certificate issue again

thob · September 23, 2025, 4:05pm

Hi, can’t update from 2.0.8 to 2.0.9. I reinstalled ca-certificates already - still getting the error. Before I got an error regarding false hash values.

error: Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification.

Any recipe what to do? I’m on LM and Pop_OS

calmh · September 23, 2025, 5:50pm

What command is giving you that error? Give more context, please.

thob · September 23, 2025, 7:14pm

Oh sorry forgot to mention this: I simply wanted to update with the package manager, added syncthing to sources as described in the documentation. Worked till 2.0.8.

bt90 · September 23, 2025, 8:35pm

Please post your source file and the output of

sudo apt update

thob · September 23, 2025, 8:58pm

deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable-v2 ## X-Repolib-Name: syncthing # X-Repolib-ID: syncthing

apt update Get:13 ``https://apt.syncthing.net`` syncthing InRelease [24,2 kB]

w/ - -upgradeable I get syncthing/syncthing 2.0.9 amd64 [upgradable from: 2.0.8]

thob · September 24, 2025, 11:45am

I set also this preference - maybe that’s related?

printf “Package: *\nPin: origin ``apt.syncthing.net``\nPin-Priority: 990\n” | sudo tee /etc/apt/preferences.d/syncthing.pref

thob · September 26, 2025, 10:50am

Any idea what I could do, I’m still facing the issue. Thanks!

calmh · September 26, 2025, 4:10pm

You haven’t posted the output you were asked for, at least not in a way I can make sense of. That said, I would guess you just have old or lacking certificates installed. Make sure you’re running the latest version of whatever Debian/Ubuntu it is you’re running?

thob · September 26, 2025, 4:25pm

oh sorry, could you explain how to get what you need? I’m on Pop!_OS 22.04 LTS – everything is updated to the latest afaik. I reinstalled ca-certificates as well

basiliscos · September 26, 2025, 4:39pm

@thob you can try to check in command line something like

curl --tlsv1.3 -v https://discovery-lookup.syncthing.net:443/

if system certificates are OK, it should answer with 404.

thob · September 26, 2025, 7:15pm

getting

Trying 5.9.87.175:443...
* Connected to discovery-lookup.syncthing.net (5.9.87.175) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=discovery-lookup.syncthing.net
*  start date: Aug 10 11:30:30 2025 GMT
*  expire date: Nov  8 11:30:29 2025 GMT
*  subjectAltName: host "discovery-lookup.syncthing.net" matched cert's "discovery-lookup.syncthing.net"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x59dca5fd69f0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: discovery-lookup.syncthing.net
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 404 
< content-type: text/plain; charset=utf-8
< date: Fri, 26 Sep 2025 19:14:30 GMT
< retry-after: 970
< x-content-type-options: nosniff
< content-length: 10
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
Not Found
* Connection #0 to host discovery-lookup.syncthing.net left intact