Providing Custom TLS Certificates

Hey all!

I’m putting together a Syncthing container image which accepts custom certificates as environment variables and writes them to the https-key.pem and https-cert.pem files in the config directory. The entry-point for this image is a script which writes the certificates and handles a few other configuration tasks before launching Syncthing.

The problem I’m facing is that Syncthing generates its own TLS certificates and overwrites the existing https-*.pem files upon startup. I would like to be able to override this functionality to have it read from the existing files.

I saw in cmd/usrv/main.go that UR_CERT_FILE and UR_KEY_FILE environment variables could be provided, but I don’t see anything similar for the GUI/REST API HTTPS endpoint.

Please let me know what I could do in order to get this working.


They are only generated if they don’t exist, aren’t readable/usable, or seem Syncthing-generated and have expired. If they exist, my guess is on “not readable” or in the wrong format.

Yeah, I’m seeing that now in the tsutils lib. Looks like Syncthing is failing to find PEM data in the certificate input:

[QIUJC] 17:19:51 INFO: Loading HTTPS certificate: tls: failed to find any PEM data in certificate input
[QIUJC] 17:19:51 INFO: Creating new HTTPS certificate

It must be related to the TLS1.2 config that Syncthing is using because I’m able to generate ECDSA signatures and have them validate on a local HTTPS server/client that I’m using to test this whole setup.

Certificates don’t really have a relationship to the TLS version (or any other TLS parameter). Are you maybe accidentally using DER-encoding instead of PEM? What do your certificate files look like?

The generation process is roughly described by this gist.

If you run that code, interaction between the client and server works; the keys themselves are saved and loaded into a docker image here.

So you write the entire pem-structures via environment variables to file? Does this work correctly, including line breaks and whatnot? Have you tried reading the files from the container after writing them?

I just checked the environment variables within the container and they do not have line breaks. I didn’t realize that this would be an issue since every certificate and key has a -----BEGIN/END CERTIFICATE/KEY----- string.
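The two posts above (checking the files inside the container, and the discovery that the environment variables had lost their line breaks) can be reproduced outside of Syncthing. The following is an added example, not code from this thread or from the Syncthing project; it is in Go because the “failed to find any PEM data” message comes from Go’s crypto/tls package, which Syncthing uses to load the GUI certificate. It generates a throwaway self-signed ECDSA pair (constructed test material, with a made-up subject name), strips the newlines the way an environment variable did in the thread, shows that crypto/tls then rejects the pair with exactly that error, and re-wraps the base64 body at 64 columns so the pair loads again. `RestorePEMLines` is a helper written for this example, not a Syncthing or standard-library function.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// GeneratePair returns a self-signed ECDSA certificate and its key as PEM
// text. Constructed test material for this example only; not a Syncthing cert.
func GeneratePair() (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-syncthing-gui"}, // made-up name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// FlattenPEM simulates the failure mode from the thread: every line break is
// lost when the PEM text travels through an environment variable.
func FlattenPEM(p []byte) []byte {
	return []byte(strings.ReplaceAll(string(p), "\n", ""))
}

// LoadCheck runs the same parse Syncthing's HTTPS listener relies on
// (crypto/tls) and returns its error, nil if the pair is usable.
func LoadCheck(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// RestorePEMLines rebuilds the line structure of PEM text whose newlines were
// stripped. Each block's base64 body is re-wrapped at 64 columns, the width
// encoding/pem itself emits, so the result matches the original file.
func RestorePEMLines(flat string) string {
	var out strings.Builder
	rest := flat
	for {
		b := strings.Index(rest, "-----BEGIN ")
		if b < 0 {
			break
		}
		rest = rest[b+len("-----BEGIN "):]
		e := strings.Index(rest, "-----")
		if e < 0 {
			break
		}
		typ := rest[:e]
		rest = rest[e+len("-----"):]
		endMarker := "-----END " + typ + "-----"
		end := strings.Index(rest, endMarker)
		if end < 0 {
			break
		}
		// Any whitespace left inside the body is transport noise, not data.
		body := strings.Join(strings.Fields(rest[:end]), "")
		rest = rest[end+len(endMarker):]
		fmt.Fprintf(&out, "-----BEGIN %s-----\n", typ)
		for len(body) > 64 {
			out.WriteString(body[:64] + "\n")
			body = body[64:]
		}
		out.WriteString(body + "\n")
		fmt.Fprintf(&out, "-----END %s-----\n", typ)
	}
	return out.String()
}

func main() {
	certPEM, keyPEM, err := GeneratePair()
	if err != nil {
		panic(err)
	}
	flatCert, flatKey := FlattenPEM(certPEM), FlattenPEM(keyPEM)
	fmt.Println("intact pair:   ", LoadCheck(certPEM, keyPEM))
	fmt.Println("flattened pair:", LoadCheck(flatCert, flatKey))
	fmt.Println("restored pair: ", LoadCheck([]byte(RestorePEMLines(string(flatCert))),
		[]byte(RestorePEMLines(string(flatKey)))))
}
```

The practical check from inside the container is the same parse: if `tls.X509KeyPair` (or `openssl x509 -in https-cert.pem -noout -subject` on the written file) cannot find a PEM block, Syncthing will log the error shown earlier and generate its own certificate instead.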

I wanted to follow up as I ended up resolving this issue.

I ended up getting it to run by using the -v flag with the Docker CLI to provide the generated certificates in my host machine to the config directory where Syncthing was reading from: -v /path/to/server-key.pem:/config/https-key.pem.
