What happens when the certificate expires?

I have read the docs regarding how the SHA256 hash of the certificate is used to generate the ID. Looking at my certificate that Syncthing generated (cert.pem not https-cert.pem), I noticed that it will expire in 20 years. What happens after? Will this stop my clients from syncing, or does Syncthing not check the expiry date of the certificate?

While 20 years is a ways away, I would rather not have to worry about a ticking time bomb breaking my sync and forcing me to reconnect all my devices.

You will have to generate a new certificate and get a new device ID in 20 years.

1 Like

Unless, of course, the Syncthing developers devise a genius zero-effort upgrade strategy well before Syncthing’s 20th anniversary. And you stay updated with new versions until then. :wink:

Oh well, 10 years to go :joy:. I’m sure a solution can be found by then. I imagine something like having two certificates and telling every peer that connects that you have a new ID. As long as every device can be reached before the certificate expires this should work.

I’m pretty sure that the current code does not validate the certificate expiry date and will work just fine with expired certs.

This may change in the future though. Suitable key algorithms may also change in the future, so I wouldn’t rely on the ID remaining stable forever. Don’t worry about the expiry for now, but “plan for change” anyway.

1 Like
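An added Go example (not from this thread and not Syncthing's own code) illustrating the point above: when a peer's identity is pinned to the SHA-256 of its certificate, the verifier decides whether NotAfter matters at all. The self-signed certificate and the helper names (makeCert, Fingerprint, DaysLeft, VerifyPinned) are constructed for this example; the hex digest is the raw hash, not Syncthing's device ID encoding.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
// makeCert builds a self-signed ECDSA certificate valid for lifetime (constructed test data,
// standing in for a Syncthing-style cert.pem).
func makeCert(lifetime time.Duration) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// Fingerprint is SHA-256 over the DER certificate: the raw value a hash-derived device
// identity is built from (Syncthing additionally encodes it; that encoding is not shown here).
func Fingerprint(cert *x509.Certificate) [32]byte { return sha256.Sum256(cert.Raw) }
// DaysLeft reports whole days until NotAfter at time now (negative once expired).
func DaysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}
// VerifyPinned accepts a peer certificate only if its fingerprint matches the pinned one.
// With enforceExpiry=false an expired certificate still passes, which is what "does not
// validate the expiry date" means in practice; with true the validity window is checked too.
func VerifyPinned(cert *x509.Certificate, pinned [32]byte, enforceExpiry bool, now time.Time) error {
	if Fingerprint(cert) != pinned {
		return fmt.Errorf("fingerprint mismatch: peer identity not trusted")
	}
	if enforceExpiry && (now.Before(cert.NotBefore) || now.After(cert.NotAfter)) {
		return fmt.Errorf("certificate not valid at %s (NotAfter %s)", now.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}
func main() {
	cert := makeCert(20 * 365 * 24 * time.Hour) // the 20-year default discussed in the thread
	fmt.Printf("fingerprint %x, %d days left\n", Fingerprint(cert), DaysLeft(cert, time.Now()))
	afterExpiry := cert.NotAfter.Add(24 * time.Hour)
	fmt.Println("pin only, past expiry:", VerifyPinned(cert, Fingerprint(cert), false, afterExpiry))
	fmt.Println("pin + expiry, past expiry:", VerifyPinned(cert, Fingerprint(cert), true, afterExpiry))
}
```

Point DaysLeft at a real cert.pem (parsed with encoding/pem and x509.ParseCertificate) to get an expiry countdown you can alert on, independent of whether the sync protocol enforces it.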

Is the default validity period 30 years? I’ve just checked one of my certificates which was generated in 2019, and it is supposedly valid until 2049. Still a long way to go :slight_smile:.

No, 20 years. You might have generated that yourself perhaps?

That certainly appears to be the case. :+1:

1 Like

That’s strange. I’ve checked all my devices, and two of them have certificates that are valid until 2049-12-31T23:59:59.000Z (while the rest are valid for 20 years). Both of them were generated by Syncthing, and especially the first one from 2019 was generated using the official (not self-compiled) binary, as this is the certificate that was generated when I started using Syncthing for the very first time.

1 Like

Indeed, we had that hardcoded until v1.3.2 sometime in 2019, apparently, then we switched to now + 20 years for the device certificate. This was when we changed to a short(er) lifetime for the HTTPS certs.

1 Like