x509: certificate signed by unknown authority

I want to use my own discovery server, so I set up the server with Docker (I referenced this article).

So I used Let’s Encrypt to get a CA-signed SSL certificate, and I checked through the Chrome browser that the certificate validation is successful.

But Syncthing reports an x509 error.

`global.go:224: DEBUG: announce POST: Post https://discovery.studygram.kr: x509: certificate signed by unknown authority`

My environment is:

  • Syncthing is built on Windows 10 (amd64)
  • Syncthing (version 0.14.39) runs on Ubuntu 16.04.2 LTS (amd64)

Thank you in advance

I think Chrome ships its own CA bundle. Go uses your OS bundle. I suspect if you try curl, it will fail with the same error. You need to update your OS cert bundle.

Thank you for your very quick reply. I’ll check this. Thank you so much.

I checked your advice.
The OS cert bundle is not the problem.
The site https://helloworld.letsencrypt.org/ is signed by Let’s Encrypt Authority X3 (same as mine).
`curl https://helloworld.letsencrypt.org` successfully prints the HTML.
But for my discovery server URL, it prints:
`curl: (60) SSL certificate problem: unable to get local issuer certificate`

I think that my nginx settings have a problem, but I don’t know what it is…
Below is my nginx conf file. Please let me know what the problem is.

```nginx
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-SSL-Cert $ssl_client_cert;
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}
upstream discovery.studygram.kr {
    ## Can be connect with "sdd_default" network
    # syncthing_discovery_run
    server 172.19.0.2:8443;
}
server {
    server_name discovery.studygram.kr;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name discovery.studygram.kr;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/nginx/certs/discovery.studygram.kr.crt;
    ssl_certificate_key /etc/nginx/certs/discovery.studygram.kr.key;
    ssl_trusted_certificate /etc/nginx/certs/discovery.studygram.kr.chain.pem;
    ssl_dhparam /etc/nginx/certs/discovery.studygram.kr.dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_verify_client optional_no_ca;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://discovery.studygram.kr;
    }
}
```

Thank you in advance

Make sure you have any intermediate certificates in the file as well.

```nginx
# This is the Let's Encrypt fullchain. It has the cert and chain (certificate and intermediate certificates).
ssl_certificate /etc/nginx/certs/discovery.studygram.kr.crt;

# This is the key file.
ssl_certificate_key /etc/nginx/certs/discovery.studygram.kr.key;

# This is the chain (intermediate certificates).
ssl_trusted_certificate /etc/nginx/certs/discovery.studygram.kr.chain.pem;
```

This is my nginx setting. I think that I have the intermediate certificates. Is that right? But it’s not working yet.

I don’t know, but this seems to be an nginx or certificate setup issue.

My mistake… I added the intermediate certificates to nginx, but I didn’t restart it…

I’m really sorry for being so stupid.

Thank you for your kind reply.