zadam / trilium

Build your personal knowledge base with Trilium Notes
GNU Affero General Public License v3.0

trilium-server will not sync with trilium-desktop over TLS; ERROR: ERR_CERT_AUTHORITY_INVALID #2060

Open radomuc opened 3 years ago

radomuc commented 3 years ago

Hello, over http I got a successful sync, but with https I didn't manage to get a sync. I tried with a certificate signed by a CA - this failed. I don't know how I can configure the desktop variant to accept my CA. I can't find any documentation about this. So I then tried a self-signed certificate as described in the documentation, but this also failed with the same error (ERR_CERT_AUTHORITY_INVALID). Do you have any suggestions about this issue?

--- LOG ---

```
09:14:18.386 DB size: 1601 KB
09:14:19.673 Note cache load took 9ms
09:14:19.745 App HTTP server starting up at port 37840
09:14:19.745 { "appVersion": "0.47.5", "dbVersion": 183, "syncVersion": 20, "buildDate": "2021-06-25T21:26:48+02:00", "buildRevision": "0a2807c0b3fb7809d1cd1be3a051d127db010b5e", "dataDirectory": "/home/user/.local/share/trilium-data", "clipperProtocolVersion": "1.0" }
09:14:19.773 CPU model: Intel(R) Core(TM) i7 CPU 870 @ 2.93GHz, logical cores: 8 freq: 1333 Mhz
09:14:19.782 Listening on port 37840
09:14:19.841 Registered global shortcut Ctrl+Alt+P for action createNoteIntoInbox
09:14:19.878 Generated CSRF token ClT3oPLF-_IbmWO9NkKQKrMMAwj48y836hNQ with secret _csrf=2Jrja-apy3MjDEhD8lxjrRNr; Path=/
09:14:20.214 200 GET /api/options took 2ms
09:14:20.222 200 GET /api/keyboard-actions took 2ms
09:14:20.226 200 GET /api/keyboard-shortcuts-for-notes took 0ms
09:14:20.228 200 GET /api/tree took 1ms
09:14:20.230 200 GET /api/script/widgets took 2ms
09:14:20.232 200 POST /api/tree/load took 0ms
09:14:20.833 200 GET /api/notes/HNqMDt8QC6oe took 2ms
09:14:21.903 Slow 200 GET /api/similar-notes/HNqMDt8QC6oe took 97ms
09:14:21.905 200 GET /api/notes/HNqMDt8QC6oe/revisions took 1ms
09:14:22.031 200 POST /api/notes/HNqMDt8QC6oe/link-map took 2ms
09:14:22.286 200 GET /api/script/startup took 1ms
09:14:22.290 200 POST /api/tree/load took 1ms
09:14:22.296 200 POST /api/tree/load took 0ms
09:14:22.303 200 POST /api/tree/load took 1ms
09:14:24.861 sync failed: Request to GET https://nextcloudrpi.ho:7777/api/setup/status failed, error: Error: net::ERR_CERT_AUTHORITY_INVALID
stack: Error: Request to GET https://nextcloudrpi.ho:7777/api/setup/status failed, error: Error: net::ERR_CERT_AUTHORITY_INVALID
    at generateError (/usr/lib/trilium/resources/app.asar/src/services/request.js:191:12)
    at ClientRequest.<anonymous> (/usr/lib/trilium/resources/app.asar/src/services/request.js:58:47)
    at ClientRequest.emit (events.js:315:20)
    at ClientRequest._die (electron/js2c/browser_init.js:105:8391)
    at SimpleURLLoaderWrapper.<anonymous> (electron/js2c/browser_init.js:105:7128)
    at SimpleURLLoaderWrapper.emit (events.js:315:20)
    at SimpleURLLoaderWrapper.callbackTrampoline (internal/async_hooks.js:131:14)
```

zadam commented 3 years ago

Hi, there's a trilium-no-cert-check.sh which will disable TLS cert verification. Start the desktop client using that and it should work (the communication is still encrypted but the cert is not verified).

Y-con commented 3 years ago

> Hi, there's a trilium-no-cert-check.sh which will disable TLS cert verification. Start the desktop client using that and it should work (the communication is still encrypted but the cert is not verified).

Hi, I ran with trilium-no-cert-check.sh but it did not help. So I simulated the trilium-no-cert-check.sh way to set the env and print it, but NODE_TLS_REJECT_UNAUTHORIZED is undefined. Even if I set up a global Windows environment variable for NODE_TLS_REJECT_UNAUTHORIZED, it won't help. That seems a little weird to me.

```
trilium> set NODE_TLS_REJECT_UNAUTHORIZED=0
trilium> node .\src\www
```

d03j commented 3 years ago

> Hi, there's a trilium-no-cert-check.sh which will disable TLS cert verification. Start the desktop client using that and it should work (the communication is still encrypted but the cert is not verified).

I am having a similar issue running 0.47.5 desktop on Ubuntu 21.04 and 0.47.5 server in a docker container.

I used Let's Encrypt's certbot to generate a certificate for my no-ip domain and updated the config.ini with the paths to the certificate and key. While I am testing the configuration, I haven't opened a port in my router yet, but I know TLS is working because I can access the server by entering its IP address in my browser (https://xxx.xxx.xxx.xxx) and choosing to ignore the certificate warning.

When I try to sync the desktop (working before I moved it to https) I get ERR_CERT_COMMON_NAME_INVALID. The result is the same for trilium (expected) and trilium-no-cert-check.sh (unexpected).

If I run echo $NODE_TLS_REJECT_UNAUTHORIZED after starting trilium-no-cert-check.sh I get an empty result. If I enter export NODE_TLS_REJECT_UNAUTHORIZED=0 in the command line myself and then start trilium, I get "0" when I try echo $NODE_TLS_REJECT_UNAUTHORIZED.

