I think I’m still confused here about the implementation of certificates with Syncthing. I understand that the https-cert.pem and https-key.pem files are used for the web GUI but I’m not sure if that plays any other role.
Assuming that the cert.pem and key.pem files are only used for Syncthing-to-Syncthing and Syncthing-to-web-servers (like discovery servers), I’m finding conflicting information.
In the documentation for Discovery Servers, I can use a CA-signed certificate. In the documentation for Syncthing, it just mentions the key must be kept private.
In this forum post, wweich said:

> The `cert.pem` and `key.pem` are the ones used for the sync protocol and should not be replaced.
All this to say and ask:
- A certificate bundle as the `https-cert.pem` file seems to work properly for the web GUI and I can see my entire cert chain when I browse to my Syncthing instance.
- What is the purpose of the `cert.pem` and the `key.pem` files for Syncthing and the Syncthing Discovery Servers?
- Given that the device ID is supposed to be tied to the certificate (not mentioned which one), is the ability for these certs to be CA-signed not working properly or am I incorrectly implementing certificates in the Syncthing solution?
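The tie between `cert.pem` and the device ID that the last question asks about can be made concrete. The device ID is derived from the certificate itself: Syncthing hashes the DER-encoded certificate with SHA-256, base32-encodes the digest, appends a Luhn-style check character to each 13-character group, and formats the result in hyphenated groups of seven. The script below, an added example written for this thread and not code from the Syncthing project or from anyone in the discussion, reproduces that derivation with only the Python standard library so you can compute the ID of any `cert.pem` and compare it with what the GUI shows. The certificate body in `SAMPLE_PEM` is a constructed stand-in, not a real X.509 certificate, and the function names are this example's own. Because the ID is a hash of the whole certificate, a CA-signed certificate works as long as it is the one the sync protocol presents, and replacing `cert.pem` with any other certificate, signed or not, produces a different device ID.

```python
import base64
import hashlib
import re
import textwrap

# Base32 alphabet used for device IDs (RFC 4648 alphabet, no padding).
LUHN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def luhn_base32(s: str) -> str:
    """Return the check character for s over the base32 alphabet.

    This mirrors the variant Syncthing uses: the weight starts at 1 on the
    leftmost character and alternates 1, 2, 1, 2, ... ; each weighted value
    is reduced by (v // 32) + (v % 32) before summing.
    """
    factor, total, n = 1, 0, 32
    for ch in s:
        codepoint = LUHN_ALPHABET.index(ch)  # ValueError on characters outside the alphabet
        addend = factor * codepoint
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return LUHN_ALPHABET[(n - total % n) % n]


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def device_id_from_der(der: bytes) -> str:
    """SHA-256 of the DER certificate -> base32 -> 4 x (13 chars + check) -> 8 groups of 7."""
    digest = hashlib.sha256(der).digest()                      # 32 bytes
    raw = base64.b32encode(digest).decode().rstrip("=")        # 52 base32 characters
    if len(raw) != 52:
        raise ValueError("unexpected base32 length %d" % len(raw))
    with_checks = "".join(
        raw[i * 13:(i + 1) * 13] + luhn_base32(raw[i * 13:(i + 1) * 13]) for i in range(4)
    )                                                          # 56 characters
    return "-".join(with_checks[i * 7:(i + 1) * 7] for i in range(8))


def device_id_from_pem(pem: str) -> str:
    """Compute the device ID of the certificate in a cert.pem-style file."""
    return device_id_from_der(pem_to_der(pem))


def verify_device_id(device_id: str) -> bool:
    """Check that an ID is well-formed and every 14-character group carries a valid check character."""
    s = device_id.replace("-", "").replace(" ", "").upper()
    if len(s) != 56 or any(c not in LUHN_ALPHABET for c in s):
        return False
    return all(luhn_base32(s[i * 14:i * 14 + 13]) == s[i * 14 + 13] for i in range(4))


# Constructed stand-in for the DER bytes of a certificate (not a real X.509 structure);
# the derivation only needs the raw bytes, so this is enough to exercise the code.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes, not real X.509"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    import sys
    # Usage: python device_id.py ~/.config/syncthing/cert.pem   (or no argument for the sample)
    pem_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    did = device_id_from_pem(pem_text)
    print("device ID:", did, "valid:", verify_device_id(did))
```

Run it against the `cert.pem` in your Syncthing configuration directory and the printed ID should match the one shown under "Show ID" in the GUI; run it against `https-cert.pem` and you will get a different, unrelated value, which is the practical demonstration that the HTTPS certificate plays no part in device identity.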