x509 Cert Error

When trying to connect two servers using their device ID, one of the servers is giving the error: [CKR6B] 2022/06/28 14:10:31 INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get “https://relays.syncthing.net/endpoint”: x509: certificate signed by unknown authority

We had this set up and running on the server under a different user, but that user is no longer around, so we are trying to run it under a new user. I’m not sure where to look or what to do, as it looks to be an issue with the relay? Any help is appreciated. Thank you!

This is not about the relay but rather the operating system missing the proper certificate. You will find a lot of information on this if you search the forum for “x509”. How to fix will depend on the OS at hand.

Any idea why I would be getting this error if both of these servers were already connected and syncing files? We didn’t get this error before. Same install but being run under a different user. Could that cause this? Do we need to uninstall and re-install on both servers?

Not really sure, but the problem is about the OS certificate. Reinstalling just Syncthing itself probably won’t change anything.

BUMP

I’m still having this issue and not sure where to look. This is just a normal install on both servers and trying to connect. We are not using certs for the connection and no custom relay servers or anything. How can I track down which cert is throwing the error?! Any assistance would be GREATLY appreciated!

Which OS and OS version is the server running?

It’s a generic problem with your operating system having outdated certificates, not a syncthing problem, suggest you look for guides/help specific to your operating system.

Hi @martinleben. It is a 2012 R2, Version 6.3 (Build 9600). Thank you.

I second what @AudriusButkevicius wrote. And, as confirmation, Windows Server 2012 R2 - Wikipedia says:

Mainstream support ended on October 9, 2018

I guess what my issue is here, we had SyncThing running and working, ON THIS SERVER. The user it was running under is no longer around, so we tried to set it up under a different user on the same system; that is when we started to see the SSL cert error. Why would it just randomly break? And again, we are not using certs as part of the connection, just trading the device IDs. Also, I don’t know what cert it is saying it can’t find the Cert Authority for. So I’ll look for a different solution. Thank you for the help.

I’d assume that normally Syncthing should work in Windows Server 2012 with no issues, as a) the OS is supported and receives security updates from Microsoft until next year, and b) Syncthing still works perfectly fine under Windows 7, which is older than Server 2012 and has been out of MS support for 2 years already.

Is Windows completely up-to-date? If yes, is there anything recorded, e.g. in the Event Viewer that could possibly be connected with the certificate errors? Is your date and time set correctly?

Edit: You should specifically look up whether your OS has got all the latest root certificate updates installed. Normally, this should be all done automatically through the Windows Update, but the situation may vary (e.g. if you’ve disabled automatic updates or hidden some previously problematic updates, or perhaps the certificate update is listed under “optional”, etc.).

Syncthing needs these certificates to establish relay connections. The same problem happens in older Android versions, where the only solution is to manually install the missing certificates (e.g. using root access). As mentioned above, your OS should already have them, installed through the Windows Update.

Root store updates on Windows are not managed through Windows Update KB’s. There are Microsoft servers involved, but the mechanism employs certificate lazy-loading where the computer fetches new roots on-demand - no update required. This mechanism can get broken for unknown reasons though. It may also require an explicit trigger of the platform verifier - not sure if Go does that by itself. Visiting any Let’s Encrypt secured website with a tool that uses CAPI (Powershell webrequest, schannel, Chrome…) should do the trick.

But even if the system does not have Let’s Encrypt’s root cert (ISRG Root X1), I guess this only affects the relay pool server? Discovery and all shouldn’t be affected, so unless the system is dependent on relays this should not be a major issue for Syncthing.
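The post above describes how Windows fetches missing roots on demand and suggests triggering that with a CAPI-backed request. The following PowerShell script is an added example (not from this thread or the Syncthing project) that checks whether ISRG Root X1 is already in the machine root store, issues a request through Invoke-WebRequest (which uses schannel/CAPI) to trigger the on-demand fetch, and re-checks. It assumes the relay pool endpoint from the error message is reachable over HTTPS and is served with a Let’s Encrypt certificate, and that the script runs in an elevated PowerShell session on the affected server.

```powershell
# Added example, not part of the original thread.
# Assumption: https://relays.syncthing.net/endpoint is reachable and uses a
# Let's Encrypt chain, so a successful CAPI request should pull in ISRG Root X1.

$IsrgSubject = 'CN=ISRG Root X1, O=Internet Security Research Group, C=US'

function Test-IsrgRootPresent {
    # Look only at the machine-wide Root store; Syncthing's Go runtime consults
    # the system store, not a per-user store of whoever used to run the service.
    $hit = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $IsrgSubject }
    return [bool]$hit
}

function Test-RootAutoUpdateDisabled {
    # Group Policy can switch off automatic root updates entirely; if this is 1,
    # the lazy-loading mechanism described above cannot work.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $val = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableRootAutoUpdate -eq 1)
}

"Root auto-update disabled by policy: $(Test-RootAutoUpdateDisabled)"
"Before: ISRG Root X1 present = $(Test-IsrgRootPresent)"

# Windows Server 2012 R2 does not default to TLS 1.2 for .NET clients, so
# force it; otherwise the handshake may fail for reasons unrelated to trust.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

try {
    # Any CAPI-backed HTTPS request will do; this is the URL from the error.
    $null = Invoke-WebRequest -Uri 'https://relays.syncthing.net/endpoint' `
        -UseBasicParsing -TimeoutSec 20
    'Request succeeded: CAPI built the chain (root fetched or already present).'
} catch {
    "Request failed: $($_.Exception.Message)"
}

"After: ISRG Root X1 present = $(Test-IsrgRootPresent)"

# Clock skew also produces chain-validation failures; record it alongside.
"System time (UTC): $((Get-Date).ToUniversalTime())"

# The CAPI2 operational log records chain-building and root-download failures.
# It is disabled by default, so this returns nothing until it is enabled.
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the "After" line still reports the root as missing, the automatic root update path is broken or blocked (by policy, by an outbound firewall rule, or by an unreachable Windows Update CTL server), and the remaining fix is to import the root into Cert:\LocalMachine\Root from a trusted copy, after which Syncthing should be restarted so the Go runtime re-reads the store.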

Thanks for the clarification! My knowledge was clearly outdated here. They used to be managed through Windows Update up to Windows XP and Server 2003, through monthly updates.

Well, it probably depends on the situation. If the computers are on the same network, likely not. In the case of Android, relays not working is kind of a deal-breaker, as without them the phone can’t sync through mobile data. The same could very well be true for desktop computers located in different locations with no public IPs, etc.

I’ve myself got devices located in different countries, which I couldn’t connect without relays.

