First of all, I love Syncthing and would like to thank the team behind it.
Now, let’s talk about the issue I’m concerned about.
I have understood that Syncthing automatically generates HTTPS certificates for the GUI, in the https-cert.pem and https-key.pem files of the Syncthing configuration.
As it is generated, the certificate is considered as a self-signed certificate.
Here is the certificate I have for my Syncthing instance:
Therefore, we can see that the Organization (O) is Syncthing and the Common Name (CN) mathismsi, which is the name of my computer.
However, when browsing to https://localhost:8384, the Syncthing GUI address, the browser doesn’t recognize the certificate as it isn’t issued for the correct CN.
Moreover, when making API calls to this GUI address, which is the base URL for Syncthing API, we get the error net::ERR_CERT_COMMON_NAME_INVALID.
To conclude, how could I change the HTTPS certificate to have a valid CN for the localhost domain name? Is it possible to include it inside the Syncthing HTTPS generation? And how could I also modify the GUI HTTPS certificate in the Syncthing for Android app?
Just changing the certificate’s CN won’t do anything for multiple reasons:
The certificate’s common name (CN) is deprecated (since RFC 2818) and typically only included for compatibility. The Subject Alternative Name (SAN) list is what’s used in today’s browsers.
The browser tries to build a trust path to a trust anchor (a trusted “root” certificate). A self-signed certificate that’s not in the trust store will never be trusted.
If you want the certificate to be trusted, you have multiple options:
Roll your own fully-fledged certificate authority, add its root to your system trust store and generate a leaf certificate (valid for any names you like, including localhost) and use that within syncthing. There are various tools to do this (including smallstep and friends), but most of them require quite a bit of PKI expertise to be really useful.
Generate a local self-signed certificate valid for localhost (and/or any other names you need) and add that to your system’s trust store.
For a really simple tool I would recommend mkcert. AFAIK it has automatic trust store integrations for Windows, Linux and macOS.
You can replace syncthing’s certificate by just replacing the https-* files with any other certificate and private key files.
In principle it’s the exact same for Android, though I don’t know why you would want to mess with the config there. Adding stuff to Android’s trust store is even more painful, and it doesn’t work in all scenarios.
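As an added example that is not part of this thread or of Syncthing's code, the second option above in Go's standard library: a self-signed certificate whose SAN list carries the names the GUI is reached by, plus the hostname check a browser performs, which shows why a CN-only certificate is rejected. The names mathismsi, localhost and 127.0.0.1 are taken from or assumed for this thread, and the output file names match the https-* files mentioned above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"os"
	"time"
)

// generateGUICert builds a self-signed GUI certificate. Subject O/CN mirror what Syncthing's generated
// certificate carries; the SAN entries (dnsNames, ips) are what browsers and API clients compare against the URL's host.
func generateGUICert(host string, dnsNames []string, ips []net.IP) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{"Syncthing"}, CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}
// hostMatches mirrors the browser's name check: only SAN entries count, so a certificate
// that carries the name in its CN alone does not pass (Go dropped the CN fallback in 1.15).
func hostMatches(certPEM []byte, name string) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil { return false }
	cert, err := x509.ParseCertificate(block.Bytes)
	return err == nil && cert.VerifyHostname(name) == nil
}
func main() {
	// Names assumed for this thread; copy the two files over https-cert.pem and https-key.pem in the config directory.
	certPEM, keyPEM, err := generateGUICert("mathismsi", []string{"mathismsi", "localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil { panic(err) }
	_ = os.WriteFile("https-cert.pem", certPEM, 0o644)
	_ = os.WriteFile("https-key.pem", keyPEM, 0o600)
}
```

The generated certificate is still self-signed, so the browser only stops complaining about the name; trusting it still means adding it to the system trust store as described above.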
Firstly, thank you for your reply. As you might have noticed, I’m not fully aware of all the details about HTTPS certificates.
I’m exploring the links you’ve provided for creating a self-signed certificate that works with localhost. Do you think that localhost could be included in Syncthing’s generated HTTPS certificate? It shouldn’t create any security issue, should it?
For the Android part, I’m searching for a solution to call the Syncthing API using HTTPS, because I can’t make API calls using node’s rejectUnauthorized: false feature that lets me work around the problem. It is related to a plugin for Obsidian that I’m developing.
Tricky. You might need to roll your own certificate and add localhost as a SAN. And that’s the easy part. You’d need to add the CA to the trust store of Android and hope that Obsidian doesn’t come with its own.
Hi, I have tried on Desktop so far, and I have succeeded in making the plugin support HTTPS requests by creating my own certificate.
More information here.
I’ll try soon on Android, the targeted device.
Thanks for your help!