replace the key.pem and cert.pem

Continuing the discussion from how to replace the key.pem and cert.pem?:

I pre-created the directory and the certificate+key, and specified the home directory, but it doesn’t work: the CA still gets replaced by Syncthing. My version is v1.2.2, Linux (64 bit).

It’d be better if you explained what you’re trying to do.

Like the previous topic, I want to replace key.pem and cert.pem with my certificate. But after I restart Syncthing, these two files are replaced by Syncthing; they are not my certificate any more. So I pre-created the directory and the certificate+key before the first start of Syncthing, but it doesn’t work.

Why do you want to replace it?

Those files are not used for https, they are used for the device id.

If Syncthing is replacing them then that’s because it thinks they are broken. It will say so during startup. Show logs.

[start] 2020/08/20 05:11:38 main.go:557: INFO: syncthing v1.2.2 "Fermium Flea" (go1.12.9 linux-amd64) teamcity@build.syncthing.net 2019-08-15 13:51:09 UTC
[start] 2020/08/20 05:11:38 utils.go:32: INFO: Generating ECDSA key and certificate for syncthing...
[start] 2020/08/20 05:11:39 utils.go:54: INFO: Default folder created and/or linked to new config
[start] 2020/08/20 05:11:39 utils.go:74: INFO: Default config saved. Edit /share/syncthing/config/syncthing/config.xml to taste (with Syncthing stopped) or use the GUI
[JMX2J] 2020/08/20 05:11:39 syncthing.go:147: INFO: My ID: JMX2JZZ-WWBVSIX-KFNGIIB-PHBJ5HI-46YL23K-WSVELGU-NC6UP5W-SPO3QA4
[JMX2J] 2020/08/20 05:11:39 upgrade_supported.go:92: INFO: Couldn't fetch release information: Get https://upgrades.syncthing.net/meta.json: dial tcp: lookup upgrades.syncthing.net on [::1]:53: read udp [::1]:49923->[::1]:53: read: connection refused
[JMX2J] 2020/08/20 05:11:39 main.go:807: INFO: Automatic upgrade: no version to select
[JMX2J] 2020/08/20 05:11:39 sha256.go:92: INFO: Single thread SHA256 performance is 338 MB/s using minio/sha256-simd (293 MB/s using crypto/sha256).
[JMX2J] 2020/08/20 05:11:40 syncthing.go:179: INFO: Hashing performance is 279.16 MB/s
[JMX2J] 2020/08/20 05:11:40 set.go:81: INFO: No stored folder metadata for "default": recalculating
[JMX2J] 2020/08/20 05:11:40 model.go:246: INFO: Ready to synchronize "Default Folder" (default) (sendreceive)
[JMX2J] 2020/08/20 05:11:40 limiter.go:161: INFO: Overall send rate is unlimited, receive rate is unlimited
[JMX2J] 2020/08/20 05:11:40 syncthing.go:273: INFO: Using discovery server https://discovery.syncthing.net/v2/?noannounce&id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:59: INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[JMX2J] 2020/08/20 05:11:40 tcp_listen.go:59: INFO: TCP listener ([::]:22000) starting
[JMX2J] 2020/08/20 05:11:40 syncthing.go:273: INFO: Using discovery server https://discovery-v4.syncthing.net/v2/?nolookup&id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW
[JMX2J] 2020/08/20 05:11:40 syncthing.go:273: INFO: Using discovery server https://discovery-v6.syncthing.net/v2/?nolookup&id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW
[JMX2J] 2020/08/20 05:11:40 quic_listen.go:105: INFO: QUIC listener ([::]:22000) starting
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:67: INFO: Listen (BEP/relay): Get https://relays.syncthing.net/endpoint: dial tcp: lookup relays.syncthing.net on [::1]:53: read udp [::1]:45842->[::1]:53: read: connection refused
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:69: INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[JMX2J] 2020/08/20 05:11:40 service.go:137: INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.000000 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:59: INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:67: INFO: Listen (BEP/relay): Get https://relays.syncthing.net/endpoint: dial tcp: lookup relays.syncthing.net on [::1]:53: read udp [::1]:60592->[::1]:53: read: connection refused
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:69: INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[JMX2J] 2020/08/20 05:11:40 service.go:137: INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.999991 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:59: INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:67: INFO: Listen (BEP/relay): Get https://relays.syncthing.net/endpoint: dial tcp: lookup relays.syncthing.net on [::1]:53: read udp [::1]:60469->[::1]:53: read: connection refused
[JMX2J] 2020/08/20 05:11:40 relay_listen.go:69: INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[JMX2J] 2020/08/20 05:11:40 service.go:162: INFO: Entering the backoff state.
[JMX2J] 2020/08/20 05:11:40 service.go:137: INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (2.999976 failures of 2.000000), restarting: false, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[JMX2J] 2020/08/20 05:11:40 folder.go:560: INFO: Completed initial scan of sendreceive folder "Default Folder" (default)
[JMX2J] 2020/08/20 05:11:40 api.go:147: INFO: Loading HTTPS certificate: open /share/syncthing/config/syncthing/https-cert.pem: no such file or directory
[JMX2J] 2020/08/20 05:11:40 api.go:148: INFO: Creating new HTTPS certificate
[JMX2J] 2020/08/20 05:11:40 api.go:346: INFO: GUI and API listening on 127.0.0.1:8384
[JMX2J] 2020/08/20 05:11:40 api.go:347: INFO: Access the GUI via the following URL: http://127.0.0.1:8384/
[JMX2J] 2020/08/20 05:11:40 syncthing.go:334: INFO: My name is "MGTFS1A"
[JMX2J] 2020/08/20 05:11:51 service.go:66: INFO: Detected 0 NAT services
[JMX2J] 2020/08/20 05:12:10 service.go:252: INFO: Failed to exchange Hello messages with FAYEE5H-MNF2ECC-FGBEPMM-DWLVSED-DJZKB4L-X3DLU6X-KBAEK2I-ZU5EDQJ at 192.168.102.110:22000-192.168.102.12:60630/tcp-server/TLS1.2-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: EOF
[JMX2J] 2020/08/20 05:12:12 service.go:252: INFO: Failed to exchange Hello messages with EUA3C2R-J4MOM7J-KAGHJUP-RR6DNRC-V32ORNP-KT6FTDR-MXDRTOP-UDOUJAT at 192.168.102.110:22000-192.168.102.53:22000/tcp-server/TLS1.2-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: EOF
[JMX2J] 2020/08/20 05:13:10 service.go:252: INFO: Failed to exchange Hello messages with FAYEE5H-MNF2ECC-FGBEPMM-DWLVSED-DJZKB4L-X3DLU6X-KBAEK2I-ZU5EDQJ at 192.168.102.110:22000-192.168.102.12:60634/tcp-server/TLS1.2-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: EOF
[JMX2J] 2020/08/20 05:13:12 service.go:252: INFO: Failed to exchange Hello messages with EUA3C2R-J4MOM7J-KAGHJUP-RR6DNRC-V32ORNP-KT6FTDR-MXDRTOP-UDOUJAT at 192.168.102.110:22000-192.168.102.53:22000/tcp-server/TLS1.2-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: EOF
[JMX2J] 2020/08/20 05:14:10 service.go:252: INFO: Failed to exchange Hello messages with FAYEE5H-MNF2ECC-FGBEPMM-DWLVSED-DJZKB4L-X3DLU6X-KBAEK2I-ZU5EDQJ at 192.168.102.110:22000-192.168.102.12:60640/tcp-server/TLS1.2-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: EOF
[JMX2J] 2020/08/20 05:14:12 service.go:252: INFO: Failed to exchange Hello messages with EUA3C2R-J4MOM7J-KAGHJUP-RR6DNRC-V32ORNP-KT6FTDR-MXDRTOP-UDOUJAT at 192.168.102.110:22000-192.168.102.53:22000/tcp-server/TLS1.2-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: EOF

It seems it can’t provide useful information.

As required, in order to be more secure, we can’t have the certificate provided by the program itself. We need to let the customer replace it. That’s why we need to find a way to replace them.

My bad, we don’t show that error for the device certificate, only for the HTTPS ones.

Best guess? It’s the wrong format, or password protected? (Or just in the wrong place, maybe.)

Yeah, I am not sure. As you can see, my certificate is used for another product. I am applying for another certificate for this one and naming it syncthing.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5882382832048286178 (0x51a26c05011829e2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, O=xx, CN=xx Software Product CA
        Validity
            Not Before: Aug 7 01:59:20 2020 GMT
            Not After : Aug 5 01:59:20 2030 GMT
        Subject: C=CN, O=XX, CN=DatasyncServer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

Thanks first of all. After I removed the password from the private key, it works. Does Syncthing not support adding a password when generating the certificate?

No, because it has no way to ask for the password, especially when running as a service or as it restarts.


Thank you for your reply. Maybe someone can add this function in the future; that’s very important for enhancing the service. And I replaced the certificate on both nodes; Syncthing generated the same device ID, and it reported “connected to self”. Actually, I am not familiar with certificates. I’ll try to apply for another certificate and test it again. I am not sure whether it will work. Sad…

The certificate is used for identity. Having the same on two or more devices is wrong.


Yes, you are right. After I applied another certificate, the connection is normal. But we have not encrypted the private key; I am not sure whether we can use it in a live network.

Assuming you could encrypt the private key, where would you store the password for decrypting it?

Or, put differently, what kind of attack are you expecting that would be prevented by this encryption?

If an attacker gets the plaintext of the private key, he can analyze the packets with Wireshark and get the information they contain.

The private key is never transferred over the wire and remains on the local computer at all times.

Thank you for your reply. If the private key isn’t transferred over the network, how does Syncthing complete the TLS handshake? As far as I know, the device ID is based on the certificate, so does the remote server get the certificate from it? If possible, please give me more details, because it’s hard for me to read the source code.

You can read about TLS handshakes anywhere on the internet, Syncthing does nothing non-standard here. A password or not on the private key makes no difference at all to the protocol. It just means the program needs to know the password when loading the key from disk.
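The three points made in this thread (a passphrase-protected key.pem cannot be loaded, the device ID is derived from the certificate alone so the same cert on two nodes yields the same ID, and peers obtain each other's certificate through the TLS handshake while the private key never leaves the machine) can be checked in a few dozen lines of Go. The block below is an added example and is not Syncthing's source; it follows Syncthing's published device-ID scheme (SHA-256 of the DER certificate, base32, a Luhn mod 32 check character per 13-character group, printed as eight groups of seven) and assumes that scheme is unchanged. The function names, the in-memory `net.Pipe` handshake, and the self-signed certificates it generates are all constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base32"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Base32 alphabet used for Syncthing device IDs (RFC 4648, padding stripped).
const base32Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// luhnCheckChar returns the Luhn mod N check character for s (all characters of
// s must be in alphabet); the weight starts at 1 on the leftmost character.
func luhnCheckChar(alphabet, s string) byte {
	n := len(alphabet)
	factor, sum := 1, 0
	for i := 0; i < len(s); i++ {
		addend := factor * strings.IndexByte(alphabet, s[i])
		sum += addend/n + addend%n
		factor = 3 - factor // alternate 1, 2, 1, 2, ...
	}
	return alphabet[(n-sum%n)%n]
}

// DeviceID derives the device ID from a DER certificate: SHA-256, base32 (52
// chars), a check char after each 13-char group, printed as 8 groups of 7.
// Only the certificate goes in; the private key plays no part.
func DeviceID(der []byte) string {
	sum := sha256.Sum256(der)
	raw := strings.TrimRight(base32.StdEncoding.EncodeToString(sum[:]), "=")
	var chunks []string
	for i := 0; i < 4; i++ {
		group := raw[i*13 : (i+1)*13]
		group += string(luhnCheckChar(base32Alphabet, group)) // 14 chars = 2 chunks of 7
		chunks = append(chunks, group[:7], group[7:])
	}
	return strings.Join(chunks, "-")
}

// KeyIsEncrypted reports whether a PEM private key needs a passphrase (PKCS#8
// "ENCRYPTED PRIVATE KEY" or a legacy "Proc-Type: 4,ENCRYPTED" header).
func KeyIsEncrypted(keyPEM []byte) bool {
	block, _ := pem.Decode(keyPEM)
	return block != nil && (block.Type == "ENCRYPTED PRIVATE KEY" ||
		strings.HasPrefix(block.Headers["Proc-Type"], "4,ENCRYPTED"))
}

// newIdentity builds a self-signed ECDSA cert/key (constructed test material,
// like the pair Syncthing writes on first start) and the key as unencrypted PEM.
func newIdentity() (tls.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, keyPEM
}

// HandshakePeerIDs runs a mutual-TLS handshake over an in-memory pipe and
// returns the device ID each side derived from the certificate the other sent.
func HandshakePeerIDs(server, client tls.Certificate) (seenByServer, seenByClient string, err error) {
	srvRaw, cliRaw := net.Pipe()
	srv := tls.Server(srvRaw, &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAnyClientCert, // the peer must present a certificate
		MaxVersion:   tls.VersionTLS12,         // TLS 1.2, as in the log above
	})
	cli := tls.Client(cliRaw, &tls.Config{
		Certificates:       []tls.Certificate{client},
		InsecureSkipVerify: true, // no CA chain: the peer is identified by device ID
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err = cli.Handshake(); err == nil {
		err = <-srvErr
	}
	if err != nil {
		return "", "", err
	}
	seenByServer = DeviceID(srv.ConnectionState().PeerCertificates[0].Raw)
	seenByClient = DeviceID(cli.ConnectionState().PeerCertificates[0].Raw)
	return seenByServer, seenByClient, nil
}

func main() {
	a, aKey := newIdentity()
	b, _ := newIdentity()
	s, c, err := HandshakePeerIDs(a, b)
	fmt.Println("encrypted key.pem:", KeyIsEncrypted(aKey), "| server saw:", s, "| client saw:", c, "| err:", err)
}
```

Running `KeyIsEncrypted` over a customer-supplied key.pem before the first start is the pre-flight check that would have caught the problem in this thread, and comparing `DeviceID` of the two nodes' cert.pem files catches the "connected to self" case. In `HandshakePeerIDs` each side only ever passes its own certificate chain to the TLS stack; the peer certificate that the ID is computed from arrives inside the handshake, which is why encrypting the key on disk changes nothing on the wire.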