Why does setWebhook return HTTP 409?

Usually the bot token already has a webhook registered elsewhere, or a previous setWebhook was not cleared. Use getWebhookInfo to confirm the URL, deleteWebhook on idle environments, then retry setWebhook from a single entry point—avoid sharing one token across multiple active nodes.

How do I debug TLS handshake timeouts when Telegram validates HTTPS?

From the public internet, run openssl s_client and time curl against your domain; verify SNI, full certificate chain, and that the edge terminates TLS correctly. After fixes, wait a few minutes and recheck getWebhookInfo.last_error_message.

Why keep long polling on a remote Mac?

No public hostname or port-443 certificate is required for a quick path—useful for PoC, strict NAT, or when you cannot yet meet Telegram-trusted TLS quality. Tradeoff: persistent outbound connections and sensitivity to RTT jitter.

Where should secret_token be validated?

At the gateway or OpenClaw ingress: reject mismatches with 401, not only log warnings. Rotate together in setWebhook and config.

Deployment Guide 2026-04-20

2026 OpenClaw Telegram: Long Polling vs Webhook on a Remote Physical Mac—HTTPS Reverse Proxy, Registration & 409/TLS Timeout Runbook (openclaw.json + FAQ)

Teams connecting OpenClaw to a Telegram Bot on a ZoneMac remote physical Mac often hesitate between long polling (getUpdates) and webhooks: the former skips public TLS; the latter is lower latency and better for 7×24. This guide gives a decision matrix, HTTPS reverse-proxy essentials, a safe setWebhook sequence, and reproducible triage for HTTP 409 and TLS handshake timeouts, with paste-ready openclaw.json structure and FAQ. For webhook auth paths and token edges, see also OpenClaw webhooks & hooks on a remote Mac gateway.

OpenClaw Telegram webhook HTTPS reverse proxy on a remote Mac

1. Introduction & scope

The Telegram Bot API delivers inbound updates via two main paths: long polling (your client calls getUpdates and holds the connection) and webhooks (Telegram POSTs to your HTTPS URL). OpenClaw needs predictable transport semantics and observable failure modes—especially when a reverse proxy fronts a remote physical Mac, where TLS, SNI, and certificate chains show up in getWebhookInfo as last_error_* fields.

This article assumes SSH access and edits to openclaw.json. Before you change transport and gateway version in the same window, align release discipline with OpenClaw global deployment comparison (2026).

2. Pain points

Underestimating public HTTPS for webhooks. Telegram expects a verifiable chain and a reachable HTTPS endpoint (commonly port 443). Self-signed certs, missing intermediates, or DNS only visible inside your LAN surface as TLS errors or silent non-delivery.
HTTP 409 is not random noise. Staging and prod sharing one bot token, or an old node never calling deleteWebhook, causes setWebhook conflicts—the root cause is registration state, not OpenClaw business logic.
Long polling is not free. Cross-border RTT and long-held connections amplify jitter; carriers may throttle. Fine for PoC; production usually returns to webhook plus a healthy edge.

3. Decision matrix: long polling vs webhook

Use this as a lightweight “architecture sign-off” for ZoneMac remote nodes.

Dimension	Long polling (getUpdates)	Webhook (HTTPS)
Public DNS & certs	Outbound-only path; usually no public hostname cert required	Requires resolvable domain + trusted chain
Latency & backpressure	Polling interval + network jitter	Event-driven; usually lower latency if the edge is stable
Connection shape	Persistent outbound, long-held	Inbound POST—pairs well with proxy timeouts & rate limits
Debug signals	Client logs, `getUpdates` errors	`getWebhookInfo` (`last_error_date`, etc.)
Typical fit	PoC, strict NAT, short experiments	Production 7×24, multiple workers, predictable latency

4. openclaw.json snippets (illustrative)

Structural example only—key names and nesting must match your OpenClaw version. Back up production files and merge manually with existing gateway and credential sections.

4.1 Telegram channel: webhook + local listener

{
  "channels": {
    "telegram": {
      "enabled": true,
      "botTokenRef": "env:TELEGRAM_BOT_TOKEN",
      "transport": "webhook",
      "webhook": {
        "publicUrl": "https://bot.example.com/openclaw/telegram/webhook",
        "path": "/openclaw/telegram/webhook",
        "secretTokenRef": "env:TELEGRAM_WEBHOOK_SECRET",
        "maxConnections": 40,
        "dropPendingUpdates": false
      },
      "localServer": {
        "bind": "127.0.0.1",
        "port": 18789,
        "readTimeoutSeconds": 30,
        "writeTimeoutSeconds": 30
      }
    }
  },
  "gateway": {
    "reverseProxy": {
      "trustedProxies": ["10.0.0.0/8"],
      "forwardedHeaders": ["X-Forwarded-For", "X-Forwarded-Proto"]
    }
  }
}

For long polling, set transport to "longPolling" (or your release’s equivalent) and supply getUpdates options such as timeout / allowed_updates; ensure Telegram no longer points a webhook at an old URL.