In all cases I get ERR_CERT_COMMON_NAME_INVALID when trying to sync.

chncho commented 2 years ago

> Hi, there's a trilium-no-cert-check.sh which will disable TLS cert verification. Start the desktop client using that and it should work (the communication is still encrypted but the cert is not verified).
>
> I am having a similar issue running 0.47.5 desktop on Ubuntu 21.04 and 0.47.5 server in a docker container.
>
> I used Let's Encrypt's certbot to generate a certificate for my no-ip domain and updated the config.ini with the paths to the certificate and key. While I am testing the configuration, I haven't opened a port in my router yet, but I know TLS is working because I can access the server by entering its IP address in my browser (https://xxx.xxx.xxx.xxx) and choosing to ignore the certificate warning.
>
> When I try to sync the desktop (working before I moved it to https) I get ERR_CERT_COMMON_NAME_INVALID. The result is the same for trilium (expected) and trilium-no-cert-check.sh (unexpected).
>
> If I run echo $NODE_TLS_REJECT_UNAUTHORIZED after starting trilium-no-cert-check.sh I get an empty result. If I enter export NODE_TLS_REJECT_UNAUTHORIZED=0 in the command line myself and then start trilium, I get "0" when I try echo $NODE_TLS_REJECT_UNAUTHORIZED.
>
> In all cases I get ERR_CERT_COMMON_NAME_INVALID when trying to sync.

Have you repaired it? I have the same problem too.

PracBesTice commented 2 years ago

Hey, I have the same problem, is there any solution? Push.

luddet commented 2 years ago

I have the same problem on Kali Linux. I have trilium_0.49.5_amd64.deb installed and try to sync to my trilium server version 0.49.5 running in docker. I'm using a certificate that is signed with my own self-signed CA cert. I have added the CA cert to /usr/local/share/ca-certificates and run update-ca-certificates --fresh. I have also imported the CA cert into the Firefox certificate store, and logging in to trilium that way works just fine, so it seems that node is not picking up the CA cert from the system on Linux. Also, connecting to my server from a Windows install of trilium works just fine after installing my CA cert into the trusted root CA store, so it seems that the problem happens only on Linux. Is there any workaround yet?

mytlogos commented 2 years ago

I found a currently working workaround for disabling any certificate errors: start trilium with the following flag:

```
/usr/lib/trilium/trilium --ignore-certificate-errors
```

This flag comes from Electron.js itself, where it will ignore any certificate errors. Syncing works with a custom CA and DNS name.

See https://www.electronjs.org/docs/latest/api/command-line-switches#--ignore-certificate-errors. If it works for everyone, then it could maybe be added to the current trilium-no-cert-check.sh script.

Edit: I used it on v0.51.2, did not test it on any other versions.

Nordiger commented 2 years ago

Hi, same problem here.

I'm running trilium with docker on my Synology NAS and use a Let's Encrypt certificate.

I've set up Trilium behind a reverse proxy.

Is there a solution? I use it on v0.53.2.

egidijus commented 1 year ago

You can also use the switch with Windows standalone. Create a shortcut to the trilium binary, then edit the shortcut and append to the target field like this:

```
trilium-windows-x64\trilium.exe --ignore-certificate-errors
```

This will allow your windows trilium to connect to a server with TLS configured even if the certs do not match. Example use case, real certificate, but you connect via IP address if you haven't got a DNS record configured yet.

Darkfoxjj12 commented 7 months ago

> You can also use the switch with Windows standalone. Create a shortcut to the trilium binary, then edit the shortcut and append to the target field like this:

It's working, I don't have the CERT_COMMONNAME error anymore! (Also don't forget to have a space between trilium.exe and --ignore-certificate-errors.) But for myself I have a problem, I'm using a reverse proxy (HAProxy) configured like this:

```
defaults
    mode http
    timeout client 10s
    timeout connect 5s
    timeout server 10s
    timeout http-request 10s

frontend myfrontend
    bind 192.168.1.190:80
    bind 192.168.1.190:443 ssl crt /etc/ssl/cert.pem
    default_backend myservers

backend myservers
    server server1 192.168.1.199:8080
```


Like you I can access 192.168.1.199:80 over http.
I can't access 192.168.1.199 over https, as expected, so I've set up HAProxy.
So I can access 192.168.1.190:443.
But I can't sync trilium, I'm just blocked here.

```
Trusted reverse proxy: false
App HTTP server starting up at port 37840
Listening on port 37840
Triggering sync.
[9128:0314/164946.762:ERROR:ssl_client_socket_impl.cc(978)] handshake failed; returned -1, SSL error code 1, net_error -200
No connection to sync server.
Returning sync stats: {"initialized":false,"outstandingPullCount":0}
304 GET /api/sync/stats with 46 bytes took 1ms
Returning sync stats: {"initialized":false,"outstandingPullCount":0}
304 GET /api/sync/stats with 46 bytes took 1ms
```


What should I do?

Darkfoxjj12 commented 7 months ago

> What should I do?

--- Solution ---

This worked for me. I've set up a reverse proxy (HAProxy for myself), made an SSL termination and generated a self-signed certificate, because I don't have a domain to make DNS zones. After that I imported the certificate from the new reverse https proxy into my Windows certificate manager. I moved the trilium server to the root of my Windows C:/ due to syntax problems like spaces. Then I created a shortlink on my desktop with the "--ignore-certificate-errors" parameter. It looks like this:

```
C:\trilium-windows-x64-0.63.3\trilium-windows-x64\trilium.exe --ignore-certificate-errors
```

And when I launched the link and connected it to my reverse proxy it's synchronizing the data, yay! If I made some misunderstandings please let me know :)