mirror of
https://github.com/louislam/uptime-kuma.git
synced 2026-03-02 22:57:00 -05:00
Matrix - Unable to verify the first certificate #1260
Originally created by @Chiller2019 on GitHub (Jul 17, 2022).
📝 Describe your problem
I set Matrix (Synapse) as notification-provider but when I send a test-message, I get an error.
and Log:

Now my question, how can I install my self-signed RootCA or deactivate TLS-Check?
PS.: Uptime-Kuma has a Proxy over Traefik
I import the CA Certificate on the host, with
curl -XPOST -d '{"type": "m.login.password", "identifier": {"user": "botusername", "type": "m.id.user"}, "password": "passwordforuser"}' "https://home.server/_matrix/client/r0/login"
I got a correct output without faults.
🐻 Uptime-Kuma Version
1.17.1
💻 Operating System and Arch
Ubuntu 20.04.4 LTS
🌐 Browser
GC 103.0+
🐋 Docker Version
20.10.17
🟩 NodeJS Version
No response
@Chiller2019 commented on GitHub (Jul 22, 2022):
Can no one help?
@HolgerAusB commented on GitHub (Aug 13, 2022):
I have the same problem with homebridge. It seems to be a problem with the web-server part, because curl is raising the error too.
My problem is, that checking 'Certificate Expiry' is not working when 'ignore TLS/SSL-errors' is active. That should be changed.
@Chiller2019 commented on GitHub (Aug 13, 2022):
And what exactly did you do to solve the problem?
@HolgerAusB commented on GitHub (Aug 13, 2022):
As a user, I can't!
Kuma does not send a notification on cert expiry when you set 'ignore TLS/SSL-errors'. From my point of view this is a bug in kuma.
On the other hand, it is a bug in the webserver-engine of your/my smarthome software. Don't know if this is nginx, Node.js etc. But as far as I researched, this first-cert-issue is on them. With a web browser there is no problem, they do know this middle-CA. But curl (and kuma) can't resolve this problem. The very same cert on Apache server does not have this problem with curl or kuma.
@hugokernel commented on GitHub (Aug 29, 2022):
Same problem here.
@Chiller2019 commented on GitHub (Aug 29, 2022):
Yeah, but I think it's possible to add a tag to curl when kuma sends a message. The tag is "--insecure"
@hugokernel commented on GitHub (Aug 29, 2022):
False alarm for me, sorry, problem of conf in the certificate following renewal.
@Aterfax commented on GitHub (Oct 10, 2022):
Can you not place your own CA cert into /etc/ssl/certs/ via a bind mount? I'm not sure if Uptime Kuma itself as part of the upstart process will call the command update-ca-certificates though.
That might need to be added to the docker.
@Chiller2019 commented on GitHub (Oct 10, 2022):
Tried months ago, doesn't work.
@Aterfax commented on GitHub (Oct 10, 2022):
Did you try running update-ca-certificates from a console within the docker container first?
@Aterfax commented on GitHub (Oct 10, 2022):
Setting a valid CA cert appears to have been handled in this thread: https://github.com/louislam/uptime-kuma/issues/1380
@HolgerAusB commented on GitHub (Oct 26, 2022):
So for my problem with homebridge (via node.js) the solution was simple. In the config of homebridge I just changed the path to cert.pem to fullchain.pem.
@Aterfax commented on GitHub (Oct 28, 2022):
In the case of certificates issued from Letsencrypt etc... the full chain of certificates including the CA (certificate authority), the intermediate CA certificate as well as your own domain's issued certificate must be supplied to your service (e.g. homebridge / nginx etc... must use the fullchain.pem which contains the full chain) or some devices will be unable to verify the trust chain from your domain's certificate back to a trusted root CA certificate due to the missing middle link of the intermediate certificates.
This issue was originally filed by someone trying to use their own root CA and sub-certificates (I think). If using your own certificate authority, the details of adding the new CA certificates/trust chain are detailed in https://github.com/louislam/uptime-kuma/issues/1380 using the NODE_EXTRA_CA_CERTS environment variable.
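The missing-intermediate failure discussed above, reproduced offline as an added example (not code from this thread or from Uptime Kuma): it builds a constructed root CA, intermediate CA and leaf with openssl, then verifies the leaf the way a client that trusts only the root would, first with cert.pem alone and then with fullchain.pem. The CA names, the helper file names and the 2-day lifetimes are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> leaf "home.server".
# Every name, key and lifetime below is an assumption made for this demo.
req()  { openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
sign() { openssl x509 -req -days 2 -CAcreateserial -extfile "$d/o.cnf" "$@" 2>/dev/null; }

make_chain() {  # $1 = empty, writable directory
    d=$1
    cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:home.server
EOF
    req -x509 -days 2 -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" &&
    req -new -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" &&
    sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -extensions v3_ca -out "$d/int.pem" &&
    req -new -subj "/CN=home.server" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    sign -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -extensions v3_leaf -out "$d/cert.pem" &&
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"  # leaf first, then intermediate
}

# Number of certificates in the PEM file a server is configured to send.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Client trusts the root; server sends cert.pem only (no intermediate).
verify_leaf_only() { openssl verify -CAfile "$1/root.pem" "$1/cert.pem" >/dev/null 2>&1; }
# Same trust store; server sends fullchain.pem (leaf + intermediate).
verify_fullchain() { openssl verify -CAfile "$1/root.pem" \
    -untrusted "$1/fullchain.pem" "$1/cert.pem" >/dev/null 2>&1; }

tmp=$(mktemp -d) && make_chain "$tmp" || exit 1
verify_leaf_only "$tmp" && echo "cert.pem only: verified" || echo "cert.pem only: verification failed"
verify_fullchain "$tmp" && echo "fullchain.pem: verified" || echo "fullchain.pem: verification failed"
rm -rf "$tmp"
```

The leaf-only case fails even though the root is trusted, so importing a root CA on the client does not help when the server omits the intermediate. Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends.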
@github-actions[bot] commented on GitHub (Jan 26, 2023):
We are clearing up our old issues and your ticket has been open for 3 months with no activity. Remove stale label or comment or this will be closed in 2 days.
@github-actions[bot] commented on GitHub (Jan 29, 2023):
This issue was closed because it has been stalled for 2 days with no activity.
@rizkytegar commented on GitHub (Apr 18, 2023):
how to solve this problem ?
@EgonHeuson commented on GitHub (Feb 1, 2024):
Hello,
I noticed I have the exact same error when I use certificates that I have to replace each year by a new one (officially signed by an external accreditation platform). It's like UptimeKuma keeps in memory the first certificate it checks and doesn't replace it with the new one, or doesn't change which certificate it checks.
Any idea?
@HolgerAusB commented on GitHub (Feb 1, 2024):
Are you sure it's Kuma? I had a similar issue. But here it was Homebridge (NodeJS), that doesn't use the new certificate automatically, which I copied by script from a different machine via ssh. I need to reboot that RaspberryPi after each renewal of the LetsEncrypt Wildcard cert, which is done by the copy script, too (following night 3am via at).
@EgonHeuson commented on GitHub (Feb 2, 2024):
Hey! I think so, but not sure. In my case it's pretty straightforward. I handle the certificates with NginxProxyManager for each of my applications, and when I renew my certificate, I delete the old one, and add a new .cert file. My web browsers don't have any issue with the new certificates by the way. For now I deactivated the SSL check in Kuma, but don't really know what else to do.
@Namydad commented on GitHub (Feb 7, 2024):
same problem
@berils commented on GitHub (Mar 8, 2024):
I'm facing this issue with services which are on "LAN".
RootCA imported successfully.
External cert check works as expected.
Has anyone found workaround/fix for this case?
@CommanderStorm commented on GitHub (Mar 8, 2024):
click on the cert expiry link to see where the chain is failing:

@berils commented on GitHub (Mar 8, 2024):
I'm getting status like this:

@fnaquira commented on GitHub (Sep 1, 2024):
did you find a solution or workaround? I also get a valid certificate but getting error on Kuma
@HolgerAusB commented on GitHub (Sep 2, 2024):
@fnaquira, not for kuma side, but if you are controlling the server you want to check, it is always good advice to check how you are implementing the certificates. For my letsencrypt cert, it helped to use fullchain.pem instead of chain.pem
e.g. for apache2 site config: