zadam / trilium

Build your personal knowledge base with Trilium Notes
GNU Affero General Public License v3.0

[BUG] Desktop Client doesn't check trusted cert store #3934

Open FalcoGer opened 1 year ago

FalcoGer commented 1 year ago

Trilium Version

0.59.4

What operating system are you using?

Ubuntu

What is your setup?

Local + server sync

Operating System Version

Linux [hostname redacted] 5.15.0-70-generic #77-Ubuntu SMP Tue Mar 21 14:02:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Description

The desktop client does not check the trusted certificate store in /etc/ssl/certs/. I have generated a certificate authority and signed a client certificate with it and added the CA to the trusted cert store by putting it into /usr/local/ca-certificates/[name redacted]/CA_[name redacted].crt and then running sudo update-ca-certificates.

Programs like wget and curl accept the certificate. But in trilium there is no option either to ignore invalid certificates or to import the CA, and it doesn't check /etc/ssl/certs either, so it seems impossible to use a self-signed certificate.

The specific error is ERR_CERT_AUTHORITY_INVALID.

I use a reverse proxy on the URI /trilium/ in apache to redirect to localhost:8080. The web interface works fine on that URI, but the desktop client doesn't even get there because it rejects the cert.

The certificate in question is similar to this

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=testing, CN=CA Server
        Validity
            Not Before: May 12 18:12:09 2023 GMT
            Not After : May  9 18:12:09 2033 GMT
        Subject: O=testing, CN=webhost.tld/emailAddress=webmaster@webhost.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (8192 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:A6:8E:83:0B:8D:A6:25:1E:6A:F5:BA:CF:58:0E:F7:B5:C7:16:0C:94
                DirName:/O=testing/CN=CA Server
                serial:2A:48:89:2B:A7:73:A4:C1:F0:68:E6:4E:DE:48:9B:43:FB:D7:43:24
            X509v3 Subject Key Identifier:
                4B:56:B2:A6:4C:5E:1D:C5:17:3F:71:55:6E:4D:5F:A6:26:E1:9D:01
            X509v3 Issuer Alternative Name:
                <EMPTY>

            Authority Information Access:
                CA Issuers - URI:http://0.0.0.0/CA_testing-cert.pem
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://0.0.0.0/crl.pem
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:webhost.tld, email:webmaster@webhost.tld, DNS:othername.tld, IP Address:0.0.0.0
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:

Error logs

19:20:13.797 Updating option syncServerHost to https://hostname-redacted.lan/trilium/
19:20:13.799 Updating option syncServerTimeout to 120000
19:20:13.800 Updating option syncProxy to
19:20:13.804 204 PUT /api/options with 0 bytes took 8ms
19:20:13.816 200 GET /api/options with 6339 bytes took 2ms
19:20:15.028 Slow 200 POST /api/sync/test with 143 bytes took 329ms

zadam commented 1 year ago

Hi, you can set the NODE_TLS_REJECT_UNAUTHORIZED=0 environment variable for the trilium process; it will then allow self-signed certificates.

I'm not sure if it's possible to force the electron process to use the system certificate store.

FalcoGer commented 1 year ago

Thanks, although that's a bit inconvenient. Would it be possible to add that as a checkbox? Or better yet some way to import the CA as trusted?

This is a security concern because globally setting it to allow unauthorized certificates would probably also affect webview. Importing the CA as trusted would be a lot safer.

FalcoGer commented 1 year ago

I started trilium like this, but the error persists.

