NemoClaw + Telegram: Fresh install on existing OpenClaw host — multiple 403 proxy blocks due to missing node in policy binaries #391

@95256155o

Description

NemoClaw + Telegram: Fresh install on existing OpenClaw host — multiple 403 proxy blocks

Environment

  • Host: Dell laptop (Ubuntu), previously running OpenClaw services
  • Sandbox: OpenShell jl-assistant, OpenClaw 2026.3.11 (29dc654)
  • NemoClaw: 0.1.0 (installed via /opt/nemoclaw)
  • Inference: NVIDIA Cloud API (nvidia/nemotron-3-super-120b-a12b) via inference.local
  • Channel: Telegram plugin (@openclaw/telegram)
  • Proxy: OpenShell sandbox proxy at 10.200.0.1:3128 (TLS termination + binary-path allowlisting)

Summary

After setting up NemoClaw on an existing OpenClaw host, Telegram integration failed with persistent "Network request for 'deleteWebhook' failed!" errors. The inference endpoint also silently hung (the bot shows "typing" forever).

Root cause: The sandbox proxy allowlists outbound traffic by binary path, but openclaw is a Node.js script (#!/usr/bin/env node shebang). The actual binary is /usr/local/bin/node, not /usr/local/bin/openclaw. The default sandbox policy was missing /usr/local/bin/node from the relevant network policy binaries lists.

Two compounding issues had to be fixed:

  1. Telegram policy had NO binaries section at all — every other policy (nvidia, claude_code, github, etc.) had one, but telegram was missing it entirely. The proxy blocked all binaries from reaching api.telegram.org.

  2. NVIDIA policy binaries only listed openclaw and claude — since the gateway runs as node (PID shows /usr/local/bin/node via /proc/<pid>/exe), inference calls to inference.local were also blocked with 403.

Steps to Reproduce

  1. Set up NemoClaw on OpenShell sandbox with NVIDIA API
  2. Enable Telegram plugin: openclaw channels add telegram
  3. Start gateway: openclaw gateway run
  4. Send message to bot → deleteWebhook fails, or bot shows "typing" forever

Diagnosis

Confirming the proxy is the blocker

# Inside sandbox — curl uses /usr/bin/curl, not in any policy's binaries list
curl -sv https://api.telegram.org/bot<TOKEN>/getMe
# → HTTP 403 Forbidden (from proxy at 10.200.0.1:3128)

# Check what binary the gateway actually runs as
readlink /proc/<gateway-pid>/exe
# → /usr/local/bin/node    (NOT /usr/local/bin/openclaw!)

Inspecting the default policy

# On the host (not inside sandbox)
openshell sandbox get <sandbox-name>

The telegram network policy section had endpoints and rules but no binaries list:

# BROKEN — missing binaries section
telegram:
  name: telegram
  endpoints:
  - host: api.telegram.org
    port: 443
    protocol: rest
    tls: terminate
    enforcement: enforce
    rules:
    - allow:
        method: GET
        path: /bot*/**
    - allow:
        method: POST
        path: /bot*/**
  # ← no binaries! proxy blocks everything

Compare with the nvidia policy, which had a binaries list but was missing node:

nvidia:
  binaries:
  - path: /usr/local/bin/claude
  - path: /usr/local/bin/openclaw
  # ← missing /usr/local/bin/node — the actual binary that runs

Fix

Export the current policy, add node to the relevant binaries lists, and re-apply:

1. Add binaries to telegram policy

telegram:
  name: telegram
  endpoints:
  - host: api.telegram.org
    port: 443
    protocol: rest
    tls: terminate
    enforcement: enforce
    rules:
    - allow:
        method: GET
        path: /bot*/**
    - allow:
        method: POST
        path: /bot*/**
  binaries:                              # ← ADD THIS
  - path: /usr/local/bin/openclaw
  - path: /usr/local/bin/node

2. Add node to nvidia policy binaries

nvidia:
  binaries:
  - path: /usr/local/bin/claude
  - path: /usr/local/bin/openclaw
  - path: /usr/local/bin/node            # ← ADD THIS

3. Set NODE_EXTRA_CA_CERTS

The proxy does TLS termination using /etc/openshell-tls/openshell-ca.pem. Node.js needs to trust this CA:

# Inside sandbox — add to ~/.bashrc for persistence
export NODE_EXTRA_CA_CERTS=/etc/openshell-tls/openshell-ca.pem

4. Apply and restart

# On host
openshell policy set <sandbox-name> -g <gateway-name> --policy fixed-policy.yaml --wait

# Inside sandbox
kill <gateway-pid>
NODE_EXTRA_CA_CERTS=/etc/openshell-tls/openshell-ca.pem openclaw gateway run

5. Pair your Telegram user

After the first message, the bot responds with a pairing code:

openclaw pairing approve telegram <CODE>

Related Issues

Suggestion

The default NemoClaw sandbox policy template should:

  1. Include a binaries section in the telegram policy (currently missing entirely)
  2. Include /usr/local/bin/node in all policy binaries lists where openclaw is listed, since openclaw resolves to node at runtime via shebang
  3. Consider documenting the NODE_EXTRA_CA_CERTS requirement for TLS-terminating proxies

This would save users from hitting silent 403 failures that are difficult to diagnose (no error in gateway logs for the inference hang — just "typing" forever).
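A small lint for the two defects this issue describes: a policy that declares endpoints but no binaries list, and a listed script whose shebang interpreter is not itself listed. This is an added example, not part of the issue or of NemoClaw/OpenShell; the policy dict and the filesystem map are constructed to mirror the YAML above, and interpreter_of simulates the PATH lookup that /usr/bin/env performs so it reports what /proc/<pid>/exe would show.

```python
import os

# Constructed: the relevant slice of the broken default policy quoted above.
BROKEN_POLICY = {
    "telegram": {
        "endpoints": [{"host": "api.telegram.org", "port": 443}],
        # no "binaries" key at all -> the proxy has nothing to match against
    },
    "nvidia": {
        "endpoints": [{"host": "inference.local", "port": 443}],
        "binaries": [{"path": "/usr/local/bin/claude"},
                     {"path": "/usr/local/bin/openclaw"}],
    },
}

# Constructed stand-in for the sandbox filesystem: path -> leading bytes.
FS = {
    "/usr/local/bin/node": b"\x7fELF...",                    # native binary
    "/usr/local/bin/openclaw": b"#!/usr/bin/env node\n...",  # shebang script
}
PATH = ["/usr/local/bin", "/usr/bin"]


def interpreter_of(path, fs=FS, search_path=PATH):
    """Return the executable the kernel actually runs for `path` (= /proc/<pid>/exe)."""
    content = fs.get(path)
    if content is None or not content.startswith(b"#!"):
        return path                      # unknown or native: runs as itself
    argv = content.split(b"\n", 1)[0][2:].decode().split()
    if argv[0] == "/usr/bin/env":        # env re-resolves the name on PATH
        for d in search_path:
            candidate = os.path.join(d, argv[1])
            if candidate in fs:
                return interpreter_of(candidate, fs, search_path)
        raise FileNotFoundError(argv[1])
    return interpreter_of(argv[0], fs, search_path)   # direct interpreter path


def lint_policy(policy, fs=FS):
    """Report policies the proxy will reject at runtime, as described above."""
    findings = []
    for name, spec in policy.items():
        bins = [b["path"] for b in spec.get("binaries", [])]
        if spec.get("endpoints") and not bins:
            findings.append(f"{name}: endpoints but no binaries list; proxy denies all")
        for b in bins:
            real = interpreter_of(b, fs)
            if real != b and real not in bins:
                findings.append(f"{name}: {b} runs as {real}, which is not listed")
    return findings
```

Running lint_policy over the policy exported with `openshell sandbox get` (after loading the YAML into a dict) flags both problems before the gateway is started, instead of after a silent 403.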


Diagnosed and fixed by @95256155o with assistance from Claude Opus 4.6 (Anthropic).
