x509: certificate signed by unknown authority

I want to use my own discovery server, so I set up the server with Docker (I referenced this article).

So I used Let’s Encrypt to get a CA-signed SSL certificate. I checked in the Chrome browser, and the certificate validation is successful.

But Syncthing gets an x509 error.

`global.go:224: DEBUG: announce POST: Post https://discovery.studygram.kr: x509: certificate signed by unknown authority`

My environment:

  • Syncthing is built on Windows 10 (amd64)
  • Syncthing (version 0.14.39) runs on Ubuntu 16.04.2 LTS (amd64)

Thank you in advance

I think Chrome ships its own CA bundle. Go uses your OS bundle. I suspect if you try curl, it will fail with the same error. You need to update your OS cert bundle.

Thank you for your very quick reply. I’ll check this. Thank you so much.

I checked your advice.
The OS cert bundle is not the problem.
The site https://helloworld.letsencrypt.org/ is signed by the Let’s Encrypt Authority X3 CA (same as mine).
`curl https://helloworld.letsencrypt.org` successfully prints the HTML.
But for my discovery server URL it prints:

```
curl: (60) SSL certificate problem: unable to get local issuer certificate
```

I think my nginx settings have a problem, but I don’t know what it is…
Below is my nginx conf file. Please let me know what the problem is.

```nginx
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-SSL-Cert $ssl_client_cert;
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        return 503;
}
upstream discovery.studygram.kr {
        ## Can be connect with "sdd_default" network
        # syncthing_discovery_run
        server 172.19.0.2:8443;
}
server {
        server_name discovery.studygram.kr;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name discovery.studygram.kr;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_certificate /etc/nginx/certs/discovery.studygram.kr.crt;
        ssl_certificate_key /etc/nginx/certs/discovery.studygram.kr.key;
        ssl_trusted_certificate /etc/nginx/certs/discovery.studygram.kr.chain.pem;
        ssl_dhparam /etc/nginx/certs/discovery.studygram.kr.dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000";
        ssl_verify_client optional_no_ca;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://discovery.studygram.kr;
        }
}
```

Thank you in advance

Make sure you have any intermediate certificates in the file as well.

```nginx
# This is the Let's Encrypt fullchain. It has the cert and chain (certificate and intermediate certificates)
ssl_certificate /etc/nginx/certs/discovery.studygram.kr.crt;

# This is the key file
ssl_certificate_key /etc/nginx/certs/discovery.studygram.kr.key;

# This is the chain (intermediate certificates)
ssl_trusted_certificate /etc/nginx/certs/discovery.studygram.kr.chain.pem;
```

These are my nginx settings. I think I have the intermediate certificates. Is that right? But it’s not working yet.

I don’t know, but this seems like an nginx or certificate setup issue.

My mistake… I added the intermediate certificates to nginx, but I didn’t restart it…

I’m really sorry for being so stupid.

Thank you for your kind reply.
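
Added example (not part of the thread and not Syncthing's code): the failure discussed above, reproduced offline with a constructed root, intermediate and leaf. Go's verifier builds the chain only from local roots plus the intermediates the server sends, so a leaf-only server gives `x509: certificate signed by unknown authority` while a full-chain server verifies. The names `issue`, `verify`, `demo` and the `.example` hosts are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent makes it self-signed.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert, key
}

// verify checks leaf as a Go TLS client would: roots are local, intermediates are only what the server sent.
func verify(leaf *x509.Certificate, roots *x509.CertPool, sent ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range sent {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: leaf.DNSNames[0]})
	return err
}

// demo returns the verification result for a leaf-only server and for a full-chain server.
func demo() (leafOnly, fullChain error) {
	root, rootKey := issue("root.example", 1, true, nil, nil)
	inter, interKey := issue("intermediate.example", 2, true, root, rootKey)
	leaf, _ := issue("discovery.example", 3, false, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return verify(leaf, roots), verify(leaf, roots, inter)
}

func main() { fmt.Println(demo()) }
```

Running it prints the leaf-only error followed by `<nil>` for the full chain.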
