SSL error, unknown certificate

Unable to establish an HTTPS connection, I get the following recurring error msgs when connected (not secure) from the GUI browser:

Dec 12 18:47:01 vail gnome-shell[4131]: [4171:4178:1212/184701.544771:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202
Dec 12 18:47:01 vail syncthing[1643]: 2022/12/12 18:47:01 http: TLS handshake error from 192.168.50.4:35810: remote error: tls: unknown certificate
Dec 12 18:47:01 vail gnome-shell[4131]: [4171:4178:1212/184701.554044:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202
Dec 12 18:47:21 vail syncthing[1643]: 2022/12/12 18:47:21 http: TLS handshake error from 192.168.50.4:50360: remote error: tls: unknown certificate
Dec 12 18:47:21 vail gnome-shell[4131]: [4171:4178:1212/184721.546689:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202
Dec 12 18:47:21 vail syncthing[1643]: 2022/12/12 18:47:21 http: TLS handshake error from 192.168.50.4:50370: remote error: tls: unknown certificate
Dec 12 18:47:21 vail gnome-shell[4131]: [4171:4178:1212/184721.557656:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202

I remember seeing some warning/error message during install concerning the certificates but unfortunately didn’t capture the initial msg.

I also tried un-checking the “Use HTTPS for GUI” but still get the errors.

The following files(certificates) reside in ~/.config/syncthing: cert.pem config.xml csrftokens.txt https-cert.pem https-key.pem index-v0.14.0.db key.pem

I’m not very familiar with HTTPS and how it works so reaching out for some help in getting my browser/certificates setup correctly to eliminate the errors. Thanks

Those look like a server-side error and not from Syncthing, so I’m not really sure what you’ve done. Perhaps you need to explain your setup more closely.

Otherwise, the Syncthing GUI uses a self-signed certificate per default, which will require accepting in your browser when you initially access the GUI.

Which syncthing UI client are you using?

This Device lists the version as “unknown-dev, Linux (64 bit)”. This is the only version information I see from the GUI. If there is a way to gather additional version information please let me know.

It’s probably an old Debian build? They didn’t get the versioning right, IIRC. Anyway, it looks like it’s working for you.

I’m not clear on your response. Yes, it seems to start to scan my disks but I never get a complete scan (folder status goes to Unshared). Also I’d like to get the https working correctly as there is a constant output of errors (see above). I’m running this on a 64-bit Ubuntu 20.04 LTS system; is there a better/newer release version that I should be using? I just followed the Linux download link from the SyncThing website to install. If I need to upgrade, are there instructions on how to remove the older version and perform a clean install?

HTTPS is working in that screenshot; there’s just a warning because the certificate is not CA-issued.

I don’t think you’re running a version from syncthing.net, perhaps you also have a system installed version, but that matters less.

I’ve removed, purged the current syncthing package and re-installed according to the directions provided here: Debian/Ubuntu Packages

The install shows no errors and now the version shows v1.22.3-rc.1, Linux (64-bit Intel/AMD).

sudo apt-get install syncthing
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
  libfprint-2-tod1 libfwupdplugin1 libllvm10 libllvm11 libopenshot-audio7 libopenshot19 libqt5multimedia5 libqt5multimediawidgets5 libqt5sensors5 libqt5webkit5 libxmlb1 python3-pyqt5.qtmultimedia python3-pyqt5.qtwebkit shim
Use ‘sudo apt autoremove’ to remove them.
The following NEW packages will be installed:
  syncthing
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 0 B/10.4 MB of archives.
After this operation, 24.9 MB of additional disk space will be used.
Selecting previously unselected package syncthing.
(Reading database … 231583 files and directories currently installed.)
Preparing to unpack …/syncthing_1.22.3~rc.1_amd64.deb …
Unpacking syncthing (1.22.3~rc.1) …
Setting up syncthing (1.22.3~rc.1) …
Processing triggers for mime-support (3.64ubuntu1) …
Processing triggers for hicolor-icon-theme (0.17-2) …
Processing triggers for gnome-menus (3.36.0-1ubuntu1) …
Processing triggers for ufw (0.36-6ubuntu1) …
Rules updated for profile ‘Samba’
Processing triggers for man-db (2.9.1-1) …
Processing triggers for desktop-file-utils (0.24-1ubuntu3) …

I’ve also attempted to re-install the ca-certificates:

sudo apt-get install ca-certificates
Reading package lists… Done
Building dependency tree
Reading state information… Done
ca-certificates is already the newest version (20211016ubuntu0.20.04.1).
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

However my browser still reports certificate is not valid.

And it will continue to do so, because it’s a self-signed certificate. This is as expected.


With every HTTPS connection, there are parties involved in the connection handshake.

Consider a user visiting Syncthing.net:

  1. The user’s web browser visits https://syncthing.net/.
  2. Because a secure connection has been requested, syncthing.net sends its SSL/TLS certificate to the user’s web browser.
  3. In order for the user’s web browser to trust syncthing.net’s site certificate, the web browser contacts a CA (aka., “Certificate Authority”) such as Let’s Encrypt to ask for validation.
  4. Because all of the major web browsers and operating systems (including Ubuntu 20.04 LTS) are bundled with Let’s Encrypt’s root certificate, there’s implicit trust of Let’s Encrypt. So if Let’s Encrypt vouches for syncthing.net’s site certificate, the user’s web browser also trusts the certificate, changing its icon indicator to a lock and saying “connection secure”.

Here’s Syncthing.net’s transparency log history: https://crt.sh/?q=syncthing.net

The first time you launched Syncthing on your Ubuntu workstation, Syncthing automatically generated a self-signed certificate for connections to its web GUI.

Every time you connect to https://127.0.0.1:8384/, https://localhost:8384/ and so on, your web browser expects you to decide whether or not to accept the self-signed certificate because it cannot be validated by a trusted certificate authority.

There are two ways to eliminate the HTTPS error:

  • Register a public FQDN for your Ubuntu workstation; create a CSR; submit the CSR to a CA; configure Syncthing to use the CA issued certificate; always connect to Syncthing via the host’s public FQDN (e.g., https://myubuntuworkstation.com:8384/).
  • Set up your own private CA and configure your Ubuntu workstation and web browser to trust it.
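The second option above (a private CA) as an added example, not code from Syncthing or from the post's author: a small Go program that builds a private CA in memory, issues a certificate for the GUI's localhost/127.0.0.1 names, and then verifies it the way a browser would, once with the CA in its trust store and once without. The CA name "Home Lab Private CA" and the subject "syncthing-gui" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert signs template with signer's key; the result is self-signed when parent == template.
func newCert(template, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a private CA (constructed name) and a GUI certificate for localhost/127.0.0.1
// issued by it. In real use the GUI pair would be saved as https-key.pem / https-cert.pem.
func BuildChain() (ca, gui *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	guiKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home Lab Private CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	guiTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "syncthing-gui"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		DNSNames: []string{"localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	gui, err = newCert(guiTmpl, ca, &guiKey.PublicKey, caKey)
	return ca, gui, err
}

// Verify replays the browser's decision: gui is accepted for host only if the name matches a SAN
// and the chain ends at a CA in roots. An empty pool models "no trusted CA", the situation above.
func Verify(gui *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := gui.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Verifying against an empty pool returns an x509.UnknownAuthorityError, the same condition the browser reports as an invalid certificate; adding the CA to the pool is what trusting it in the OS or browser store does.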
