client *half* 'support' mtls

[1638410]

Describe feature

#1577

(trilium 0.98.1)
I use cloudflare to add mtls.
Although I disalble "forcing-mtls verify is true" in cf WAF (browsers and curl without mtls cert can visit my trilium site), the desktop client would fail with sync

failed, error: Error: net::ERR_SSL_CLIENT_AUTH_CERT_NEEDED

*because the whole .abc.com is figure using mtls.
Simple workaround is use another website, listing all subset of abc.com without trilium.abc.com when figure mtls on cloudflare, just syncing with proxy to my vps directly, or just locally.

(edited) could it just ignore the error and sync?

[dosubot[bot]]

Hi @1638410! I'm Dosu and I’m helping the Trilium team.

Trilium Desktop doesn't support presenting client certificates for mTLS, so syncing fails with servers (like Cloudflare mTLS) that require them—hence the net::ERR_SSL_CLIENT_AUTH_CERT_NEEDED error. There's no built-in way to configure or import client certificates in the desktop client as of 0.98.1. The main workaround is to use a local proxy (such as nginx or ghostunnel) that attaches your client certificate before forwarding requests to the server, or to bypass Cloudflare for the Trilium subdomain and sync directly with your VPS or locally. More details and discussion are in GitHub issue #1577.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[1638410]

@dosubot please teaching me how to use the ghostunnel to attach the website using mtls.

At least, I could directly using ssh port forwarding, to directly link to the trilium server without CDN.

[dosubot[bot]]

Trilium Desktop doesn't support client certificates for mTLS, so you need a local proxy like ghostunnel to handle the mTLS handshake for you. Here’s how you can do it:

1. Make sure you have your client certificate (client.crt), client key (client.key), and the CA certificate (ca.crt) that signed the server’s certificate.

2. Download and install ghostunnel from its GitHub page.

3. Run ghostunnel as a client-side proxy with a command like:

   ghostunnel client \
     --listen localhost:8443 \
     --target trilium.abc.com:443 \
     --cert client.crt \
     --key client.key \
     --cacert ca.crt

   This starts a local proxy on localhost:8443 that connects to your Trilium server using mTLS and presents your client certificate.

4. In Trilium Desktop, set your sync URL to https://localhost:8443 so it connects through ghostunnel.

If you see certificate errors, double-check your certs and keys. Trilium Desktop doesn’t use the system trust store, so ghostunnel must handle all TLS validation and client authentication for you. Only unauthenticated proxies are officially supported, so this setup may require some experimentation [source].

Alternatively, if you have SSH access to your VPS, you can use SSH port forwarding to bypass Cloudflare and mTLS:

ssh -L 8443:localhost:443 user@your-vps

Then point Trilium Desktop to https://localhost:8443 [source].

There’s no official Trilium documentation for this, so you may need to experiment a bit with your setup.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[dosubot[bot]]

Here's how you can use ghostunnel to let Trilium Desktop sync through an mTLS-protected endpoint:

1. Prepare your certificates: You’ll need your client certificate (client.crt), client key (client.key), and the CA certificate (ca.crt) that signed the server’s certificate.

2. Install ghostunnel: Download it from ghostunnel’s GitHub. It works on Linux, macOS, and Windows.

3. Run ghostunnel as a client-side proxy. For example, if your Trilium server is at trilium.abc.com:443, run:

   ghostunnel client \
     --listen localhost:8443 \
     --target trilium.abc.com:443 \
     --cert client.crt \
     --key client.key \
     --cacert ca.crt

   This starts a local proxy on localhost:8443. It connects to your Trilium server using mTLS, presenting your client certificate.

4. Configure Trilium Desktop: Set your sync URL to https://localhost:8443 so it connects through ghostunnel.

5. Troubleshooting: If you see certificate errors, double-check your certs and keys. Trilium Desktop doesn’t use the system trust store, so make sure ghostunnel is handling all TLS validation and client authentication for you. Only unauthenticated proxies are officially supported, so this setup may require some experimentation (reference).

SSH port forwarding alternative: If you have SSH access to your VPS, you can forward a local port to the Trilium server directly, bypassing Cloudflare and mTLS:

ssh -L 8443:localhost:443 user@your-vps

Then point Trilium Desktop to https://localhost:8443.

Let me know your OS if you need more specific commands or help with certificate formats!

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[1638410]

maybe I can simply add a host file to point the website directly to the ip of the vps to bypass mtls.
using another program is too 繁琐的(Inconvenient)

update: dont use it, another tls error:(

[1638410]

on linux

NODE_TLS_RECECT_UNAUTHORIZED=0 trilium --ignore-certificate-errors

Using hostfile to bypass the CDN(which use mtls), the vps use the cert of the origin cert of the abc.com, so just like selfsign certificate, just use --ignore-certificate-errors

[1638410]

I would check it now if it is using tls(not downgrade to http, not a programer, just afraid)

update: indeed