NODE_TLS_REJECT_UNAUTHORIZED=0 trilium
DB size: 7475 KB
Trusted reverse proxy: false
App HTTP server starting up at port 37840
{
  "appVersion": "0.59.4",
  "dbVersion": 213,
  "syncVersion": 29,
  "buildDate": "2023-04-17T21:40:35+02:00",
  "buildRevision": "1d3272e9f8c27106a66227fbb580677ae5d70427",
  "dataDirectory": "/home/paul/.local/share/trilium-data",
  "clipperProtocolVersion": "1.0",
  "utcDateTime": "2023-05-13T16:33:44.680Z"
}
CPU model: AMD A12-9720P RADEON R7, 12 COMPUTE CORES 4C+8G, logical cores: 4 freq: 1800 Mhz
Listening on port 37840
Becca (note cache) load took 43ms
Registered global shortcut Ctrl+Alt+P for action createNoteIntoInbox
[2178760:0513/183347.557465:ERROR:vaapi_wrapper.cc(1095)] vaCreateConfig failed, VA error: an invalid/unsupported value was supplied
[2178760:0513/183347.561388:ERROR:vaapi_wrapper.cc(1070)] FillProfileInfo_Locked failed for va_profile VAProfileH264ConstrainedBaseline and entrypoint VAEntrypointEncSlice
[2178760:0513/183347.577868:ERROR:vaapi_wrapper.cc(1095)] vaCreateConfig failed, VA error: an invalid/unsupported value was supplied
[2178760:0513/183347.578510:ERROR:vaapi_wrapper.cc(1070)] FillProfileInfo_Locked failed for va_profile VAProfileH264Main and entrypoint VAEntrypointEncSlice
[2178760:0513/183347.578776:ERROR:vaapi_wrapper.cc(1095)] vaCreateConfig failed, VA error: an invalid/unsupported value was supplied
[2178760:0513/183347.579285:ERROR:vaapi_wrapper.cc(1070)] FillProfileInfo_Locked failed for va_profile VAProfileH264High and entrypoint VAEntrypointEncSlice
[2178760:0513/183347.581031:ERROR:vaapi_wrapper.cc(1095)] vaCreateConfig failed, VA error: an invalid/unsupported value was supplied
[2178760:0513/183347.581247:ERROR:vaapi_wrapper.cc(1070)] FillProfileInfo_Locked failed for va_profile VAProfileH264ConstrainedBaseline and entrypoint VAEntrypointEncSlice
[2178760:0513/183347.581636:ERROR:vaapi_wrapper.cc(1095)] vaCreateConfig failed, VA error: an invalid/unsupported value was supplied
[2178760:0513/183347.582289:ERROR:vaapi_wrapper.cc(1070)] FillProfileInfo_Locked failed for va_profile VAProfileH264Main and entrypoint VAEntrypointEncSlice
[2178760:0513/183347.582983:ERROR:vaapi_wrapper.cc(1095)] vaCreateConfig failed, VA error: an invalid/unsupported value was supplied
[2178760:0513/183347.585342:ERROR:vaapi_wrapper.cc(1070)] FillProfileInfo_Locked failed for va_profile VAProfileH264High and entrypoint VAEntrypointEncSlice
[2178760:0513/183347.630266:ERROR:sandbox_linux.cc(376)] InitializeSandbox() called with multiple threads in process gpu-process.
Generated CSRF token m5CTs4dU-av0iB54iOcu1uohv9Cx6E674Kgk with secret _csrf=QYA5KL2am11IvcD7p6vkUDnp; Path=/
200 GET /api/options with 6339 bytes took 2ms
200 GET /api/tree with 52421 bytes took 4ms
200 GET /api/keyboard-actions with 12153 bytes took 2ms
200 GET /api/script/widgets with 2 bytes took 2ms
websocket client connected
200 GET /api/keyboard-shortcuts-for-notes with 2 bytes took 2ms
200 GET /api/note-map/_optionsSync/backlink-count with 11 bytes took 1ms
200 GET /api/options with 6339 bytes took 2ms
200 GET /api/script/startup with 2 bytes took 3ms
Table counts: notes: 757, note_revisions: 871, branches: 772, attributes: 307, etapi_tokens: 0
All consistency checks passed with no errors detected (took 50ms)
[2178713:0513/183352.255126:ERROR:cert_issuer_source_aia.cc(32)] Error parsing cert retrieved from AIA (as DER):
ERROR: Failed parsing Certificate SEQUENCE
ERROR: Failed parsing Certificate

