Error: TLS error: The host name did not match any of the valid hosts

[aerusso]

Hello,

I upgraded syncthing to 1.29, which moved the default configuration files from ~/.config/syncthing to ~/.local/state/syncthing . Perhaps foolishly, I moved that directory over. Syncthing itself seems to be working excellently, but syncthingctl is having trouble finding the certificate for the control endpoint. I'd like to get syncthingctl working, so I'd like to know if there were an easy way to troubleshoot where syncthinctl is looking for the certificate.

Caveats:
This is a debian trixie headless server, running syncthingtray 1.7.5-1.
I cannot remember if this was working pre-move.
This works on another debian (gui) machine with the same version of everything.

The only major difference I can see between the functioning machine and the nonfunctioning one is that the working one has a ~/.config/syncthingtray.ini file. But that file has an explicitly empty httpsCertPath:

[tray]
connections\1\syncthingUrl=http://127.0.0.1:8384
connections\1\httpsCertPath=

(obviously redacting most of that section). It seems unlikely that I would need to create a similar file on the headless server, since it already seems to be finding the syncthing port just fine (the error message shows the syncthing-generated certificate, it just doesn't like it: Error: TLS error: The certificate is self-signed, and untrusted (9)).

[Martchus]

This is a debian trixie headless server, running syncthingtray 1.7.5-1.

Please file only tickets against the latest release¹. I don't have the time to support older versions. I can still give a few general hints:

• ~/.config/syncthingtray.ini is not used by syncthingctl at all; it is only used by syncthingtray and the Plasmoid for KDE.
• Probably syncthingctl doesn't find the cert under the other location. Maybe that has already been improved in the current release but I would have to test this myself.
• You can use --cert [path] or the env variable SYNCTHING_CTL_CERTIFICATE to specify the cert path manually, see syncthingctl --help.

---

¹ I just see that this is actually just a "discussion". I'd still recommend using the latest version.

[Martchus]

Maybe you accidentally set one of the mentioned env variables?

I don't think there's currently a way to log the cert path. You could actually try to specify the path explicitly via --cert [path] to see whether loading the cert works at all. If not you'll get Error: Unable to load specified certificate "…". If it works then the problem is really just locating the cert.

It also needs to locate the Syncthing config to determine the URL and API key. Does this work?

[aerusso]

I checked the environment variables, and nothing is set. There's something screwy going on though: when I set url even on the healthy machine, it just hangs: strace syncthingctl --url https://127.0.0.1:8385

read(4, "-----BEGIN CERTIFICATE-----\nMIIC"..., 16384) = 782
read(4, "", 15602)                      = 0
close(4)                                = 0
statx(AT_FDCWD, "/home/<USERNAME>/.local/state/syncthing/https-cert.pem", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT, STATX_ALL, {stx_mask=STATX_ALL|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=782, ...}) = 0
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=3552, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=3552, ...}) = 0
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 3552
lseek(4, -2260, SEEK_CUR)               = 1292
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2260
close(4)                                = 0
newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=3552, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=3552, ...}, 0) = 0
ppoll([{fd=3, events=POLLIN}], 1, {tv_sec=0, tv_nsec=0}, NULL, 8) = 0 (Timeout)
ppoll([{fd=3, events=POLLIN}], 1, NULL, NULL, 8^Cstrace: Process 12123 detached
 <detached ...>

That might be a bug (and I don't want to waste your time with that), so I'll probably just have to compile this with printfs to figure out what is happening.

Thanks for looking at this.

[Martchus]

I also noticed the hanging. Probably in the presence of the url argument it doesn't assume the status operation to be the default anymore so it just hangs without any operation. I'll look into this issue.

[aerusso]

Thank you, this last comment got me to put it all together.

With the url specified as my ipv4 address, it works. Specified by the hostname as the url it does not.

I'm guessing a name comparison is being performed. Specifically, because the error message says:

Error: TLS error: The host name did not match any of the valid hosts for this certificate (22)

That's not the whole story though: if I replace my fqdn with just the host name, I'm left with only the final error:

Error: TLS error: The certificate is self-signed, and untrusted (9)

Presumably, there is some path that is ok with self-signed certificates only if it is for an IP address. The issue is caused by specifying a domain name in the syncthing configuration, and can be worked around by specifying the IP as the URL directly (or in the environment variable). A better solution is to get a real certificate if you want to use a domain name.

Digging in a bit more, I found SyncthingConnection::loadSelfSignedCertificate. Reading your docstring, it looks like you don't load the self-signed certificate if the url fails isLocal (quite reasonably, I'll add). Trying to add logic to decide to add the self-signed certificate, when an actually globally-accessible URL happens to point to a local instance seems ripe for some kind of security bug, so really I think this is just a "too bad, either use your local ip, or actually get a real certificate" kind of resolution.

Thanks again for the help and the great application!

[Martchus]

Right, I had added this kind of check. I suppose I'll leave it like this because the code is probably complicated enough.

I will look into the app hanging with no operation of course.

I guess it also can't hurt to add debug output one can enable via an env variable or CLI flag for the certificate loading.

[Martchus]

Just for the record, I fixed the CLI hanging with no operation.

One can also now set the env variable LIB_SYNCTHING_CONNECTOR_LOG_CERT_LOADING=1 to debug the certificate loading like it has already been possible for many other details (see https://github.com/Martchus/syncthingtray/blob/master/docs/devel.md#logging).