Is the tls API definition the only API you’ve loaded into Tyk?
Because I think we have a bug where if that’s the only API then the gateway behaves strangely. As you said the hello and reload endpoints would also require a cert.
Could you try adding another API that is not using mTLS. If that doesn’t work then try removing the mTLS API, add a non-MTLS dummy API and then re-add the mTLS API.
Let us know how it goes.