Fresh Barrier Install Shows is:openERROR: ssl certificate doesn't exist: /home/thomas/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem

[TafThorne]

Operating Systems

Server: Ubuntu 18.04

Client: Microsfot Windows 10 Version 1803 (OS Build 17134.523)

Barrier Version

Server: 2.2.0-snapshot-53ebc47a

Client: 2.1.0-RELEASE-0b2dfd80

Steps to reproduce bug

1. Go to https://github.com/debauchee/barrier/wiki to Download and install the Windows binary.
2. Go to https://github.com/debauchee/barrier/releases to install the latest release, which for Ubuntu is a Flatpak
3. Start the client on the Windows machine, set to client mode and give server IP address.
4. Start the server on the Ubuntu machine with flatpak run com.github.debauchee.barrier
5. Click the "Configure Sever..." button and enter the client details.
6. Start Barrier
7. Observe errors in the Barrier > Show Log

[2019-01-18T11:41:57] INFO: OpenSSL 1.1.1  11 Sep 2018
[2019-01-18T11:41:57] ERROR: ssl certificate doesn't exist: /home/thomas/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem
[2019-01-18T11:42:13] INFO: OpenSSL 1.1.1  11 Sep 2018
[2019-01-18T11:42:13] ERROR: ssl certificate doesn't exist: /home/thomas/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem
[2019-01-18T11:42:29] INFO: OpenSSL 1.1.1  11 Sep 2018

Other info

• When did the problem start to occur? On a fresh install of what I (probaby mistakenly) thought was the latest releases.
• Is there a way to work around it? IDK, probably trying to get the same version on both ends?
• Does this bug prevent you from using Barrier entirely? Yes

[TafThorne]

I can confirm that the file does not exist:

$ ls ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/
$ locate Barrier.pem

[TafThorne]

I thought this could be similar to #142 but allowing barrier.exe and barriers.exe through the firewall did not change the message in the logs.

'171 also looked related but I cannot work out where the Barrier.pem shown there comes from. Following the supplied link did not really change anything.

I can at least confirm this is related to having the SSL config enabled. With that disabled I am able to get the client and server to work together.

[AdrianKoshka]

That's interesting, I'm a daily user of the flatpak and barrier managed to generate an SSL certificate for me just fine.

alc@am1m-s2h ~ % ls -l .var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem 
-rw-rw-r--. 1 alc alc 1649 May 21  2018 .var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem

[Ch4ni]

As a workaround, I used the synergy instructions from this page: https://wiki.archlinux.org/index.php/synergy#Set_up_encryption_on_server

TL;DR:

mkdir -p ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Fingerprints
openssl req -x509 -nodes -days 365 -subj /CN=Barrier-newkey rsa:4096-keyout ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem -out ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem
openssl x509 -fingerprint -sha2 -noout -in ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem > ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Fingerprints/Local.txt

Then enable encryption from the settings on both the client and server, restart both, and accept the new server certificate from your client ... should be good to go from there.

Edit: change keylength from 1024 to 4096 change -sha1 to -sha2

[AdrianKoshka]

I'll leave this issue open just in case someone else also has this issue. Also you might want to bump that key-length from 1024 to 4096, and use sha2 instead of sha1.

[Ch4ni]

fair point. I usually use the 4K keys ... I just got lazy this time around and copy/pasted. Comment updated with @AdrianKoshka 's suggestions.

Edit: punctuation.

[TafThorne]

When I run the openssl req command I get an error message:

$ openssl req -x509 -nodes -days 365 -subj /CN=Barrier-newkey rsa:4096-keyout ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem -out ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem
req: Use -help for summary.

It looks like you have lost a couple of spaces from the command. The following works:

$ openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem -out ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem
Generating a 4096 bit RSA private key
......................................................................................................................................................++
.......................................................................................................................................................................++
writing new private key to '/home/thomas/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem'
-----

The openssl x509 command then also fails.

$ openssl x509 -fingerprint -sha2 -noout -in ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem > ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Fingerprints/Local.txt
x509: Unknown digest sha2
x509: Use -help for summary.

I believe that the workaround advice should be updated to:

mkdir -p ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Fingerprints
openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem -out ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem
openssl x509 -fingerprint -sha1 -noout -in ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Barrier.pem > ~/.var/app/com.github.debauchee.barrier/data/barrier/SSL/Fingerprints/Local.txt

At least in my case.

[TafThorne]

Now does the absence of sha2 support explain the cause of my issue? If whatever is expected to automatically generate the keys is trying to use sha2 and silently failing.

I have version 1.1.0g of OpenSSL.

$ openssl version
OpenSSL 1.1.0g  2 Nov 2017

What version is expected to have the sha2 support? It seems that I can use either -sha256 or -sha512 in the command line without getting an error.

[TafThorne]

I am pleased to report that with the workaround in place (using sha512 in this case) I have been able to connect the Windows client to the flatpak version of barrier.

