Syncthing on TrueNAS: TLS in GUI does not work

Hi all, I am using Syncthing Plugin 1.22 on TrueNAS 13.1. It works flawlessly so far, but

  • addressing the GUI using https with “tls false” does not connect (although according to the documentation it should) and
  • setting tls to true makes the GUI unreachable for http and https.

This happens with the self-created, self-signed certificate the installer installed originally as well as with a new one (key + cert) I replaced into etc/syncthing (https-key.pem and https-cert.pem).

The docs mention only the “tls=true/false” parameter in the gui section of config.xml, no way to define the path and name of key and cert.

All in all I am not certain if there is anything at all I could have done wrong. Any help is appreciated. Dirk

6 posts were split to a new topic: Accessing GUI with self signed certs

  • What’s the syntax of the URL you’re using to access Syncthing on TrueNAS?
  • Is the device you’re using a web browser on to access Syncthing on the TrueNAS server on the same subnet?

Ideally, the TLS setting should be set to “true” since your TrueNAS box is likely open to at least the local network. But if you have full control of the LAN, trust every device on it, and aren’t opening anything up to the internet, the risk of using only HTTP should be low.

Hi all, my original post has been somewhat hijacked. My problem is that the WebUI does not start if TLS is activated. How do I troubleshoot that? Any help would be great. Dirk

You were using some sort of plugin on truenas. Are you sure you’re talking directly to syncthing, or are you maybe talking to it through some http proxy? The latter would probably not like a self signed cert and might be configured to use only http. Otherwise, check the syncthing logs, however you access those in that kind of setup (I have no idea, sorry). Enabling/enforcing https in syncthing does quite little under the hood, mostly just makes it refuse/redirect requests over http.

Hi Leo, thanks for your suggestion - I know how to tunnel through ssh, I could also wrap an stunnel around the connection or use a VPN. There are several possible workarounds, but I would prefer to track the original error situation and solve it. That way I might learn a lot more about how Syncthing works and the way its developers are thinking. :)

Cheers, Dirk

Well, on TrueNAS the plugins are running in FreeBSD jails with IP addresses of their own. An http proxy could be added, but that is not part of the standard setup. I am sure it is a genuine Syncthing problem, but so far I have found no logs in the jail’s file system. Do logs in Syncthing have to be explicitly enabled?

There seems to be no documentation on the details of certificate handling Syncthing does - does it rely on a cryptographic backend of the base system (here FreeBSD) or provide crypto libs on its own? Does it expect a full certificate chain, and if yes, is the sequence in the pem file important? Does it have to be PEM or are DER or PKCS12 also possible? Stuff like that would be interesting.

They are certs in PEM form, but to be clear they are loaded and used regardless of whether you enable or disable TLS in the config. Syncthing logs to stdout, so it’s up to the service manager (e.g., systemd) to capture that and store it appropriately, you’d have to look into what happens on your system.

You haven’t shown any errors either, so we don’t have much to go on. You say “doesn’t connect” which to me means “connection refused”, which sounds like an exceedingly unlikely effect of that config option. Perhaps you mean something else.

Literally the only thing the Use HTTPS option does is configure a redirect from HTTP to HTTPS. Nothing else.
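The distinction drawn above (a refused connection versus a listener that merely redirects plain HTTP to HTTPS, or answers TLS with a certificate the browser does not trust) can be checked from the client side without the browser in the way. The following script is an added example for this thread; it is not Syncthing's own code and was not posted by anyone in the discussion. It probes a host:port and classifies the answer as "refused" (nothing listening at all, which no TLS or certificate setting can cause), "tls" (a handshake succeeded, self-signed certs accepted), "http_redirect" (a plain-HTTP listener answering with a 3xx, which is what the "Use HTTPS" option is described as doing) or "http_plain", and it separately checks whether a https-cert.pem/https-key.pem pair is loadable PEM that belongs together. The two local stub listeners and the bogus PEM file in `demo()` are constructed stand-ins so the script runs offline; the 301 status the redirect stub uses is an assumption, the thread does not state which status code Syncthing sends, and the GUI host and port you pass to `probe_gui` are yours to supply.

```python
import os
import socket
import ssl
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_gui(host, port, timeout=3.0):
    """Classify what answers on host:port. Returns a dict with a 'state' key:
    refused / unreachable / tls / http_redirect / http_plain / unknown."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"state": "refused"}            # nobody listening: not a TLS problem
    except OSError as exc:
        return {"state": "unreachable", "error": str(exc)}

    # Try a TLS handshake first. Self-signed GUI certs are expected, so do not
    # verify the chain; we only want to know whether the listener speaks TLS.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return {"state": "tls", "protocol": tls.version(),
                    "cert_der_bytes": len(der)}
    except OSError:                            # SSLError, timeout, reset: not TLS
        raw.close()

    # Not TLS: speak plain HTTP/1.0 and look at the status line and Location.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        head = b""
        while b"\r\n\r\n" not in head and len(head) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            head += chunk
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return {"state": "unknown", "first_bytes": head[:40]}
    status = int(parts[1])
    location = None
    for hdr in lines[1:]:
        if hdr.lower().startswith(b"location:"):
            location = hdr.split(b":", 1)[1].strip().decode(errors="replace")
    if 300 <= status < 400:
        return {"state": "http_redirect", "status": status, "location": location}
    return {"state": "http_plain", "status": status}


def check_pem_pair(cert_path, key_path):
    """'ok' if both files are PEM and the key matches the cert, else why not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
        return "ok"
    except ssl.SSLError as exc:                # garbage PEM, DER, or key/cert mismatch
        return "invalid: " + (exc.reason or str(exc))
    except OSError as exc:                     # missing file, permissions
        return "unreadable: " + str(exc)


# --- constructed stand-ins so the probes can be exercised offline -----------
class _RedirectToHTTPS(BaseHTTPRequestHandler):
    """Stand-in for a GUI listener with tls='true': plain HTTP gets a redirect (301 assumed)."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://%s:%d/" % self.server.server_address[:2])
        self.end_headers()

    def log_message(self, *args):
        pass


class _PlainOK(_RedirectToHTTPS):
    """Stand-in for a GUI listener with tls='false': plain HTTP is served."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")


def start_stub_gui(redirect=True):
    srv = HTTPServer(("127.0.0.1", 0), _RedirectToHTTPS if redirect else _PlainOK)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_port():
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run every classification against the stand-ins; returns the outcomes."""
    out = {"refused": probe_gui("127.0.0.1", free_port(), timeout=1.0)["state"]}
    srv, port = start_stub_gui(redirect=True)
    r = probe_gui("127.0.0.1", port, timeout=1.0)
    out["redirect"], out["redirect_status"] = r["state"], r.get("status")
    srv.shutdown(); srv.server_close()
    srv, port = start_stub_gui(redirect=False)
    out["plain"] = probe_gui("127.0.0.1", port, timeout=1.0)["state"]
    srv.shutdown(); srv.server_close()
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("this is not a certificate\n")       # constructed bogus PEM
    out["bogus_pem"] = check_pem_pair(f.name, f.name).split(":")[0]
    os.unlink(f.name)
    out["missing_pem"] = check_pem_pair("/nonexistent/https-cert.pem",
                                        "/nonexistent/https-key.pem").split(":")[0]
    return out


if __name__ == "__main__":
    print(demo())
```

Against a real jail, run `probe_gui("<jail ip>", <gui port>)` from the machine the browser is on and `check_pem_pair("/path/to/https-cert.pem", "/path/to/https-key.pem")` inside the jail: "refused" points at the process or jail networking, not at the TLS option, while a "tls" result with the browser still failing points at certificate trust in the browser.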

So I have to look more deeply into how the jail on TrueNAS is built (I think systemd is not used).
“Connection refused” is the correct term - sorry for being imprecise. My current suspicion is that Syncthing relies on a cryptographic backend but the FreeBSD jail does not contain any. Reasons are:

  • it did not work with the installer-provided https-cert.pem right from the beginning.
  • I verified https GUI access on a mac instance of Syncthing and copied the https-cert.pem and https-key.pem from there with no success.

Thanks for your fast answers, calmh. I will turn to the TrueNAS guys to see what they come up with. Cheers, Dirk

Syncthing uses the Go crypto stuff, no platform dependency. And as mentioned a few times, the GUI loads certificates and uses HTTPS regardless of any settings.
