// ERR_NGROK_4007
ngrok ERR_NGROK_4007 — TLS handshake failed: how to fix
ERR_NGROK_4007 fires when the TLS handshake between the visitor and the ngrok edge fails — usually a cert / SNI mismatch.
What it means
The visitor's client (browser, mobile app, curl) couldn't complete the TLS handshake with ngrok's edge. The cause is almost always SNI mismatch or a cert your account no longer has rights to.
Common causes
- You're using a custom domain whose cert needs renewing.
- Mobile app pinned a cert that ngrok rotated.
- Outbound network strips SNI (rare; corporate proxies sometimes).
How to fix it on ngrok
1. Test from a clean network
Try from your phone on cellular. If it works there, the corporate proxy is the culprit.
2. Re-issue the cert for your custom domain
ngrok dashboard → Domains → Renew.
3. Check pinned-cert apps
Update any mobile apps that pinned the previous cert.
// the same workflow on lrok
lrok terminates real Let's Encrypt certs at the edge for both *.lrok.io and verified custom domains. Cert rotation is automated; we publish current and next-up cert chains so pinned-cert apps have a renewal window.
1. Bring your own domain
lrok.io/dashboard/domains → Add domain → DNS verify (TXT + CNAME).
2. Cert is auto-issued
Let's Encrypt issues within ~90 seconds of DNS resolving. Renewals run unattended.