NTFY self-hosted connects is OK but Telegram/Molly do not receive notifications

ifman13

Hello, I am writing to you because I have been stuck for many hours and I am desperate.

Here is a brief description of my configuration:
• Ntfy running on Docker on my QNAP NAS
• Port forwarding 8888 443 in openwrt
• Server published on the internet with the URL https://domain:8888 and that same URL configured in ntfy.
• “ip_router domain” in /etc/hosts
• Server.yml from ntfy:

base-url: "https://domain:8888"
auth-default-access: "write-only"
listen-https: ":443"
key-file: "/etc/stunnel/backup.key"
cert-file: "/etc/stunnel/backup.cert"
cache-file: "/var/cache/ntfy/cache.db"
visitor-request-limit: 0
auth-default-access: "rw"
default-visibility: "public"
keepalive-interval: "60s"
manager-interval: "5m"
log-level: debug

The topics are created by Telegram/Molly and correctly connected in Ntfy. If I create a topic and enter https://dominio:8888/topic from the browser, I can send messages and Ntfy receives them, but Ntfy never receives messages from Telegram or Molly (in the UP configuration status it indicates Status: Accept).
UnifiedPush configured in Telegram and Molly, with https://dominio:8888 and unrestricted background activity.

Evidence.
• The logs show that the topics are active and the recipients are listening:

INFO Server stats (emails_received=0, emails_received_failure=0, emails_received_success=0, emails_sent=0, emails_sent_failure=0, emails_sent_success
=0, messages_cached=5, messages_published=36, subscribers=4, tag=manager, topics_active=7, users=0, visitors=2)
• curl -k https://hostname:port/json | grep -i subscriber -> get 0
• curl -k -N -H "Authorization: Bearer tu_token_si_usas" https://hostname:port/topic/json -> show json correctly
• Some suspicious traces:
INFO WebSocket error: read tcp 10.0.3.2:443-> ip_ntfy:48798: read: connection reset by peer (error=read tcp 10.0.3.2:443->ip_ntfy:48798: read: connection reset by peer, http_method=GET, http_path=/telegr/ws?since=topic, tag=websocket, visitor_auth_limiter_limit=0.016666666666666666, visitor_auth_limiter _tokens=30, visitor_id=ip:ip_ntfy, visitor_ip= ip_ntfy, visitor_messages=1, visitor_messages_limit=17280, visitor_messages_remaining=17279, visitor_request_limite r_limit=0.2, visitor_request_limiter_tokens=38.952726460400015, visitor_seen=2026-02-02T07:49:01.647Z) 2026/02/02 07:49:01 http: response.WriteHeader on hijacked connection from heckel.io/ntfy/v2/server.(*Server).handleError (server.go:437)

I don't know what else to do. The AI suggests that I configure WebSocket headers in openwrt or qnap nas, but I find it confusing and don't know if it will work.
Thank you very much for your attention and help.

de0u

ifman13 The AI suggests [...]

https://discuss.grapheneos.org/d/11951-ai-generated-text-is-forbidden-with-the-exception-of-automated-translation

Seriously, don't post LLM output (even in outline form) because you don't know whether or not it's true. People come to this forum for information that is affirmatively believed to be true; people who want LLM output of uncertain veracity can generate it in private.

ifman13

de0u However, I have not published AI-generated content. I have written it myself, attempting to summarize important information and using part of the logs obtained from the console, which I have edited to remove the most sensitive data from the network.

Nevertheless, I apologize if the content is inappropriate. I have tried to modify the thread, but I do not see how to do so.

Oggyo

de0u

ifman13 Now there is a web page, that LLMs will be trained on, suggesting something that may or may not be true, thus increasing the likelihood of LLMs making that suggestion in the future, whether or not it's true. If it's not true, then it's harmful that more LLMs will suggest it more going forward. It's not super dangerous, but it is definitely not a best practice.

ifman13 I have tried to modify the thread, but I do not see how to do so.

Unfortunately, allowing unbounded-time edits supports spammers, who can retroactively add spam to threads that have become popular.

MetropleX

I host ntfy and mollysocket and don't have any issues, just got a Signal contact to message me and I havent even opened Molly since rebooting and it arrived fine.

I run it on a VPS and behind a reverse proxy. ntfy and mollysocket containers and reverse proxy native.

What versions of everything are you running?

ifman13

MetropleX

Thank you for your reply. As I read many threads from the last few weeks with complaints about mollysocket, I thought that perhaps there was something wrong with ntfy globally.

I use the latest image of the docker container binwiederhier/ntfy hosted on my qnap nas.
I have the domain published on the internet.
Ntfy app version 1.22.2
Molly app version 7.68.5-1
Forkgram 12.3.2.0
Nagram 12.2.10
Momogram 12.2.10
(I am testing with 3 simultaneous Telegram clients with different configurations).

I think it may be some kind of network or port block. I have been testing with the Openwrt firewall, but my knowledge is more limited in this area and I have not found the solution.

MetropleX

ifman13 yeah if you were hosting elsewhere I'd have a better idea on how to help, I will say the Ntfy discord was helpful and responsive when I had a config issue baffling me when setting up.

eggy

ifman13 the only meaningful debugging you can do here is to change log levels to debug for your services and see what's going on.

ifman13

I tried to configure unified push in Element X and in the notification test, I get the following error in the Gateway field:

Fail to check the gateway https://mi_dominio:puerto/_matrix/push/v1/notify: java.security.cert.CertPathValidationException: Trust anchor for certification path not found

My certificate was generated with Let's Encrypt and the browser trusts it, but Android apps may not. Perhaps it is a problem with the intermediate certificate.

I will continue investigating tomorrow...

Translated with DeepL.com (free version)