is fine

VPN clients and DNS security tools can change macOS resolver state. You may be able to browse the public web while .ts.net names fail for local apps.

If Tailscale shows a DNS error such as no resolvers found, flushing the macOS DNS cache may not be enough. Reconnecting Tailscale or resetting its VPN configuration can rebuild the resolver hook.

tailscale set --accept-dns=false
tailscale set --accept-dns=true
host hive.example.ts.net

If you used a separate VPN shortly before the failure, suspect DNS resolver state before suspecting Contextify sync.

Ports and proxies

Self-hosted deployments often run the API on a loopback port such as 8443, then put HTTPS in front with Caddy or another proxy.

In that shape, clients use the HTTPS hostname without the loopback port. HTTP-only validation mode may include a port like 8444, but that is a temporary trusted-network path.

What to send support

Send the configured server URL, the sanitized latest error, whether host resolves the name, whether curl /api/v1/health works, and whether a VPN or DNS tool recently changed.

Do not send raw API keys, setup tokens, auth links, cookies, or OTP codes.

Last updated: May 30, 2026