[BUG] HTTPS API request not supported - net::ERR_CERT_AUTHORITY_INVALID #102

LBF38 opened this issue Aug 18, 2023 · 8 comments
Status: Open
Labels: bug, important

LBF38 commented Aug 18, 2023

Describe the bug

Can't make an HTTPS API request to the Syncthing REST API. It throws an error.
Same issue on mobile too.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the plugin's settings tab.
  2. Change the Syncthing base URL to use the https protocol.
  3. Click on "Check API Status"
  4. See error

Expected behavior

Should display "Syncthing Ping : Pong" to correctly check the API status.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Brave
  • Version:

Smartphone (please complete the following information):

  • Device: Android
  • OS:
  • Browser:
  • Version:

Additional context

Need to do some research on HTTPS requests.


LBF38 commented Aug 22, 2023

Link to the open topic for this issue :


LBF38 commented Aug 28, 2023

Here is a SO response to add the CA to a fetch request : https://stackoverflow.com/questions/31861109/tls-what-exactly-does-rejectunauthorized-mean-for-me

But the issue is that it is possible in a nodejs environment, thus not on mobile.


LBF38 commented Sep 1, 2023

As far as I know, here are some solutions/ideas I have found to resolve, in some way, the HTTPS issue :

  1. Adding the self-signed certificate to the trusted certificates store: It should also work on mobile, even though the procedure to make it work is longer to achieve and tougher. Might be the best solution.
  2. Ignore the certificate validation by using the rejectUnauthorized: false header inside the request: This has been mentioned in the NodeJS documentation. Therefore, I need to test it on mobile to see if it would work.
  3. Disabling the HTTPS: This one is the simplest but least secure of all. It will work on mobile while exposing sensitive data if not on a trusted network. Therefore, it is suboptimal but at least it works.
  4. Change the certificate to a Let's Encrypt certificate (or other one) : This one would resolve the issue of the untrusted certificate. But it needs to be modified inside the Syncthing configuration, thus it needs more research.


LBF38 commented Sep 19, 2023

From the Syncthing Forum answers :
https://letsencrypt.org/docs/certificates-for-localhost/

openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")


LBF38 commented Oct 2, 2023

Problem solved on PC / Desktop !!! 🎉
Here are the steps to follow:

  1. Stop Syncthing
  2. Go to the Syncthing local config directory: <your user path>\AppData\Local\Syncthing
  3. Generate a private key:
     openssl genrsa -out https-key.pem 2048
  4. Generate the certificate for localhost:
     openssl req -new -x509 -key https-key.pem -out https-cert.pem -days 1095 -subj "/CN=localhost/O=Syncthing/OU=Syncthing Automatically Generated" -addext "subjectAltName = DNS:localhost"

     Note: The -days 1095 is required for Syncthing to not generate another certificate and erase the one we generate. It seems that the system automatically regenerates the HTTPS certificate to still be valid.
     1095 days = 3 years.

  5. Generate a https-cert.cer from the generated certificate:
     openssl x509 -in https-cert.pem -outform der -out https-cert.cer
  6. Add your newly generated certificate https-cert.cer to your PC's certificate root store and make it trustworthy.
  7. Restart Syncthing
  8. Go to https://localhost:8384, you should see a valid, trusted certificate!
  9. Now, in Obsidian, in the Syncthing Integration plugin's settings, test the API Status, you should get Syncthing ping: pong notification!
  10. Enjoy! Full-HTTPS connection!

Now, I need to test this on mobile to see if it also works !!
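
Before the generated certificate is added to a root store, it is worth confirming what is about to be trusted; the script below is an added example, not part of the original comment or the plugin's code. It reports a missing `DNS:` subjectAltName entry, a `CA:TRUE` basic constraint (which `openssl req -x509` can add from the default OpenSSL configuration) and short remaining validity, and checks that the `.cer` matches the `.pem`. The function names and the 365-day threshold are assumptions; the file names are the ones used in the steps above.

```sh
#!/bin/sh
# Added example (not from the issue): audit a certificate before trusting it.
# Function names, the host argument and the day threshold are illustrative.

# cert_findings CERT_PEM HOST MIN_DAYS
# Prints one finding per line; prints nothing when the certificate is fit to
# be trusted as a server certificate for HOST.
cert_findings() {
    cf_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "unreadable: cannot parse $1"; return 0; }

    # Chromium-based clients match the host against subjectAltName, not CN.
    printf '%s\n' "$cf_text" | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,|[[:space:]]|\$)" \
        || echo "san: DNS:$2 is missing from subjectAltName"

    # A trusted root marked CA:TRUE can issue certificates for any site,
    # so anyone who can read its private key could impersonate other hosts.
    printf '%s\n' "$cf_text" | grep -q 'CA:TRUE' \
        && echo "ca: basicConstraints CA:TRUE, key can sign other certificates"

    # Remaining validity, compared with the threshold the caller expects.
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1 \
        || echo "expiry: fewer than $3 days of validity remain"
    return 0
}

# same_cert CERT_PEM CERT_DER: succeeds when the DER file that gets imported
# into the store has the same SHA-256 fingerprint as the PEM Syncthing serves.
same_cert() {
    sc_a=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    sc_b=$(openssl x509 -in "$2" -inform der -noout -fingerprint -sha256) || return 1
    [ "$sc_a" = "$sc_b" ]
}

# Usage with the file names from the steps above, run in the config directory.
if [ -f https-cert.pem ] && [ -f https-cert.cer ]; then
    cert_findings https-cert.pem localhost 365
    same_cert https-cert.pem https-cert.cer || echo "mismatch: .cer differs from .pem"
fi
```

If a `ca:` finding appears, regenerating the certificate with an explicit extension section that sets only `subjectAltName`, `keyUsage` and `extendedKeyUsage`, as in the Let's Encrypt command quoted earlier in the thread, avoids trusting a key that can sign for other hosts.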


LBF38 commented Jan 21, 2024

This issue should now be solved thanks to this PR (syncthing/syncthing-android#2013).
The import/export config feature is available in both Syncthing Android apps (official and fork versions).

The setup needs to be tested before closing this issue.
