How to modify the HTTPS GUI certificate?

Hi the community!

First of all, I love Syncthing and would like to thank the team behind it. Now, let’s talk about the issue I’m concerned about.

I have understood that Syncthing automatically generates HTTPS certificates for the GUI, in the https-cert.pem and https-key.pem files of the Syncthing configuration.

As it is generated, the certificate is considered a self-signed certificate. Here is the certificate I have for my Syncthing instance:

Therefore, we can see that the Organization (O) is Syncthing and the Common Name (CN) mathismsi, which is the name of my computer.

However, when browsing to https://localhost:8384, the Syncthing GUI address, the browser doesn’t recognize the certificate as it isn’t issued for the correct CN.

Moreover, when making API calls to this GUI address, which is the base URL for Syncthing API, we get the error net::ERR_CERT_COMMON_NAME_INVALID.

To conclude, how could I change the HTTPS certificate to have a valid CN for the localhost domain name? Is it possible to include it inside the Syncthing HTTPS generation? And how could I also modify the GUI HTTPS certificate in the Syncthing for Android app?

Thanks in advance for your help!


Just changing the certificate’s CN won’t do anything for multiple reasons:

  • The certificate’s common name (CN) is deprecated (since RFC 2818) and typically only included for compatibility. The Subject Alternative Name (SAN) list is what’s used in today’s browsers.
  • The browser tries to build a trust path to a trust anchor (a trusted “root” certificate). A self-signed certificate that’s not in the trust store will never be trusted.

If you want the certificate to be trusted, you have multiple options:

  • Roll your own fully-fledged certificate authority, add its root to your system trust store and generate a leaf certificate (valid for any names you like, including localhost) and use that within syncthing. There are various tools to do this (including smallstep and friends), but most of them require quite a bit of PKI expertise to be really useful.
  • Generate a local self-signed certificate valid for localhost (and/or any other names you need) and add that to your system’s trust store.

Let’s Encrypt has also written a guide about this, which mentions more details: Certificates for localhost - Let's Encrypt

For a really simple tool I would recommend mkcert. AFAIK it has automatic trust store integrations for Windows, Linux and macOS.

You can replace syncthing’s certificate by just replacing the https-* files with any other certificate and private key files.

In principle it’s the exact same for Android, though I don’t know why you would want to mess with the config there. Adding stuff to Android’s trust store is even more painful, and it doesn’t work in all scenarios.

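The two points in the reply above (names are checked against the SAN list, not the CN, and a self-signed certificate is only accepted when it is itself a trust anchor) can be seen directly with Go’s standard `crypto/x509` package, which is also what Syncthing is written in. The following is an added example, not Syncthing’s own certificate generator and not code from the reply’s author: it creates a self-signed certificate with `localhost` and `127.0.0.1` in the SAN list, writes it out under the `https-cert.pem` / `https-key.pem` names the thread mentions (the output directory is a hypothetical argument), and then verifies it the way a browser would. The CN-only variant and the “not in trust store” case are included to show why they fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// GenerateCert builds a self-signed server certificate. Names passed in
// dnsNames/ips go into the Subject Alternative Name extension, which is the
// field modern clients check; cn only fills the (legacy) Common Name.
// Returns the certificate and private key as PEM.
func GenerateCert(cn string, dnsNames []string, ips []net.IP, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial, as CAs are expected to issue.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{"Syncthing"}, CommonName: cn},
		NotBefore:             now.Add(-time.Hour), // tolerate small clock skew
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames, // SAN dNSName entries
		IPAddresses:           ips,      // SAN iPAddress entries
	}
	// Template is also the parent: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// VerifyForHost performs the same two checks a browser does on the GUI
// certificate: host must appear in the SAN list, and a chain must end at a
// root in trustPool. A self-signed certificate therefore only passes when the
// certificate itself has been added to trustPool.
func VerifyForHost(certPEM []byte, host string, trustPool *x509.CertPool) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: trustPool})
	return err
}

// WriteSyncthingFiles stores the pair under the file names Syncthing reads
// for its GUI; the private key is written owner-read-only.
func WriteSyncthingFiles(dir string, certPEM, keyPEM []byte) error {
	if err := os.WriteFile(filepath.Join(dir, "https-cert.pem"), certPEM, 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "https-key.pem"), keyPEM, 0o600)
}

func main() {
	dir := "." // hypothetical: replace with the Syncthing config directory
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	certPEM, keyPEM, err := GenerateCert("localhost", []string{"localhost"},
		[]net.IP{net.ParseIP("127.0.0.1")}, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	if err := WriteSyncthingFiles(dir, certPEM, keyPEM); err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(certPEM)
	fmt.Println("trusted + SAN localhost:", VerifyForHost(certPEM, "localhost", pool))
	fmt.Println("not in trust store:     ", VerifyForHost(certPEM, "localhost", x509.NewCertPool()))
}
```

Writing the files only replaces what Syncthing serves; the browser still rejects the connection until the certificate (or the CA that signed it) is in the client’s trust store, which is the part mkcert automates.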

Firstly, thank you for your reply. As you might have noticed, I’m not fully aware of all the details about HTTPS certificates.

I’m exploring the links you’ve provided for creating a self-signed certificate that works with localhost. Do you think that localhost could be included in Syncthing’s generated HTTPS certificate? It shouldn’t create any security issue, should it?

For the Android part, I’m searching for a solution to call the Syncthing API using HTTPS because I can’t make API calls using node’s rejectUnauthorized: false feature that lets me work around the problem. It is related to a plugin for Obsidian that I’m developing.

For more information on the issue I’m having with HTTPS, please see here: [BUG] HTTPS API request not supported - net::ERR_CERT_AUTHORITY_INVALID · Issue #102 · LBF38/obsidian-syncthing-integration · GitHub

Thanks for your help!

Tricky. You might need to roll your own certificate and add localhost as a SAN. And that’s the easy part. You’d need to add the CA to the trust store of Android and hope that Obsidian doesn’t come with its own.


Thanks for the reply, I’ll try the solution when I have more time.

Hi, I have tried on Desktop so far, and I have succeeded in making the plugin support HTTPS requests by creating my own certificate. More information here.

I’ll try soon on Android, the targeted device. Thanks for your help!

Hi, I have tried on my Android phone. It seems that I can install the custom certificate from my computer via USB connection to my phone.

The good news is that I can easily add the custom certificate to my trusted store manually.

However, Syncthing doesn’t care about the new custom one and directly recreates one.

Do you know any methods that I can use to change the config or to replace the HTTPS certificate on Android, please?

Thanks in advance for the help!
