GothenburgBitFactory / taskwarrior

Taskwarrior - Command line Task Management
https://taskwarrior.org
MIT License

`taskd sync` Causes Cert Error on Only One Computer #2612

Closed pestala closed 3 years ago

pestala commented 3 years ago

This morning when I ran `task sync` on my main machine, I got the following error:

```
Syncing with MYURL.com:53589

Handshake failed.  Error in the certificate.
Sync failed.  Could not connect to the Taskserver.
```

I have not made any changes to the configuration on the device that fails, and it was working fine yesterday.

Running the same command on my laptop and in Foreground with the same configuration works (i.e. all certs and keys have been copied directly with no modifications). I checked that all the configuration files match exactly.

`task diag`:

```
task 2.5.1
   Platform: Linux

Compiler
    Version: 9.2.1 20200306
       Caps: +stdc +stdc_hosted +LP64 +c8 +i32 +l64 +vp64 +time_t64
 Compliance: C++11

Build Features
      CMake: 3.16.3
    libuuid: libuuid + uuid_unparse_lower
  libgnutls: 3.6.11
 Build type: None

Configuration
       File: /home/MYHOME/.taskrc (found), 2263 bytes, mode 100664
       Data: /home/MYHOME/.task (found), dir, mode 40755
    Locking: Enabled
         GC: Enabled
    $EDITOR: /usr/bin/vim
     Server: MYDOMAIN.com:53589
         CA: /home/USER/.task/DST_ROOT_CA_X3.crt, readable, 2260 bytes
      Trust: strict
Certificate: /home/USER/.task/USER.cert.pem, readable, 3755 bytes
        Key: /home/USER/.task/USER.key.pem, readable, 24745 bytes
    Ciphers: NORMAL
      Creds: MYORG/USER/************************************

Hooks
     System: Enabled
   Location: /home/MYHOME/.task/hooks
             (-none-)

Tests
      $TERM: st-256color (120x30)
       Dups: Scanned 187 tasks for duplicate UUIDs:
             No duplicates found
 Broken ref: Scanned 187 tasks for broken references:
             No broken references found
```

I am running my own server from home with a static IP address.

I tried restarting taskd on my server and rebooting the machine with no luck.

Any suggestions would be greatly appreciated!

tbabej commented 3 years ago

Is it possible that this machine has its time misconfigured, making the certificate expired or not valid yet?

pestala commented 3 years ago

The system time is correct.

I've got three devices connecting to the same server with only one machine having an issue.

The machine having the issue had version 2.5.1 installed, so I upgraded to 2.5.3 with no luck.

tbabej commented 3 years ago

What are the operating systems (and their versions) on the devices in question?

pestala commented 3 years ago

For the clients, I'm running Pop!_OS 20.04 LTS on the laptop and desktop. I also have Foreground running on my Android phone. For the server, I'm running Raspbian Buster (10) on a Raspberry Pi 3. The desktop client is the one that is giving the error.

bradyt commented 3 years ago

@pestala what if you try `taskd.ca = isrgrootx1.pem` from https://letsencrypt.org/certificates/, on the desktop?

Can you review the Taskserver logs to see if there's more information during the exception, for example with `debug.tls = 2`?

pestala commented 3 years ago

@bradyt That cert fixed it!

I have a pretty dim understanding of how these keys and certs interact with each other. Do you know why one cert would work on one client but not on another?

Does it make sense to use the letsencrypt cert on all my clients, or is it better to leave the working clients alone?

Thanks for all your help! :)

bradyt commented 3 years ago

I have a little bit of information. I believe the Let's Encrypt DST_ROOT_CA_X3.crt expired a few days ago.

I'm not sure why it would work on some devices but not others, especially on identical operating systems.

Does it still work on the laptop if you comment out that `taskd.ca` line, like the following?

```
# taskd.ca = ~/.task/DST_ROOT_CA_X3.crt
```

If so, maybe Taskwarrior can rely on some system CA files, for example, similar to how Let's Encrypt CA files are distributed for browsers to function, if I understand correctly.
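The cause suggested in the comment above is an expired trust anchor pinned through `taskd.ca`. As an added example (not part of the thread and not Taskwarrior code), this Python sketch lists the CA files a `.taskrc` pins and flags expired certificates in them. It uses Python's `ssl` module rather than the GnuTLS library Taskwarrior is built against, and the sample `.taskrc` contents are constructed.

```python
import os
import re
import ssl
import time

# Constructed sample .taskrc, modelled on the settings shown in `task diag`.
SAMPLE_TASKRC = """\
taskd.server = MYDOMAIN.com:53589
# taskd.ca = ~/.task/isrgrootx1.pem
taskd.ca = ~/.task/DST_ROOT_CA_X3.crt
taskd.trust = strict
"""

def active_ca_paths(taskrc_text):
    """Return every uncommented taskd.ca value, in file order."""
    return re.findall(r"^[ \t]*taskd\.ca[ \t]*=[ \t]*(\S+)", taskrc_text, re.MULTILINE)

def seconds_left(not_after, now=None):
    """Seconds until an OpenSSL-style notAfter time; negative means expired."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_after) - now

def audit_ca_file(path, now=None):
    """Return (name, notAfter, expired) for each CA certificate in a PEM file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Raises ssl.SSLError if the file holds no parseable certificate.
    ctx.load_verify_locations(cafile=os.path.expanduser(path))
    rows = []
    for cert in ctx.get_ca_certs():
        subject = dict(rdn[0] for rdn in cert["subject"])
        name = subject.get("commonName") or subject.get("organizationName", "?")
        rows.append((name, cert["notAfter"], seconds_left(cert["notAfter"], now) < 0))
    return rows

if __name__ == "__main__":
    rc = os.path.expanduser("~/.taskrc")
    # Fall back to the constructed sample when no real .taskrc exists.
    text = open(rc).read() if os.path.exists(rc) else SAMPLE_TASKRC
    for ca in active_ca_paths(text):
        try:
            for name, not_after, expired in audit_ca_file(ca):
                print(f"{ca}: {name} notAfter={not_after} {'EXPIRED' if expired else 'ok'}")
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            print(f"{ca}: cannot load ({exc})")
```

An expired entry here means the pinned file itself needs replacing; it says nothing about whether the system trust store would validate the server.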

pestala commented 3 years ago

The laptop does still sync after commenting out that line.

I took a few steps to test if taskwarrior would ignore the certificate I provided and use a system cert instead:

This may be the wrong conclusion (or make no sense at all!) but it seems that taskwarrior only looks at the cert that is provided in .taskrc and verifies it has been properly formatted. Apart from formatting, there doesn't seem to be any validation of the cert happening on either the laptop client or taskd.

bradyt commented 2 years ago

I hope you find the following a concise, plausible and reasonable paraphrasing consistent with your findings.

If you specify an unparseable cert for taskd.ca, you find an error.

Otherwise, if the server cert can be validated with either the system certs or the one specified in `taskd.ca`, progress continues towards a secure connection.

It seems that some random edits of a cert file are okay. Maybe they were characters added after the delimited block.