Newbie to Syncthing - Require help with dynamic relay please...

Hi all,

I have set up syncthing on two devices:

  • Device 1 - ASUSTOR 6604T via a Docker configuration
  • Device 2 - HP N54L Microserver via the Windows install package.

The devices are in two separate locations, both on the same ISP - BT (UK).

However the Windows Server shows that only 2/3 relays are connected.

When investigating, I see the error below:

dynamic+https://relays.syncthing.net/endpoint: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority

I have set up port forwarding on both routers and UPnP is enabled.

On the Windows server, via a web browser I can get to the URL without any certificate warnings etc:

https://relays.syncthing.net/endpoint

Any ideas why the certificate is not validating?

Thanks in advance!

This is possibly a side effect of how Microsoft Windows handles certificate loading. Out of the box, Windows ships with only a handful of preselected Certificate Authorities (CAs). Additional CAs are loaded on-demand by the Cryptography API (CAPI) into the Windows Certificate Store, when a chain is requested that needs an additional CA.

Modern web browsers (Chrome, Firefox, maybe Edge) unfortunately nowadays all use their own cryptography stacks and as such do not trigger the lazy-loading of new CAs in the Windows Certificate Store. However, syncthing’s cryptography library looks in that store to find the cert (but also isn’t capable of triggering the lazy-loading of CAs).

A possible fix is to invoke a tool that does use CAPI and should trigger the lazy-loading. This powershell command might do the trick:

powershell Invoke-WebRequest -UseBasicParsing https://relays.syncthing.net

If this doesn’t work, the Windows Server may have other problems in fetching certificates, often due to Windows Update servers being filtered or blocked.

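As an added diagnostic that is not part of the thread above, the PowerShell script below (run on the affected Windows server, assuming outbound TCP 443 is open) pulls the certificate chain that relays.syncthing.net presents, asks the Windows store to validate it through the CAPI chain engine, lists the status of each chain element, and reports whether the top of that chain is present in the machine's trusted root store. Because X509Chain.Build goes through CAPI, it is the same kind of request the answer says should trigger the lazy-loading of a missing CA.

```powershell
# Added diagnostic, not from the thread: does the Windows store trust the
# chain served by the Syncthing relay pool endpoint?
$HostName = 'relays.syncthing.net'   # host from the original error message

# Open a TLS session and grab the server certificate. The callback accepts
# anything here; the real validation is done explicitly with X509Chain below.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($HostName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Build the chain against the local store via CAPI. Revocation checking is
# disabled so that a CRL/OCSP problem is not mistaken for an untrusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)

"Leaf:   $($leaf.Subject)"
"Issuer: $($leaf.Issuer)"
"Chain validates against the Windows store: $built"
foreach ($el in $chain.ChainElements) {
    # An empty status list means CAPI found nothing wrong with this element.
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    "  {0}  [{1}]" -f $el.Certificate.Subject, $status
}

# Is the top of the chain actually in LocalMachine\Root? If the server only
# sent leaf + intermediate, the top element is the intermediate and the
# status above will show PartialChain or UntrustedRoot.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($inStore) {
    "Top of chain '$($top.Subject)' is present in LocalMachine\Root"
} else {
    "Top of chain '$($top.Subject)' is NOT in LocalMachine\Root (CA not loaded yet)"
}
```

If the chain reports UntrustedRoot or PartialChain before the Invoke-WebRequest suggestion and OK afterwards, the lazy-loading explanation fits; if it keeps failing, look at the Windows Update reachability the answer mentions.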