Letsencrypt Certs name change

okay. it seems that syncthing is using /volume1/@appdata/syncthing as its “var” directory. here is a listing of that directory:

sh-4.4# ls -al /volume1/@appdata/syncthing/
total 92
drwx------ 3 sc-syncthing sc-syncthing 4096 Nov 16 06:24 .
drwxr-xr-x 25 root root 4096 Sep 7 07:53 ..
-rw-r--r-- 1 sc-syncthing syncthing 794 Nov 16 06:23 cert.pem
-rw-r--r-- 1 sc-syncthing syncthing 794 Nov 16 05:38 cert.pem.bak
-rw------- 1 sc-syncthing syncthing 6409 Nov 16 06:19 config.xml
-rw------- 1 sc-syncthing syncthing 99 Nov 16 06:24 csrftokens.txt
-rw-rw-r-- 1 sc-syncthing syncthing 1557 Nov 16 05:31 https-cert.pem
-rw------- 1 sc-syncthing syncthing 241 Nov 16 05:31 https-key.pem
drwxr-xr-x 2 sc-syncthing syncthing 4096 Nov 16 06:24 index-v0.14.0.db
-rw------- 1 sc-syncthing syncthing 288 Nov 16 06:23 key.pem
-rw------- 1 sc-syncthing syncthing 288 Nov 16 05:38 key.pem.bak
-rw-r--r-- 1 sc-syncthing syncthing 208 Jun 19 13:29 options.conf

  1. when i make setting changes the config.xml is updated.
  2. i have copied the letsencrypt cert and key into the directory as https-…
  3. I renamed the cert.pem and the key.pem with a .bak extension
  4. when i run the cert install script it does restart syncthing so, i have the correct API key
  5. when i restart syncthing it creates cert.pem and key.pem.
  6. But, it is now using the letsencrypt key for the browser window
  7. success i think!

one weird behavior: When I make changes in the settings and restart the changes are gone and I can’t view the api key (the box is gray). However, if I look in Advanced, I can find the api key and the changed settings.

So your certificate problem is solved?

Just for the record, the three paths we tried all point to the same on my Synology. I just tend to use one which doesn’t depend on the install location (volume3 instead of volume1 for me), but in your case they seem to have been disconnected somehow.

admin@box:~$ sudo ls -l /var/packages/syncthing/target/var
Password: 
total 1408
-rw-rw-r-- 1 sc-syncthing syncthing     619 Jan  1  2019 cert.pem
-rw------- 1 sc-syncthing syncthing   58599 Oct 18 22:07 config.xml
-rw------- 1 sc-syncthing syncthing     297 Oct 17 19:36 csrftokens.txt
-rw-rw-r-- 1 sc-syncthing syncthing    1915 Aug 16 23:07 https-cert.pem
-rw------- 1 sc-syncthing syncthing    1675 Aug 16 23:07 https-key.pem
drwxr-xr-x 2 sc-syncthing syncthing    4096 Nov  2 18:42 index-v0.14.0.db
-rw------- 1 sc-syncthing syncthing     288 Jan  1  2019 key.pem
-rw-r--r-- 1 sc-syncthing syncthing     261 Aug  2  2019 options.conf
-rw-r--r-- 1 sc-syncthing syncthing     832 Aug  2  2020 syncthing_install.log
-rw-r--r-- 1 sc-syncthing syncthing 1338995 Nov 16 14:09 syncthing.log
-rw-r--r-- 1 sc-syncthing syncthing       6 Nov  2 00:26 syncthing.pid
admin@box:~$ sudo ls -l /usr/local/syncthing/var
total 1408
-rw-rw-r-- 1 sc-syncthing syncthing     619 Jan  1  2019 cert.pem
-rw------- 1 sc-syncthing syncthing   58599 Oct 18 22:07 config.xml
-rw------- 1 sc-syncthing syncthing     297 Oct 17 19:36 csrftokens.txt
-rw-rw-r-- 1 sc-syncthing syncthing    1915 Aug 16 23:07 https-cert.pem
-rw------- 1 sc-syncthing syncthing    1675 Aug 16 23:07 https-key.pem
drwxr-xr-x 2 sc-syncthing syncthing    4096 Nov  2 18:42 index-v0.14.0.db
-rw------- 1 sc-syncthing syncthing     288 Jan  1  2019 key.pem
-rw-r--r-- 1 sc-syncthing syncthing     261 Aug  2  2019 options.conf
-rw-r--r-- 1 sc-syncthing syncthing     832 Aug  2  2020 syncthing_install.log
-rw-r--r-- 1 sc-syncthing syncthing 1338995 Nov 16 14:09 syncthing.log
-rw-r--r-- 1 sc-syncthing syncthing       6 Nov  2 00:26 syncthing.pid
admin@box:~$ sudo ls -l /volume3/@appstore/syncthing/var
total 1408
-rw-rw-r-- 1 sc-syncthing syncthing     619 Jan  1  2019 cert.pem
-rw------- 1 sc-syncthing syncthing   58599 Oct 18 22:07 config.xml
-rw------- 1 sc-syncthing syncthing     297 Oct 17 19:36 csrftokens.txt
-rw-rw-r-- 1 sc-syncthing syncthing    1915 Aug 16 23:07 https-cert.pem
-rw------- 1 sc-syncthing syncthing    1675 Aug 16 23:07 https-key.pem
drwxr-xr-x 2 sc-syncthing syncthing    4096 Nov  2 18:42 index-v0.14.0.db
-rw------- 1 sc-syncthing syncthing     288 Jan  1  2019 key.pem
-rw-r--r-- 1 sc-syncthing syncthing     261 Aug  2  2019 options.conf
-rw-r--r-- 1 sc-syncthing syncthing     832 Aug  2  2020 syncthing_install.log
-rw-r--r-- 1 sc-syncthing syncthing 1338995 Nov 16 14:09 syncthing.log
-rw-r--r-- 1 sc-syncthing syncthing       6 Nov  2 00:26 syncthing.pid

The settings dialog not reflecting changes sounds like a browser problem to me. Have you tried force-reloading the page (Ctrl-F5 for me in Firefox)?


so yes it is solved.

However it seems that the directory that my instance of syncthing is using is different than the 3 you describe above, /volume1/@appdata/syncthing. These seem to be real directories and not links as far as I can tell. When I check the 3 directories in your reply above:

  1. /usr/local/syncthing/var does not exist.
  2. The other two have not changed.

Is this okay? BTW, on the last go round I uninstalled syncthing (removing all files), rebooted the NAS, reinstalled syncthing. That’s when I found the “working” directory.

In terms of settings, it seems that settings will be saved, config.xml changes, only if I’m connected by http://. Updating the advanced will work all the time.

Very strange

I have exactly the same problem as you had and still not saved. Can you tell me where to find the cert install script?

If you’re on DSM version 7 at least, that would be expected. I found some info indicating that /usr/local/syncthing structure is no longer used. So the script needs to be adjusted to use /var/packages/syncthing/target/var instead.

The post explaining it is still at HTTPS connection with "Warning: Potential Security Risk" or invalid certificate - #6 by acolomb. However, you should use an updated version that uses different paths to access the needed directories. Just the new script content listed again here in modified form, read the original post for the explanation.

SYSTEM_CERT_DIR=/usr/syno/etc/certificate/system/default
SYNCTHING_CONF_DIR=/var/packages/syncthing/target/var

SYNCTHING_USER=sc-syncthing
SYNCTHING_GROUP=syncthing

API_KEY=InsertYourAPIKeyHere

sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/cert.pem ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/privkey.pem ${SYNCTHING_CONF_DIR}/https-key.pem
sudo chmod 664 ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo chmod 600 ${SYNCTHING_CONF_DIR}/https-key.pem
sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-key.pem

sudo ls -l ${SYNCTHING_CONF_DIR}

curl -k -X POST -H "X-API-Key: ${API_KEY}" https://localhost:8384/rest/system/restart

Hope that helps, feel free to ask if anything is unclear @elfzweik.

My experience is that the correct syncthing target directory (SYNCTHING_CONF_DIR above) is /volume1/@appdata/syncthing.

That is what worked for me. Using /var/packages/syncthing/target/var did not work.

Hal

Well /volume1/@appdata/syncthing is definitely 100 % wrong on my DiskStation. It depends on which volume you choose during installation. Of course you can hard-code that path in your copy of the script, but for a generic script / example, I will always prefer paths that are not installation-dependent.

What i was trying to say is on my synology NAS, syncthing won’t read/use the certificate in /var/packages/syncthing/target/var. it will only use a cert that has been placed in /volume1/@appdata/syncthing. Of course, the volume will vary depending on your installation.

hal

Thanks a lot for your help. Unfortunately this script doesn’t work for me. As @halteach pointed out, the var dir is /volume1/@appdata/syncthing in my case. There exists /var/packages/syncthing/target/var, but it is not a link of the /volume1/@appdata/syncthing, which confused me a lot. Finally I can use https connection. It is more comfortable without the warning.

By the way, the certification and key filenames may vary. I have 2 synology NAS devices, both running DSM7. However, on one device the certification and key filenames are cert.pem and privkey.pem, while on the other they are ECC-cert.pem and ECC-privkey.pem or RSA-cert.pem and RSA-privkey.pem.

So the better alternative regarding paths which are independent from the installation volume would be /var/packages/syncthing/var (without the target part). At least on DSM 7 that seems to be different from the target/var counterpart. Sorry I have no DiskStation already running version 7 so can only guess about that.

If both your DiskStations are on DSM 7, but use different .pem file names, it might have to do with when these certificates were generated? I guess there was a time when ECC keys were not yet included, so there was only one defined name.

Whatever, use the file name that works in your case. The script was written mainly to record the necessary steps and minimize the effort every time the Let’s Encrypt certificate expires.

So I changed my install script to use /var/packages/syncthing/var and that works. I am running dsm 7. This all started when I renewed my cert in early November. I had not previously seen the ECC and RSA certs.

@acolomb thanks for all your help.

Hal

Hi @halteach, same issue for me here, can you please share with me the updated script for DSM7.x that you are using right now? I have the same issue that you have for the ‘@ appdata’ folder and the ECC certificates if compared to the @acolomb one!

Also, since I’m new to Linux SSH, in which folder should I launch the cat > syncthing-install-cert.sh command?

Thanks for your help!

SYSTEM_CERT_DIR=/usr/syno/etc/certificate/system/default
SYNCTHING_CONF_DIR=/var/packages/syncthing/var

SYNCTHING_USER=sc-syncthing
SYNCTHING_GROUP=syncthing

API_KEY=[your key]

sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/ECC-cert.pem ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/ECC-privkey.pem ${SYNCTHING_CONF_DIR}/https-key.pem
sudo chmod 664 ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo chmod 600 ${SYNCTHING_CONF_DIR}/https-key.pem
sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-key.pem

sudo ls -al ${SYNCTHING_CONF_DIR}

curl -k -X POST -H "X-API-Key: ${API_KEY}" https://localhost:8384/rest/system/restart

which folder? as the paths are explicit i guess anywhere. I do it in the target var directory because i like to check the results. BTW, to get to the directory /var/packages/syncthing/var, you may have to be root, sudo -i.

hal

@halteach thanks for trying to help me! As I told you, I’m quite new to Linux, and I thought that I had to save the script that I’m going to create with the cert command in a particular folder.

Anyway, I did try to launch the cat > syncthing-install-cert.sh command using my admin user but I get a “permission denied” message. If I send the sudo -i command first, it does not seem to work at all.

I don’t know if I’m a few steps away from the solution or if I need to study Linux first

you do the sudo -i by itself. you’ll then be the root user. then execute the cat command

hal

In my experience, it’s easiest to save the script in your admin user’s $HOME directory. Just enter the cat command right after logging in through SSH, then you are already in the correct directory. No need to use sudo for becoming root before saving or executing the script. The relevant commands already have sudo prepended so all you have to do is enter your admin password when asked during execution.

Here is a new script version, with correct formatting:

SYSTEM_CERT_DIR=/usr/syno/etc/certificate/system/default
SYNCTHING_CONF_DIR=/var/packages/syncthing/var
# Before DSM 7.0, use the following instead:
#SYNCTHING_CONF_DIR=/var/packages/syncthing/target/var

SYNCTHING_USER=sc-syncthing
SYNCTHING_GROUP=syncthing

API_KEY=InsertYourAPIKeyHere

sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/cert.pem ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo cp -v --preserve=timestamps ${SYSTEM_CERT_DIR}/privkey.pem ${SYNCTHING_CONF_DIR}/https-key.pem
sudo chmod 664 ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo chmod 600 ${SYNCTHING_CONF_DIR}/https-key.pem
sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-cert.pem
sudo chown ${SYNCTHING_USER}:${SYNCTHING_GROUP} ${SYNCTHING_CONF_DIR}/https-key.pem

sudo ls -l ${SYNCTHING_CONF_DIR}

curl -k -X POST -H "X-API-Key: ${API_KEY}" https://localhost:8384/rest/system/restart

@halteach could you please try to use code formatting when pasting scripts or commands? Discourse almost certainly breaks the content otherwise, so it won’t work when copy-pasted.
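An added example, not part of the thread and not any poster's script: since the posts above report different certificate file names (cert.pem, ECC-cert.pem, RSA-cert.pem) and different config directories per DiskStation, these two helpers probe for them instead of hard-coding one. The function names are hypothetical, the candidate paths are the ones mentioned in the posts, and choosing the directory with the newest config.xml is an assumption based on the observation that config.xml is updated when settings change.

```shell
#!/bin/sh
# Added example: probe for the cert/key pair and the live Syncthing config
# directory. Function names are hypothetical; candidates come from the thread.

# Print "certfile keyfile" for the first complete pair found in directory $1.
# A pair counts only if both the certificate and its private key exist.
find_cert_pair() {
    dir=$1
    for prefix in "" "ECC-" "RSA-"; do
        if [ -f "${dir}/${prefix}cert.pem" ] && [ -f "${dir}/${prefix}privkey.pem" ]; then
            echo "${prefix}cert.pem ${prefix}privkey.pem"
            return 0
        fi
    done
    return 1
}

# Print the candidate directory whose config.xml was modified most recently.
# Assumption: the directory the running instance uses is the one whose
# config.xml changes when settings are saved. If several candidates are links
# to the same directory, the first one listed wins.
find_conf_dir() {
    newest=""
    for dir in "$@"; do
        [ -f "${dir}/config.xml" ] || continue
        if [ -z "$newest" ] || [ "${dir}/config.xml" -nt "${newest}/config.xml" ]; then
            newest=$dir
        fi
    done
    [ -n "$newest" ] && echo "$newest"
}

# Probe the paths named in the thread. Run as root, since these directories
# are not readable by a normal user. Prints nothing if no candidate matches.
SYSTEM_CERT_DIR=/usr/syno/etc/certificate/system/default
if conf=$(find_conf_dir /var/packages/syncthing/var \
                        /var/packages/syncthing/target/var \
                        /volume1/@appdata/syncthing) &&
   pair=$(find_cert_pair "$SYSTEM_CERT_DIR"); then
    echo "config dir: $conf"
    echo "cert/key:   $pair"
fi
```

The printed values can then be substituted for SYNCTHING_CONF_DIR and the two .pem source names in the install script.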

How do I do code formatting?

Hal

This one.
