Recommended Posts

Hi,

I am running Sync on a NAS and on a Linux server. I would like to use a valid SSL certificate on both instances. Both systems have automated certificate renewal facilities, but of course they do not know anything about my running Sync instances and the certificate is owned by root in a different folder.

First I thought, it might be a good idea to change certificate rights and to point sync.conf to the certificate - but this would yield a security issue.

The next idea is to make a copy of the certificate into the folder, where the sync executable resides and to change the ownership. This can be done with a daily cron job.

I presume that there is no option to get hold of the "original" certificate without having a security issue and that there is no clever built-in Let's Encrypt functionality in Sync? Any other suggestions?

Link to post
Share on other sites

You don't indicate why this would be a good idea, and I certainly don't see why. Break something supported to do something with no visible benefit.  Keep your ssl certs and your bt sync stuff separate. bt sync doesn't need to know a domain name and you don't need that hassle. Just let btsync do its encryption the way they intended.

Link to post
Share on other sites
8 hours ago, Timbo said:

Keep your ssl certs and your bt sync stuff separate. bt sync doesn't need to know a domain name and you don't need that hassle. Just let btsync do its encryption the way they intended.

I think Vince42 is referring to the web interface here and wants to use a Let's encrypt certificate rather than a self-signed certificate, which is completely reasonable IMO.

Vince42: I assume that you are requesting the certificates while using Apache/nginx/... to do the validation? I think there are two reasonable approaches to do this without copying or changing ownership:

  • Create an extra group, of which both your web server user and RLSync user are a member. Give the group read access to the certificate;
  • or use filesystem ACLs to configure more fine-grained access rights (with ACLs e.g. the www or apache user could be the owner of a file, but the RLSync user could also have read access).
Link to post
Share on other sites
  • 1 month later...

If you already run HTTP servers on both boxes that do HTTPS properly, you could make Sync only listen to localhost and use your HTTP servers as local proxies. That way the SSL certificates of Apache, nginx or whatever apply instead of the certificate of Sync.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.