HTTPS connection with "Warning: Potential Security Risk" or invalid certificate

I use a version of Syncthing written for Synology NAS and installed from third party packages available on Synology NAS.

Normally and without errors, I connect to the Synology NAS from Windows 10 64 bit (updated) via HTTPS:// with a string like: https://MySynoString.synology.xx:numberport/#/signin. In this case I am not receiving security warnings from the browser as the Synology security certificate is up to date and valid.

If I try to start Syncthing (installed on the Synology NAS) - setting for HTTPS:// connection - as recommended by Syncthing at the first configuration - using a string IDENTICAL to the one used to access the Synology NAS except the port number: https://MySynoString.synology.xx:8384/#

any 64-bit browser (Chrome, Edge, Firefox, Opera, Yandex - obviously all updated) gives me a warning like: “Warning: Potential Security Risk”, as if the connection was made via http:// or as if the security certificate was invalid.

Sorry for the length, I tried to be as clear as possible. On GitHub they don’t deem it to be a bug. So if it’s not a bug (defect) what is it?

Kindly, could someone help me to understand if I am doing something wrong?

Greetings…

As far as I know, most browsers have recently updated their security settings in such a way that self-signed certificates and some other certificate classes are not regarded ‘safe’ but get the warning you describe. Hence, if you can use an older version of the browser, you can check if this is the issue.

Next step: naming. In certificates, the name of the server is in the certificate. If there are name differences, the certificate mismatch can be triggered. You can check this by selecting the investigation links next to the warning message. That opens the certificate and shows the issue details.

1 Like

It has been this way since 1995 :grinning:, not sure if I would call that recently.

But yes this is generally correct.

That’s because those are different webservers. The first UI is your Synology webserver. That is probably configured with a CA-signed certificate.

The other is syncthing’s built-in webserver. This webserver also supports HTTPS, but it doesn’t have any CA-signed certificate. It instead serves a self-signed certificate by default - this gives browser warnings, as expected for self-signed certificates.

If you have a valid CA-signed certificate, you can replace the self-signed certificate from syncthing with that. In syncthing’s home folder, there are two files named https-cert.pem and https-key.pem. Those are the certificate and corresponding private key, which you can replace with different ones, if desired.

You can also put syncthing’s web UI behind a reverse proxy, that is configured with valid certificates.

1 Like

Indeed the certificate that the Synology DSM uses for its Web GUI has nothing to do with the one Syncthing presents for its own Web GUI. But you can copy the system one for use with Syncthing. I do this regularly because I have a Let’s Encrypt issued certificate for the DSM and it gets renewed every few weeks. Then it’s a manual process to copy the renewed cert to the Syncthing app folder and restart it. As that gets tedious, I created a script for it, but it requires logging in through SSH and running as root on the Synology because the system certificates are not accessible for regular users (obviously).

If that’s a procedure you would be comfortable with, I can give you the script. Probably it can be further automated, but I haven’t researched whether it can be run automatically as root.

The proper way forward would be to register the Syncthing package in the official DSM certificate manager UI. That way all the management tools (e.g. automatic creation and renewal of Let’s Encrypt certs) can also apply to Syncthing. I tried to add such integration to the SynoCommunity package, but got stuck because of incomplete or wrong documentation from Synology. Any help is welcome in that regard.

1 Like

Thanks @Nummer378, thanks @acolomb, you are kind to help me, but what you should do for me is long and boring . . . Since I also have difficulties with English, in addition to publishing the script you should also explain step-by-step how to make it work and how to do it as root. If you feel like it, I thank you and I really appreciate it. Maybe it will be useful to others as well. Greetings . . .

How To Use The DiskStation’s SSL Certificate For Syncthing

Things you need to have working first:

  • In DSM, you need to have an admin account configured. I assume it is called admin.
  • You need access to the DiskStation via SSH. This is only possible for an admin user. Make sure you can log in from your desktop / laptop computer: ssh admin@MySynoString.synology.xx and you know the password. If you’re not using the command line, try logging in with the PuTTY application for example.
  • Root access is required for the admin user. In the SSH connection, try running sudo ls and enter your password again.

Once these prerequisites are met, you can log in to the DiskStation through SSH and create the updating script:

  1. Find your Syncthing’s API key in the Web GUI under Actions → Settings.

  2. Enter the command cat > syncthing-install-cert.sh.

  3. Paste the following content, replacing the API key with your own value from the first step:

    #!/bin/sh
    # Copy the DSM system certificate into Syncthing's config folder and restart Syncthing.
    SYSTEM_CERT_DIR=/usr/syno/etc/certificate/system/default
    SYNCTHING_CONF_DIR=/usr/local/syncthing/var
    
    # Account and group the SynoCommunity package runs Syncthing under
    SYNCTHING_USER=sc-syncthing
    SYNCTHING_GROUP=syncthing
    
    # Taken from the Web GUI under Actions -> Settings
    API_KEY=InsertYourAPIKeyHere
    
    # Install certificate and private key under the file names Syncthing expects
    sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/cert.pem ${SYNCTHING_CONF_DIR}/https-cert.pem
    sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/privkey.pem ${SYNCTHING_CONF_DIR}/https-key.pem
    # The certificate is public; the private key must be readable by Syncthing only
    sudo chmod 664 ${SYNCTHING_CONF_DIR}/https-cert.pem
    sudo chmod 600 ${SYNCTHING_CONF_DIR}/https-key.pem
    sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-cert.pem
    sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-key.pem
    
    # Show the result so the new modification dates of the https-*.pem files can be checked
    sudo ls -al ${SYNCTHING_CONF_DIR}
    
    # Ask Syncthing to restart so it loads the new key pair (-k because the
    # certificate is issued for the public hostname, not for localhost)
    curl -k -X POST -H "X-API-Key: ${API_KEY}" https://localhost:8384/rest/system/restart
    
    
  4. Hit Ctrl-D to finish and write the content to the script.

  5. Make the script executable and restrict permissions: chmod 700 syncthing-install-cert.sh

  6. Try it out: ./syncthing-install-cert.sh

It should output something like this:

‘/usr/syno/etc/certificate/system/default/cert.pem’ -> ‘/usr/local/syncthing/var/https-cert.pem’
‘/usr/syno/etc/certificate/system/default/privkey.pem’ -> ‘/usr/local/syncthing/var/https-key.pem’
total 2200
drwx------ 3 sc-syncthing syncthing    4096 Sep 16 01:20 .
drwxr-xr-x 5 sc-syncthing syncthing    4096 Jul  7 13:41 ..
-rw-rw-r-- 1 sc-syncthing syncthing     619 Jan  1  2019 cert.pem
-rw------- 1 sc-syncthing syncthing   55110 Mar 24  2021 config.xml
-rw------- 1 sc-syncthing syncthing     264 Aug 16 23:08 csrftokens.txt
-rw-rw-r-- 1 sc-syncthing syncthing    1915 Aug 16 23:07 https-cert.pem
-rw------- 1 sc-syncthing syncthing    1675 Aug 16 23:07 https-key.pem
drwxr-xr-x 2 sc-syncthing syncthing    4096 Oct  8 08:03 index-v0.14.0.db
-rw------- 1 sc-syncthing syncthing     288 Jan  1  2019 key.pem
-rw-r--r-- 1 sc-syncthing syncthing     261 Aug  2  2019 options.conf
-rw-r--r-- 1 sc-syncthing syncthing     832 Aug  2  2020 syncthing_install.log
-rw-r--r-- 1 sc-syncthing syncthing 2142587 Oct 11 16:00 syncthing.log
-rw-r--r-- 1 sc-syncthing syncthing       5 Sep 16 01:20 syncthing.pid
{"ok": "restarting"}

In the file listing you can verify the modification date of the https-*.pem files. The last line is Syncthing’s response to the request to restart itself.

When you have it working once, you just need to repeat the last step no. 6 every time the system default certificate is replaced. I assume you already have that part figured out. It’s not really hard to get a certificate from Let’s Encrypt using the DSM Control Panel, once you have configured external access in your router / firewall.

Feel free to ask if you are having trouble with these instructions.

1 Like
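The following is an added example, not the script posted above and not part of the SynoCommunity package. It carries the same procedure (copy the DSM system certificate and key into Syncthing's folder, fix ownership and permissions, restart over the REST API) but adds the checks a practitioner would want before touching a production key pair: it refuses a certificate whose public key does not belong to the private key, it does nothing and does not restart Syncthing when the files are already current (so it can be run from a scheduled task without causing needless restarts), and after the restart it compares the SHA-256 fingerprint Syncthing actually serves on port 8384 with the fingerprint of the installed file, which also answers the "which certificate is the browser really seeing" question from the earlier replies. The paths, user, group and port are the ones given in this thread; `InsertYourAPIKeyHere` and the `install` argument are placeholders and conventions of this example. It is meant to be run as root in one go, e.g. `sudo sh syncthing-install-cert.sh install`, rather than with `sudo` in front of every command.

```shell
#!/bin/sh
# Added example (not the thread's script): idempotent install of the DSM system
# certificate into Syncthing, with key/cert consistency and served-cert checks.
set -eu

SYSTEM_CERT_DIR=${SYSTEM_CERT_DIR:-/usr/syno/etc/certificate/system/default}
SYNCTHING_CONF_DIR=${SYNCTHING_CONF_DIR:-/usr/local/syncthing/var}
SYNCTHING_USER=${SYNCTHING_USER:-sc-syncthing}
SYNCTHING_GROUP=${SYNCTHING_GROUP:-syncthing}
API_KEY=${API_KEY:-InsertYourAPIKeyHere}   # placeholder: take it from Actions -> Settings
GUI_URL=${GUI_URL:-https://localhost:8384}

# files_differ SRC DST: succeed when DST is missing or its bytes differ from SRC.
files_differ() {
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# cert_matches_key CERT KEY: succeed when CERT's public key is the public half
# of KEY. Installing a mismatched pair would leave Syncthing without a GUI listener.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# restart_ok RESPONSE: succeed when the REST API acknowledged the restart.
restart_ok() {
    printf '%s' "$1" | grep -q '"ok"'
}

# file_fingerprint CERT / served_fingerprint HOST:PORT: SHA-256 fingerprint in
# the colon-separated form browsers show in their certificate viewer.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
served_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

install_cert() {
    src_cert=$SYSTEM_CERT_DIR/cert.pem
    src_key=$SYSTEM_CERT_DIR/privkey.pem
    dst_cert=$SYNCTHING_CONF_DIR/https-cert.pem
    dst_key=$SYNCTHING_CONF_DIR/https-key.pem

    if ! cert_matches_key "$src_cert" "$src_key"; then
        echo "system cert.pem and privkey.pem do not belong together, refusing to install" >&2
        return 1
    fi
    if ! files_differ "$src_cert" "$dst_cert" && ! files_differ "$src_key" "$dst_key"; then
        echo "Syncthing already has the current system certificate, nothing to do"
        return 0
    fi

    # Never let the private key exist with a permissive mode, even briefly.
    umask 077
    cp --preserve=timestamps "$src_cert" "$dst_cert"
    cp --preserve=timestamps "$src_key" "$dst_key"
    chmod 644 "$dst_cert"
    chmod 600 "$dst_key"
    chown "$SYNCTHING_USER:$SYNCTHING_GROUP" "$dst_cert" "$dst_key"

    # Restart Syncthing so it loads the new key pair. -k is needed because the
    # certificate is issued for the public hostname, not for localhost.
    response=$(curl -sS -k -X POST -H "X-API-Key: $API_KEY" "$GUI_URL/rest/system/restart")
    restart_ok "$response" || { echo "restart request failed: $response" >&2; return 1; }

    # Confirm the GUI really presents the installed certificate once it is back.
    expected=$(file_fingerprint "$dst_cert")
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        sleep 2
        if [ "$(served_fingerprint "${GUI_URL#https://}" 2>/dev/null || true)" = "$expected" ]; then
            echo "Syncthing now serves certificate $expected"
            return 0
        fi
    done
    echo "Syncthing did not come back serving $expected" >&2
    return 1
}

# Only act when explicitly asked, so the functions can be sourced or tested.
case "${1:-}" in
    install) install_cert ;;
esac
```

Comparing the served fingerprint with the file's fingerprint is the same check you can do by hand from the browser's certificate viewer after the warning disappears; if the two differ, Syncthing restarted from a different folder or the copy went elsewhere, and the browser warning has nothing to do with the certificate you just installed.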

Just for reference, integrating Syncthing with DSM’s “Certificate Center” is tracked here:

2 Likes