Syncthing-inotify and CA-signed certificates


(shadeless) #1

Hi there,

I’ve got a problem when using custom CA-signed certificates with syncthing-inotify on Windows. When starting, I get “Cannot connect to Syncthing: Get https://127.0.0.1:8384/rest/404: x509: certificate signed by unknown authority” from syncthing-inotify.

If I use the self-signed certificate that Syncthing generates on first startup, inotify is able to connect. As soon as I switch back to my signed certs, I get the error again. The CA that signed the certificates is in the certificate store of Windows. Syncthing itself also starts up fine and is able to use the certificate.

Is this a known problem, or am I missing something?

Thanks


(Zillode) #2

Hi,

Syncthing-inotify typically fetches the server certificate from the Syncthing home folder. If you use a custom Syncthing configuration, you can use the -cert command-line option of Syncthing-inotify to correct the path.


(shadeless) #3

Thanks for the reply, Zillode! The issue is not that inotify doesn’t find the certificate. It finds it fine (in the default home folder) but fails to validate it for some reason.


(Juul) #4

I have the same problem. Under Windows, I’m using a self-signed certificate. The HTTPS certificate is signed by a root CA (mine) which is added to the Windows cert store as trusted. Sadly, syncthing-inotify throws up X509 errors saying the certificate is signed by an unknown authority. On Ubuntu 16.04, it seems to work just fine.


(Juul) #5

After searching for a bit, I found that this may be related to https://github.com/golang/go/issues/18609. Apparently the X509 library in Golang has an issue that prevents it from using the system cert store in a correct manner.

This would essentially mean that it is not currently possible to use Syncthing’s HTTPS without browser warnings on Windows in combination with syncthing-inotify, since there is no way to use a self-signed certificate that can be verified by syncthing-inotify’s Golang X509 with a (self-signed) Windows CA Root certificate. Syncthing-inotify on Windows is still usable, but only with either HTTPS disabled or browsers screaming security warnings in agony.

Or perhaps I misunderstood something fundamental and I’m totally wrong :wink: If anybody has any suggestions I’m really interested in finding a solution!
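
The failure discussed in this thread, reproduced as an added Go example (not code from any poster or from syncthing-inotify): Go's crypto/x509 returns "certificate signed by unknown authority" when the issuing CA is absent from the root pool it verifies against, and accepts the same certificate once that CA is added to the pool explicitly. The CA and the 127.0.0.1 certificate are constructed in memory; `issue` and `demo` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue returns a constructed test certificate; a nil parent yields the self-signed private CA.
func issue(serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprint("constructed-", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	if parent == nil { // CA: allowed to sign certificates, and signs itself
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo verifies one leaf for 127.0.0.1 twice: against a pool lacking the CA, then with the CA added.
func demo() (unknownAuthority bool, withCA error) {
	ca, caKey := issue(1, nil, nil)
	leaf, _ := issue(2, ca, caKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "127.0.0.1"} // empty trust pool
	_, noCA := leaf.Verify(opts)
	opts.Roots.AddCert(ca) // explicitly trust the private CA
	_, withCA = leaf.Verify(opts)
	var uae x509.UnknownAuthorityError
	return errors.As(noCA, &uae), withCA
}

func main() {
	fmt.Println(demo()) // true <nil>
}
```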