Thank you for your help in getting me up and running. Please let me know if there is anything more I can do to help find the cause of the issue and possible solution.

[julius59]

Same setup and same behaviour as in the bug description here.

[nedart]

I had this same issue. Both client and server were version 2.2.0-snapshot-53ebc47a. Using the commands in the post by @TafThorne did the trick.

[tassosblackg]

I had the same issue, it worked for me too!

[hatzkel]

This just crept up on me out of the blue after this past update. Had to follow the instructions above as well.

[obasilakis]

Hey, I tried @TafThorne 's commands and I'm getting this:

[2019-06-15T17:20:12] INFO: OpenSSL 1.1.1b 26 Feb 2019 [2019-06-15T17:20:12] ERROR: could not use ssl certificate [2019-06-15T17:20:12] ERROR: error:0909006C:PEM routines:get_name:no start line

anyone knows what's the issue?

[hifi]

Not trying to sound rude but why this hasn't been fixed in the official Flatpak build as it seems to affect all new installs, including me today and is a real barrier to entry for new users?

[AdrianKoshka]

So, as was probably obvious, the openssl command-line tools aren't shipped, which prevents the certificate from being generated, I'm working on fixing this finally. I'm sorry.

[AdrianKoshka]

Truly sorry this was an issue for so long, it really shouldn't have been. After work it can be hard to find the energy to work on OSS.

[hifi]

Indeed, thank you for fixing the issue.

My point was that the Flatpak package is likely one of the main channels to install Barrier and since it was effectively broken for all new users it was a bit frustrating to find the issue had been open for so long.

[AdrianKoshka]

Fixed for me on a personal machine at work, before I had no cert.

[AdrianKoshka]

openssl is shipped with barriers flatpak, and I believe this has been fixed.

[fbidu]

Hey people, I just ran into this issue on a fresh install using snapd on fedora!

mkdir -p /home/fbidu/snap/barrier-kvm/2/.local/share/barrier/SSL/ 
cd /home/fbidu/snap/barrier-kvm/2/.local/share/barrier/
openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

Worked for me!

[4F2E4A2E]

This is how I've got it running on Windows:

• Install git for windows
• cd into 'C:\Users\<user>\AppData\Local\Barrier\SSL\'
• run in the cmd openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem
• restart barrier

[cfarvidson]

I had the exact same issue on macOS Monterey (12.0.1) today.

Solved it by running the openssl command described in @4F2E4A2E post.

• cd into /Users/<user>/Library/Application Support/barrier/SSL
• run in the cmd openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem
• restart barrier

[shymega]

This should be opened again, as it appears to be an ongoing issue with Barrier. Reopening.

[CaptainKraft]

I also had this problem with a fresh install on Arch Linux. Also, the workaround did not work for me due to differing paths. Here are the commands I had to use to get this to work:

mkdir -p ~/.local/share/barrier/SSL/Fingerprints
openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ~/.local/share/barrier/SSL/Barrier.pem -out ~/.local/share/barrier/SSL/Barrier.pem
openssl x509 -fingerprint -sha1 -noout -in ~/.local/share/barrier/SSL/Barrier.pem > ~/.local/share/barrier/SSL/Fingerprints/Local.txt

[cmsxbc]

I just choose to disable it.... i'm in private network.

barriers --disable-crypto

[eaguad1337]

I had the same issue on fresh install, Windows Host, and I solved this way:

First, install openssl, then:

cd %LOCALAPPDATA%\Barrier\SSL
mkdir Fingerprints
openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem
openssl x509 -fingerprint -sha1 -noout -in Barrier.pem > Fingerprints\Local.txt

If you use WSL, I recommend you to do it from there, replacing %LOCALAPPDATA% with your Windows path.

[mchiasson-youi]

On Ubuntu using the latest from the snap store (2.4.0), this is how I solved it

mkdir -p ~/snap/barrier/682/.local/share/barrier/SSL/Fingerprints
openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ~/snap/barrier/682/.local/share/barrier/SSL/Barrier.pem -out ~/snap/barrier/682/.local/share/barrier/SSL/Barrier.pem
openssl x509 -fingerprint -sha1 -noout -in ~/snap/barrier/682/.local/share/barrier/SSL/Barrier.pem > ~/snap/barrier/682/.local/share/barrier/SSL/Fingerprints/Local.txt

[501st-alpha1]

I had the same issue just now on a fresh install of Barrier 2.4.0 on Windows.

I tried running the command given by @4F2E4A2E in Git Bash, but it gave me an error about the -subj line, and when running Barrier after got a similar error to @obasilakis. After some research determined it was some kind of escaping issue, so ran this command instead:

openssl req -x509 -nodes -days 365 -subj //CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

(note the double //)

and that worked; Barrier now runs and accepts connections successfully.