4.2 Reverse proxy (Caddy sketch)

# TLS terminates at the edge; proxy to 127.0.0.1:18789 on the Mac.
# Preserve Host/path consistency with OpenClaw; tune body limits per gateway guidance.

bot.example.com {
  reverse_proxy 127.0.0.1:18789 {
    header_up X-Forwarded-Proto {scheme}
    header_up X-Forwarded-For {remote_host}
  }
}

5. Seven-step runbook (remote physical Mac)

Freeze transport mode. Confirm only one active path. When switching from long polling to webhook, stop the polling process first to avoid double delivery.
Validate TLS end-to-end. From the internet, test port 443: full chain, correct SNI, and firewall rules for Telegram source ranges (per current Telegram docs).
Merge openclaw.json. cp openclaw.json openclaw.json.bak.$(date +%Y%m%d%H%M); set publicUrl, secret references, and local bind.
Clean old webhook state. getWebhookInfo → if URL is wrong, deleteWebhook → setWebhook from one place to reduce 409s.
Reload and verify process health. Reload per your distro; confirm listen port and launchd logs show no crash loops.
Positive and negative tests. Send a test message; requests with a wrong secret_token should fail fast; watch pending_update_count.
Archive. Record domain, cert renewal owner, setWebhook parameters, and rollback to long polling.

6. 409 & TLS timeout triage

Symptom	Likely cause	Action
`setWebhook` 409	Webhook already set for this token or concurrent registration	`getWebhookInfo` → retire stray entry → `deleteWebhook` → single retry
`last_error_message` mentions TLS / certificate	Incomplete chain, wrong SNI, or HTTP-only edge	`openssl s_client -connect`; fix intermediates; force HTTPS
Slow handshake, intermittent success	Cross-border RTT; short `proxy_read_timeout`	Raise edge→origin read timeout; move edge closer; avoid blocking workers
401 / 403 on webhook path	`secret_token` mismatch vs gateway	Align env vars and `setWebhook`; rotate both sides together
Delayed messages, no TLS error	Queue buildup or gateway overload	Inspect `pending_update_count`; scale workers; throttle upstream model calls

7. Citable numbers & checklist items

getUpdates long poll: timeout is typically 0–50 seconds per Bot API docs; start conservative on high-RTT links.
Local HTTP: Example 127.0.0.1:18789 stays on-loopback; the proxy owns TLS and the public face—matches SSH-first ZoneMac nodes.
Webhook concurrency: Budget maxConnections with gateway workers and upstream model QPS so the ingress does not accept faster than the core can drain.

8. FAQ

Q: Why does setWebhook return 409?
Usually another webhook is already registered for that bot token, or cleanup was skipped. Check getWebhookInfo, deleteWebhook on idle stacks, then retry setWebhook from one entry point.

Q: How do I chase TLS handshake timeouts?
Time openssl s_client and curl from outside; verify SNI and intermediates; watch HTTP/2 or edge cuts. Re-check getWebhookInfo.last_error_message after a few minutes.

Q: When is long polling still justified on a remote Mac?
When you cannot yet present Telegram-trusted TLS on a public hostname—PoC, strict NAT, or immature cert automation. You pay in persistent outbound traffic and RTT sensitivity.

Q: Where does secret_token get enforced?
At the gateway or OpenClaw ingress: mismatch → 401. Rotate in lockstep with setWebhook and config.

9. Summary & why Mac mini fits this stack

Long polling vs webhook is not about which is “newer”—it is whether you accept production-grade HTTPS and a single registration source of truth. Webhooks push observability into getWebhookInfo; long polling keeps complexity in outbound paths and process babysitting.

Running this on a ZoneMac remote physical Mac, a Mac mini M4-class node pairs low idle power (on the order of a few watts), Unix-native services, and launchd-friendly daemons with the same machine hosting reverse proxies and OpenClaw—ideal for unattended gateways. macOS hardening (Gatekeeper, SIP, FileVault) also reduces long-lived exposure angst versus a typical Windows utility host.

If you want Telegram ingress, TLS, and OpenClaw on quiet, predictable hardware, Mac mini M4 remains a strong price-to-stability entry point—get a remote physical Mac through ZoneMac and rehearse this runbook on real metal.

Limited Time Offer

Need a remote physical Mac to run OpenClaw Telegram webhooks?

ZoneMac offers high-performance Mac mini cloud rental—local listener, reverse proxy, and gateway on one box so you can reproduce openclaw.json and HTTPS runbooks end to end.

On demand Physical hardware SSH direct