Closed pestala closed 3 years ago
Is it possible that this machine has its time misconfigured, making the certificate expired or not valid yet?
The system time is correct.
I've got three devices connecting to the same server with only one machine having an issue.
The machine having the issue had version 2.5.1 installed, so I upgraded to 2.5.3 with no luck.
What are the operating systems (and their versions) on the devices in question?
For the clients, I'm running Pop!_OS 20.04 LTS on the laptop and desktop. I also have Foreground running on my Android phone. For the server, I'm running Raspbian Buster (10) on a Raspberry Pi 3. The desktop client is the one that is giving the error.
@pestala what if you try taskd.ca = isrgrootx1.pem from https://letsencrypt.org/certificates/, on the desktop?
Can you review the Taskserver logs to see if there's more information during the exception, for example with debug.tls = 2?
@bradyt That cert fixed it!
I have a pretty dim understanding of how these keys and certs interact with each other. Do you know why one cert would work on one client but not on another?
Does it make sense to use the letsencrypt cert on all my clients, or is it better to leave the working clients alone?
Thanks for all your help! :)
I have a little bit of information. I believe the Let's Encrypt DST_ROOT_CA_X3.crt expired a few days ago.
I'm not sure why it would work on some devices but not others, especially on identical operating systems.
Does it still work on laptop if you comment out that taskd.ca line, like the following?
# taskd.ca = ~/.task/DST_ROOT_CA_X3.crt
If so, maybe Taskwarrior can rely on some system CA files, for example, similar to how Let's Encrypt CA files are distributed for browsers to function, if I understand correctly.
The laptop does still sync after commenting out that line.
I took a few steps to test if taskwarrior would ignore the certificate I provided and use a system cert instead:
taskd.ca = ~/.task/DST_ROOT_CA_X3.crt and changed the cert name to a filename that doesn't exist and got the error CA certificate not found.
DST_ROOT_CA_X3.crt to something else and got the error Bad CA file: ASN1 parser: Error in TAG. and sync failed.
DST_ROOT_CA_X3.crt to different characters, and taskwarrior synced properly.
isrgrootx1.pem with no syncing issues.
This may be the wrong conclusion (or make no sense at all!) but it seems that taskwarrior only looks at the cert that is provided in .taskrc and verifies it has been properly formatted. Apart from formatting, there doesn't seem to be any validation of the cert happening on either the laptop client or taskd.
I hope you find the following a concise, plausible and reasonable paraphrasing consistent with your findings.
If you specify an unparseable cert for taskd.ca, you find an error.
Otherwise, if the server cert can be validated with either of system certs or one specified in taskd.ca, progress continues towards a secure connection.
It seems that some random edits of a cert file are okay. Maybe they were characters added after the delimited block.
This morning when I ran task sync on my main machine, I got the following error:
I have not made any changes to the configuration on the device that fails, and it was working fine yesterday.
Running the same command on my laptop and in Foreground with the same configuration works (i.e. all certs and keys have been copied directly with no modifications). I checked that all the configuration files match exactly.
I am running my own server from home with a static IP address.
I tried restarting taskd on my server and rebooting the machine with no luck.
Any suggestions would be greatly appreciated!
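
An added example, not part of the original thread or of Taskwarrior itself: a shell check that reads the taskd.ca setting from a taskrc and reports whether that CA file has expired or is close to expiring, the condition the thread traced to DST_ROOT_CA_X3.crt. The function names, return codes and 30-day warning window are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: audit the CA file that a taskrc points at via taskd.ca.

# Print the active taskd.ca value; lines commented out with '#' are ignored.
taskd_ca_path() {
    sed -n 's/^[[:space:]]*taskd\.ca[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_taskd_ca TASKRC [WARN_SECONDS]
# Returns 0 = valid, 1 = expired, 2 = expires within the window,
#         3 = setting missing, file unreadable, or not a parseable certificate.
check_taskd_ca() {
    taskrc=$1
    warn=${2:-2592000}                      # assumed default: 30 days
    ca=$(taskd_ca_path "$taskrc")
    [ -n "$ca" ] || { echo "no active taskd.ca in $taskrc"; return 3; }
    # Expand a leading ~/ the way the taskrc example in the thread uses it.
    case $ca in "~/"*) ca="$HOME/${ca#??}" ;; esac
    [ -r "$ca" ] || { echo "CA file not readable: $ca"; return 3; }
    # openssl x509 inspects the first certificate in the file only.
    openssl x509 -in "$ca" -noout -subject -enddate 2>/dev/null ||
        { echo "not a parseable certificate: $ca"; return 3; }
    if ! openssl x509 -in "$ca" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $ca"; return 1
    fi
    if ! openssl x509 -in "$ca" -noout -checkend "$warn" >/dev/null; then
        echo "expires within $warn seconds: $ca"; return 2
    fi
    echo "OK: $ca"
}

# Usage: check_taskd_ca ~/.taskrc
```

A return code of 1 on the configured file means the CA named in taskd.ca should be replaced on that client.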