[willobrien]

Just had this issue. Ended up using openssl under cygwin terminal to generate the key:

cd /cygdrive/c/Users/<user>/AppData/Local/Barrier/SSL
$ openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

done.

[HewittJC]

For MacOS:

> cd /Users/<username>/Library/Application\ Support/barrier/SSL/
> openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

• Restart Barrier

Thanks to @4F2E4A2E for posting the openssl command that is used above 📈

[spoelstraethan]

If this is anything like the bug in Synergy Core, you can use Debug2 log level to let barrier create the certificate(s) and prompt you for trust when a client connects.......

[junbujianwpl]

If you use git-bash on Windows, try this command

openssl req -x509 -nodes -days 365 -subj "//CN=Barrier" -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

[hovanesgasparian]

@HewittJC do you have to do that for both macOS devices, or just the server? I tried it for just the server and it didn't work. I tried it for the client and it didn't work. I'm assuming if you generate 2 different Barrier.pem files, they are going to have 2 different fingerprints. Are you supposed to copy the generated pem file from the server MacBook to the client MacBook? I tried that, and it still didn't work... keeps giving me a timeout error...

[FlashNoob98]

> cd 
> cd .local/share/barrier/SSL
> openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

Solved executing the same command both on client side than server side on Archlinux

[denshigomi]

I had the same issue on a fresh Windows install. I didn't want to install anything to fix it, so I generated the certificate on my Ubuntu system and copied it over.

[d-amend]

I had the problem with my M1 MacBook Pro. That command fixed it! Thank you so much

1. Installed openssl 3 via Homebrew
2. cd /Users/user/Library/Application Support/barrier/SSL
3. openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

[omeysalvi]

Faced this issue too on 9th December 2021. @junbujianwpl fix worked for me.

[hovanesgasparian]

@d-amend what was your other device? Did you have to run that openssl req command on both devices?

[d-amend]

@hovanesgasparian the other device was an Intel iMac. It works out of the box there. Also installed via homebrew.

The server was the M1, the client the iMac. I thought also about copying, but assumed, that it will check if both have the same key, so I generated a new one on the M1.

[AntDavidLima]

I just had the same problem installing barrier on Arch Linux using pacman.

[d-amend]

Funny. I had to manually generate it on Monterey on a Intel Mac on the weekend, because it doesn't work there out of the box as on the M1.

[wildeep]

Installed to my Mac-mini and MacBook Pro (both M1, both on Monterey). Got the double-client-screen bug, but also wasn't able to complete a connection until I created SSL certs on each side, and approved each other's cert.

https://github.com/debauchee/barrier/issues/231#issuecomment-958800595 worked perfectly.

Now Barrier is working properly. Big success. :-)

[sgon00]

I am just having this problem in Windows 11. This is a hot/showstopper bug since 2019. Why has no one fixed it?

Edited:

What I do in Windows 11 powershell (NOT CMD):

$ Set-Alias openssl "C:\Program Files\Git\usr\bin\openssl.exe"  # if you have Git installed, you can use Git's openssl
$ cd ~\AppData\Local\Barrier\SSL\
$ openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

Restart Barrier and works.

[empusas]

Same problem on Mac:

from log: 2022-01-02T12:00:00] ERROR: ssl certificate doesn't exist: /Users/sascha/Library/Application Support/barrier/SSL/Barrier.pem [2022-01-02T12:00:00] ERROR: could not load client certificates [2022-01-02T12:00:00] ERROR: process exited with error code: 9

I have tried with Barrier-2.4.0-release.dmg on my MacBook Air M1 and my Hackintosh. Both have the same Problem.

[albertony]

A bug in version 2.4 that lead to certificate not being generated was fixed on master back in november (with pull request https://github.com/debauchee/barrier/pull/1425, related to issue https://github.com/debauchee/barrier/issues/1377), it just has not been released yet - which is very unfortunate. Not sure how this relates to the original problem here, though, which was with version 2.1/2.2, but if we're lucky then it is gone as well. 🤞

[iamutkarshtiwari]

@cfarvidson's comment solved my issue on MacOS monterey 12.1. Thank you!

[empusas]

Just for those who stumble across this issue. This is a problem for all platforms, Mac, Windows and Linux with the packages you can download right now and will persist until new packages have been released.

[sidusnare]

A bug in version 2.4 that lead to certificate not being generated was fixed on master back in november (with pull request #1425, related to issue #1377), it just has not been released yet - which is very unfortunate. Not sure how this relates to the original problem here, though, which was with version 2.1/2.2, but if we're lucky then it is gone as well. crossed_fingers

Any idea when this will be resolved? It's a lot easier for the package to correct this than figure out where and how I'm supposed to run an openssl command on a dozen separate machines and hope it likes what I generate

[qvqn]

you can install 2.3.2 and it will generate the keys then upgrade to 2.4 without having to mess with openssl

worked on mac and windows