SSL error, unknown certificate

Support
1

Unable to establish a https connection, I get the following re-occurring error msgs when connected (not secure) from the GUI browser: Dec 12 18:47:01 vail gnome-shell[4131]: [4171:4178:1212/184701.544771:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202 Dec 12 18:47:01 vail syncthing[1643]: 2022/12/12 18:47:01 http: TLS handshake error from 192.168.50.4:35810: remote error: tls: unknown certificate Dec 12 18:47:01 vail gnome-shell[4131]: [4171:4178:1212/184701.554044:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202 Dec 12 18:47:21 vail syncthing[1643]: 2022/12/12 18:47:21 http: TLS handshake error from 192.168.50.4:50360: remote error: tls: unknown certificate Dec 12 18:47:21 vail gnome-shell[4131]: [4171:4178:1212/184721.546689:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202 Dec 12 18:47:21 vail syncthing[1643]: 2022/12/12 18:47:21 http: TLS handshake error from 192.168.50.4:50370: remote error: tls: unknown certificate Dec 12 18:47:21 vail gnome-shell[4131]: [4171:4178:1212/184721.557656:ERROR:ssl_client_socket_impl.cc(982)] handshake failed; returned -1, SSL error code 1, net_error -202

I remember seeing some warning/error message during install concerning the certificates but unfortunately didnā€™t capture the initial msg.

I also tried un-checking the ā€œUse HTTPS for GUIā€ but still get the errors.

The following files(certificates) reside in ~/.config/syncthing: cert.pem config.xml csrftokens.txt https-cert.pem https-key.pem index-v0.14.0.db key.pem

Iā€™m not very familiar with HTTPS and how it works so reaching out for some help in getting my browser/certificates setup correctly to eliminate the errors. Thanks

2

Those look like a server-side error and not from Syncthing, so Iā€™m not really sure what youā€™ve done. Perhaps you need to explain your setup more closely.

Otherwise, the Syncthing GUI uses a self-signed certificate per default, which will require accepting in your browser when you initially access the GUI.

3

Which syncthing UI client are you using?

4

This Device list Version as ā€œunknown-dev,Linux(64 bit)ā€. This is the only version information I see from the GUI. If there is a way to gather additional version information please let me know.

syncthing
syncthing1259Ɨ888 157 KB

5

Itā€™s probably an old Debian build? They didnā€™t get the versioning right, IIRC. Anyway, it looks like itā€™s working for you.

6

Iā€™m not clear on your response. Yes, it seems to start to scan my disks but I never get a complete scan (folder status goes to Unshared). Also Iā€™d like to get the the https correctly as itā€™s consent output of errors (see above). Iā€™m running this on a 64-bit Ubuntu 20.04LTS system, is there a better/newer release version that I should be using? I just followed the Linux download link from SyncThing website to install. If I need to upgrade, is there instructions how to remove the older version and perform a clean install?

7

HTTPS is working in that screenshot; thereā€™s just a warning because the certificate is not CA-issued.

I donā€™t think youā€™re running a version from syncthing.net, perhaps you also have a system installed version, but that matters less.

8

Iā€™ve removed, purged the current syncthing package and re-installed according to the directions provided here: Debian/Ubuntu Packages

The install shows no errors and now the version shows v1.22.3-rc.1, Linux (64-bit Intel/AMD).

sudo apt-get install syncthing Reading package listsā€¦ Done Building dependency tree
Reading state informationā€¦ Done The following packages were automatically installed and are no longer required: libfprint-2-tod1 libfwupdplugin1 libllvm10 libllvm11 libopenshot-audio7 libopenshot19 libqt5multimedia5 libqt5multimediawidgets5 libqt5sensors5 libqt5webkit5 libxmlb1 python3-pyqt5.qtmultimedia python3-pyqt5.qtwebkit shim Use ā€˜sudo apt autoremoveā€™ to remove them. The following NEW packages will be installed: syncthing 0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded. Need to get 0 B/10.4 MB of archives. After this operation, 24.9 MB of additional disk space will be used. Selecting previously unselected package syncthing. (Reading database ā€¦ 231583 files and directories currently installed.) Preparing to unpack ā€¦/syncthing_1.22.3~rc.1_amd64.deb ā€¦ Unpacking syncthing (1.22.3~rc.1) ā€¦ Setting up syncthing (1.22.3~rc.1) ā€¦ Processing triggers for mime-support (3.64ubuntu1) ā€¦ Processing triggers for hicolor-icon-theme (0.17-2) ā€¦ Processing triggers for gnome-menus (3.36.0-1ubuntu1) ā€¦ Processing triggers for ufw (0.36-6ubuntu1) ā€¦ Rules updated for profile ā€˜Sambaā€™

Processing triggers for man-db (2.9.1-1) ā€¦ Processing triggers for desktop-file-utils (0.24-1ubuntu3) ā€¦

Iā€™ve also attempted to re-installed the ca-certificates:

sudo apt-get install ca-certificates Reading package listsā€¦ Done Building dependency tree
Reading state informationā€¦ Done ca-certificates is already the newest version (20211016ubuntu0.20.04.1). 0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

However my browser still reports certificate is not valid.

9

And it will continue to do so, because itā€™s a self-signed certificate. This is as expected.

10

With every HTTPS connection, there are parties involved in the connection handshake.

Consider a user visiting Syncthing.net:

  1. The userā€™s web browser visits https://syncthing.net/.
  2. Because a secure connection has been requested, syncthing.net sends its SSL/TLS certificate to the userā€™s web browser.
  3. In order for the userā€™s web browser to trust syncthing.netā€™s site certificate, the web browser contacts a CA (aka., ā€œCertificate Authorityā€) such as Letā€™s Encrypt to ask for validation.
  4. Because all of the major web browsers and operating systems (including Ubuntu 20.04 LTS) are bundled with Letā€™s Encryptā€™s root certificate, thereā€™s implicit trust of Letā€™s Encrypt. So if Letā€™s Encrypt vouches for syncthing.netā€™s site certificate, the userā€™s web browser also trusts the certificate, changing its icon indicator to a lock and saying ā€œconnection secureā€.

Hereā€™s Syncthing.netā€™s transparency log history: https://crt.sh/?q=syncthing.net

The first time you launched Syncthing on your Ubuntu workstation, Syncthing automatically generated a self-signed certificate for connections to its web GUI.

Every time you connect to https://127.0.0.1:8384/, https://localhost:8384/ and so on, your web browser expects you to decide whether or not to accept the self-signed certificate because it cannot be validated by a trusted certificate authority.

There are two ways to eliminate the HTTPS error:

  • Register a public FQDN for your Ubuntu workstation; create a CSR; submit the CSR to a CA; configure Syncthing to use the CA issued certificate; always connect to Syncthing via the hostā€™s public FQDN (e.g., https://myubuntuworkstation.com:8384/).
  • Set up your own private CA and configure your Ubuntu workstation and web browser to trust it.