[Solved] Syncthing fails to connect to relays after upgrading to v1.1.0


Mark van Leeuwen

Mar 7, 2019, 4:47:12 AM
to al...@googlegroups.com
Hi

Alt-F comes with a rather outdated version of Syncthing: 0.x, while the latest at time of writing is 1.1.0. As syncthing includes an automatic updater this shouldn't be a problem... except it is. Below is how to make it all work.

Install the syncthing package via the package manager in Alt-F, then as root update syncthing using the command:
# syncthing -upgrade
In my case it updated to v1.1.0

When starting syncthing (as normal user as for normal usage root is not recommended), this new version started to complain when trying to access relays:
c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.000000 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]

Some investigation revealed that the golang runtime syncthing is written in could not validate the SSL/TLS certificate of relays.syncthing.net; the reason is that it is looking for the CA certificates in the following paths, none of which match Alt-F's file /etc/ssl/ca-bundle.cert.
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",   // Fedora/RHEL
"/etc/ssl/ca-bundle.pem",             // OpenSUSE
"/etc/pki/tls/cacert.pem",            // OpenELEC

The solution was to symlink ca-bundle.pem -> ca-bundle.crt via (as root)
# cd /etc/ssl;  ln -s ca-bundle.crt ca-bundle.pem

Start syncthing again and there you go, no more relay errors! ;-)

Note: As the syncthing updates can only be done by root (who owns the executable in Alt-F), I would recommend you disable the automatic updates feature via the gui as it will only complain about failed updates if you run syncthing as a regular user .... which you should.

@João
1) Any option to create such a symlink by default? It seems it would solve the same problem for any software written in Go.
2) Another thing is that the ca-bundle.crt seems quite outdated. Any plans to do a little update round of the CA certificates, or to make it a separate package installed by default that could be updated via the regular GUI?
3) Maybe you could upgrade the Alt-F syncthing package? There is an ARM build precompiled on the syncthing page https://github.com/syncthing/syncthing/releases/download/v1.1.0/syncthing-linux-arm-v1.1.0.tar.gz

Best, 
Mark

João Cardoso

Mar 7, 2019, 11:16:26 PM
to Alt-F


On Thursday, March 7, 2019 at 9:47:12 AM UTC, Mark van Leeuwen wrote:
> Hi
>
> Alt-F comes with a rather outdated version of Syncthing: 0.x, while the latest at time of writing is 1.1.0. As syncthing includes an automatic updater this shouldn't be a problem... except it is. Below is how to make it all work.
>
> Install the syncthing package via the package manager in Alt-F, then as root update syncthing using the command:
> # syncthing -upgrade
> In my case it updated to v1.1.0

Its GUI has such a facility, I just used it. But after the upgrade their GUI didn't show up in the embedded Alt-F frame, you need to open it on a separate tab at http://<yournas>:8088
This is a security mechanism: although their advanced options allow it (embedding in a frame), it continues to not be embedded. Thus the Alt-F Configure button does not work.

> When starting syncthing (as normal user as for normal usage root is not recommended), this new version started to complain when trying to access relays:
> c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.000000 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
>
> Some investigation revealed that the golang runtime syncthing is written in could not validate the SSL/TLS certificate of relays.syncthing.net; the reason is that it is looking for the CA certificates in the following paths, none of which match Alt-F's file /etc/ssl/ca-bundle.cert.
> "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
> "/etc/pki/tls/certs/ca-bundle.crt",   // Fedora/RHEL
> "/etc/ssl/ca-bundle.pem",             // OpenSUSE
> "/etc/pki/tls/cacert.pem",            // OpenELEC
>
> The solution was to symlink ca-bundle.pem -> ca-bundle.crt via (as root)
> # cd /etc/ssl;  ln -s ca-bundle.crt ca-bundle.pem

Yes, that is the solution, even for other packages, and it is already on my (non cvs committed) sources.

> Start syncthing again and there you go, no more relay errors! ;-)
>
> Note: As the syncthing updates can only be done by root (who owns the executable in Alt-F), I would recommend you disable the automatic updates feature via the gui as it will only complain about failed updates if you run syncthing as a regular user .... which you should.

The 'rcsyncthing' init script does it all, including running it under the syncthing user and allowing connections from other hosts (that you address in another post).
Whenever possible use the rc<service> shortcuts to the /etc/init.d/ initscripts, as they often customize needed requirements.

> @João
> 1) Any option to create such a symlink by default? It seems it would solve the same problem for any software written in Go.

Yes, when/if for the next release.

> 2) Another thing is that the ca-bundle.crt seems quite outdated. Any plans to do a little update round of the CA certificates, or to make it a separate package installed by default that could be updated via the regular GUI?

Good idea. An automatic cron update will be better than a package, less burden for me and the users.

> 3) Maybe you could upgrade the Alt-F syncthing package? There is an ARM build precompiled on the syncthing page https://github.com/syncthing/syncthing/releases/download/v1.1.0/syncthing-linux-arm-v1.1.0.tar.gz

I don't like to re-distribute binaries, syncthing is one exception, as I don't have the build cross-development setup for Go to build it myself. And as there is the option of upgrading from within their own GUI... inertia won.
But it is a possibility.

Thanks

> Best,
> Mark
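
A diagnostic for the CA bundle lookup failure discussed in this thread, as an added example that is not part of the original posts. It checks only the four candidate paths quoted above (the list in a given Go release may be longer) and reports whether each holds a usable PEM bundle; the `ROOT` prefix and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the four CA bundle paths quoted
# in the post. ROOT is a hypothetical prefix for testing against a scratch
# tree; leave it unset to inspect the live filesystem.

CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/pki/tls/cacert.pem"
PEM_MARK='-----BEGIN CERTIFICATE-----'

# Print the first candidate that is a readable regular file (symlinks are
# followed) holding at least one PEM certificate; return 1 if there is none.
find_ca_bundle() {
    root="${1:-}"
    for p in $CA_CANDIDATES; do
        f="$root$p"
        if [ -f "$f" ] && [ -r "$f" ] && grep -q -e "$PEM_MARK" "$f"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Print one status line per candidate so a broken fix is visible:
# "dangling" means the symlink exists but its target does not.
report_ca_paths() {
    root="${1:-}"
    for p in $CA_CANDIDATES; do
        f="$root$p"
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "dangling $p"
        elif [ ! -f "$f" ]; then
            echo "missing  $p"
        elif grep -q -e "$PEM_MARK" "$f" 2>/dev/null; then
            echo "ok       $p ($(grep -c -e "$PEM_MARK" "$f") certificates)"
        else
            echo "no-certs $p"
        fi
    done
}

report_ca_paths "${ROOT:-}"
```

Current Go releases on Linux also honour the `SSL_CERT_FILE` environment variable, which points the runtime at a bundle without changing anything under /etc/ssl.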