SSL certificate setup

Hi all,

I have a VPS with digitalocean, running Ubuntu 14.04. I have just set up syncthing on it… however I’ve already been using it for another service (owncloud) before, where an external SSL certificate (startssl) has been successfully set up and is being used.

My problem is: now I can’t access my server. Error message: “This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.”

I’m pretty sure this only shows that my server is OK, and the SSL is just doing it’s job, and blocking the self-signed certificate generated by the syncthing setup. Not sure if it’s relevant: syncthing is running on the server as it’s own user, other services under apache, normally.

Question: what config changes do I need to make so that syncthing uses the external certificate (not it’s self-signed one)?

Thanks in advance. kzs

inside the config directory (usually ~/.config/syncthing) you have the https-cert.pem and https-key.pem which you can probably replace with your existing cert and key.

The cert.pem and key.pem are the ones used for the sync protocol and should not be replaced.

Perfect, working now. Thanks a lot

This should probably be added to the FAQ…

1 Like

Hey you all and sorry to get this thread alive after that time. It’s my first intervention in this forum so I think it’s worth it to thank people who are involved in having Syncthing running. I installed it some time ago and I could not be more satisfied.

So here is my question: I have Syncthing running on my OpenMediaVault Server at home. I have a free Let’s Encrypt certificate to secure my HTTPS connections to my server (running also an OpenVPN Access Server and an FTPS among other things). Looking for advice on how to change the default SSL certificates to connect to the WebGUI on my server, I found this thread. As @wweich suggests, I changed https-cert.pem and https-key.pem on my Syncthing config directory but it seems like the Server does not use them since when I connect via HTTPS, I get an HSTS warning from Firefox because the issuer if the SSL cert is not trusted (because it’s using a self-signed one, not the Let’s Encrypt one, which is trusted).

Do you have any clue on how to get it working with custom SSL certs?

Thanks in advance. Guillem

Did you restart syncthing? Also, are you sure you’ve put the certs in the right location?

Thanks for the fast response! Yep, restarted Syncthing, rebooted server… Location of my certs is /bin/.config/syncthing since it is installed as an Open Media Vault plugin. But I’m sure it is right because there is not anywhere where the files https-key.pem and https-cert.pem exist. In this directory are also the cert.pem and key.pem (suposing they are used to encrypt transfers). What is strange is that I changed the certs and Syncthing is still using the old ones, but, how can it work with them if they have changed? Any other idea?

Thanks for your time. Guillem

Verify that the files are the same as you copied them in, perhaps syncthing simply regenerated them at some point?

No. The files are the ones I put at some time… I will ask on OpenMediaVault forums; maybe they have changed something when implementing the plugin…

Any idea where the certificate files are stored in the Windows version?


$ syncthing -paths
Configuration file:

Database directory:

Device private key & certificate files:

HTTPS private key & certificate files:

Log file:

GUI override directory:

Default sync folder directory:

He asked for the Windows version.

He can issue this command syncthing -paths on his machine.

Thanks. So the answer is, as always, in the fine manual… :slight_smile:

In case of working with a server behind my home NAT, does it make sense to leave the https certificates as is, or should i create self-signed ones for it?

If you don’t know that you have a particular reason to replace them it’s much simpler to let them be.