sync failed: Request to GET https://pihole.lan/trilium//api/setup/status failed, error: Error: net::ERR_CERT_AUTHORITY_INVALID
stack: Error: Request to GET https://pihole.lan/trilium//api/setup/status failed, error: Error: net::ERR_CERT_AUTHORITY_INVALID
    at generateError (/usr/lib/trilium/resources/app.asar/src/services/request.js:191:12)
    at ClientRequest.<anonymous> (/usr/lib/trilium/resources/app.asar/src/services/request.js:58:47)
    at ClientRequest.emit (node:events:394:28)
    at ClientRequest._die (node:electron/js2c/browser_init:101:8391)
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/browser_init:101:7128)
    at SimpleURLLoaderWrapper.emit (node:events:394:28)
    at SimpleURLLoaderWrapper.callbackTrampoline (node:internal/async_hooks:130:17)
Slow 200 POST /api/sync/test with 143 bytes took 315ms

I have also noticed that when I edit the entry in the GNOME menu, it reverts. It would even recreate it if I delete it.

I also noticed this error: [2178713:0513/183352.255126:ERROR:cert_issuer_source_aia.cc(32)] Error parsing cert retrieved from AIA (as DER):. The certificate is offered as PEM on the URL. Does it need to be DER?

Edit

Where the information is available via HTTP or FTP, accessLocation MUST be a uniformResourceIdentifier and the URI MUST point to either a single DER encoded certificate as specified in [RFC2585] or a collection of certificates in a BER or DER encoded "certs-only" CMS message as specified in [RFC2797].

I'll convert it. silly me.

Edit 2: I did that and reissued the certificate. The "failed to parse" error is gone, but the cert is still not accepted.

zadam commented 1 year ago

Try setting "noproxy" into the proxy field here:

image

The reasoning is a bit complex: basically electron has 2 network stacks, and trilium by default uses the chromium one, which doesn't respect NODE_TLS_REJECT_UNAUTHORIZED. By setting noproxy you're forcing trilium to use node's network stack (which is pretty obscure, of course), which should respect it.

Some background on electron networking and TLS is here: https://stackoverflow.com/questions/58615762/will-an-electron-based-app-pass-system-wide-nodejs-environment-variables

FalcoGer commented 1 year ago

That worked (after a restart). But I would still consider this a workaround because of the security implications with webview.

Without NODE_TLS_REJECT_UNAUTHORIZED=0 the error message changed to this

Sync server handshake failed, error: Request to GET https://pihole.lan/trilium/api/setup/status failed, error: Error: self signed certificate in certificate chain

zadam commented 1 year ago

But I would still consider this a workaround because of the security implications with webview.

Sorry, I don't get it. What does web view have to do with this?

FalcoGer commented 1 year ago

Sorry, I don't get it. What does web view have to do with this?

If you set NODE_TLS_REJECT_UNAUTHORIZED=0, wouldn't that mean that web view would also accept invalid certificates when it shows content from an https source? Using CAs is a security feature. Whitelisting your own CA if you use one is the proper way to do it. Allowing any self signed certificate is a problem.

FalcoGer commented 1 year ago

I tested it with a webview

#webViewSrc="https://self-signed.badssl.com/" 

It does not load. (but it also doesn't show any errors.) I'd still prefer properly allowing the CA in a whitelist without whitelisting everything for node components.

zadam commented 1 year ago

If you set NODE_TLS_REJECT_UNAUTHORIZED=0, wouldn't that mean that web view would also accept invalid certificates when it shows content from an https source?

AFAIK no, because NODE_TLS_REJECT_UNAUTHORIZED has an effect only on the node process network stack (within electron), while web view uses the chromium network stack.

ttlttc commented 11 months ago

Try setting "noproxy" into the proxy field here:

image

The reasoning is a bit complex: basically electron has 2 network stacks, and trilium by default uses the chromium one, which doesn't respect NODE_TLS_REJECT_UNAUTHORIZED. By setting noproxy you're forcing trilium to use node's network stack (which is pretty obscure, of course), which should respect it.

Some background on electron networking and TLS is here: https://stackoverflow.com/questions/58615762/will-an-electron-based-app-pass-system-wide-nodejs-environment-variables

Strange, but it really worked, thanks! Only using `set NODE_TLS_REJECT_UNAUTHORIZED=0` is still not enough to avoid the handshake error.