rmfakecloud

Issues with proxy

Open haudankaivajasi opened this issue 5 months ago • 8 comments

Hi, I just updated my rm2 from 2.15 to 3.11.2.5 to utilize new features and use rm-hacks. I first updated rmfakecloud docker container to v0.0.25 to see if the latest version works well and it did. Then I updated my rm2 and after running "Reenabling after a system update" steps on the tablet I could connect to my cloud but not sync.

I then uninstalled the whole thing with ./installer.sh uninstall, made sure there were no dangling folders or files, updated the installer.sh to v0.0.7 and ran the installation steps again:

    root@reMarkable:~# chmod +x ./installer.sh
    root@reMarkable:~# ./installer.sh install
    Extracting embedded binary...
    Failed to stop rmfakecloud-proxy.service: Unit rmfakecloud-proxy.service not loaded.
    ~/rmfakecloud ~
    Generating CA key and crt...
    Generating private key...
    Generating pub key...
    writing RSA key
    Generating csr and crt...
    Certificate request self-signature ok
    subject=C = AA, ST = QQ, L = JJ, O = the culture, CN = *.appspot.com
    Generation complete!
    Clearing symlinks in /etc/ssl/certs...
    done.
    Updating certificates in /etc/ssl/certs...
    rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
    1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    done.
    Enter your own cloud url [http(s)://somehost:port] >https://yy.xx.net/
    Setting cloud sync to: https://yy.xx.net/
    Created symlink /etc/systemd/system/multi-user.target.wants/rmfakecloud-proxy.service → /etc/systemd/system/rmfakecloud-proxy.service.
    Patching /etc/hosts
    Stoping xochitl..
    Fixing sync status...
    Starting xochitl...

And from the troubleshooting I'm getting:

    root@reMarkable:~# systemctl status proxy -l
    Unit proxy.service could not be found.

Are there still some dangling files present or why isn't the proxy working? Is there any way to start this from scratch or fix this issue?

haudankaivajasi, Aug 13 '25 12:08

The service is named rmfakecloud-proxy

Eeems, Aug 13 '25 14:08

Troubleshooting:

    root@reMarkable:~# ping my.remarkable.com
    PING my.remarkable.com (127.0.0.1): 56 data bytes
    64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.209 ms

  • "(should be localhost)" as it seems to be

    root@reMarkable:~# ping local.remarkable.com
    PING local.remarkable.com (10.11.99.1): 56 data bytes
    64 bytes from 10.11.99.1: seq=0 ttl=64 time=0.177 ms

  • "(should be localhost)", but it is not? Should it be?

    root@reMarkable:~# echo Q | openssl s_client -connect localhost:443 -verify_hostname local.appspot.com -CAfile /etc/ssl/certs/ca-certificates.crt 2>&1 | grep Verify
    Verify return code: 0 (ok)
    Verify return code: 0 (ok)

  • seems to be ok

    root@reMarkable:~# systemctl status rmfakecloud-proxy
    ● rmfakecloud-proxy.service - rmfakecloud reverse proxy
       Loaded: loaded (/etc/systemd/system/rmfakecloud-proxy.service; enabled; vendor preset: disabled)
       Active: active (running) since Wed 2025-08-13 18:53:02 EEST; 35min ago
     Main PID: 186 (rmfakecloud-pro)
       CGroup: /system.slice/rmfakecloud-proxy.service
               └─ 186 /home/root/rmfakecloud/rmfakecloud-proxy -cert /home/root/rmfakecloud/proxy.bundle.crt -key /home/root/rmfakecloud/proxy.key https://xx.yy.net

    Aug 13 19:23:57 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:23:57 http: TLS handshake error from server_ip:49204: remote error: tls: unknown certificate authority
    Aug 13 19:24:01 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:24:01 http: TLS handshake error from server_ip:49205: remote error: tls: unknown certificate authority
    Aug 13 19:24:07 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:24:07 http: TLS handshake error from server_ip:49206: remote error: tls: unknown certificate authority
    Aug 13 19:25:52 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:25:52 http: TLS handshake error from server_ip:49220: remote error: tls: unknown certificate authority
    Aug 13 19:25:54 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:25:54 http: TLS handshake error from server_ip:49223: remote error: tls: unknown certificate authority
    Aug 13 19:25:58 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:25:58 http: TLS handshake error from server_ip:49225: remote error: tls: unknown certificate authority
    Aug 13 19:27:29 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:27:29 http: TLS handshake error from server_ip:49251: remote error: tls: unknown certificate authority
    Aug 13 19:27:31 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:27:31 http: TLS handshake error from server_ip:49252: remote error: tls: unknown certificate authority
    Aug 13 19:27:35 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:27:35 http: TLS handshake error from server_ip:49254: remote error: tls: unknown certificate authority
    Aug 13 19:27:41 reMarkable rmfakecloud-proxy[186]: 2025/08/13 19:27:41 http: TLS handshake error from server_ip:49255: remote error: tls: unknown certificate authority

  • proxy seems to be ok, but what is with the TLS handshake error? Could this be the culprit or is there something else to check?

haudankaivajasi, Aug 13 '25 16:08

    root@reMarkable:~# ping local.remarkable.com
    PING local.remarkable.com (10.11.99.1): 56 data bytes
    64 bytes from 10.11.99.1: seq=0 ttl=64 time=0.177 ms

  • "(should be localhost)", but it is not? Should it be?

10.11.99.1 is a local address. It's the USB address.

  • proxy seems to be ok, but what is with the TLS handshake error? Could this be the culprit or is there something else to check?

This would be the error. Your device does not trust the signing authority you are using to create your certificate on the server hosting rmfakecloud.

Eeems, Aug 13 '25 18:08

Traefik handles the cert generation/renewal via Let's Encrypt on my setup, so the certs should be legit. Are there any workarounds or possible causes for this?

haudankaivajasi, Aug 13 '25 20:08

https://community.traefik.io/t/lets-encrypt-x509-certificate-signed-by-unknown-authority/11112/13 Is this relevant?

You will need to look closer at the certificate being served to the tablet, and what CA is being reported, and then look into installing the proper trust chain on the device if it's missing and it's serving what you are expecting.

Eeems, Aug 13 '25 21:08

Hard to say. rmfakecloud seems to be the only one having this problem atm and everything else seems to be working.

I have to look into my Traefik stack and possibly update it at some point.

The thing I don't understand is how updating broke the sync, as I have not touched anything other than the install script on my tablet.

haudankaivajasi, Aug 14 '25 03:08

https://community.traefik.io/t/lets-encrypt-x509-certificate-signed-by-unknown-authority/11112/13 Is this relevant?

You will need to look closer at the certificate being served to the tablet, and what CA is being reported, and then look into installing the proper trust chain on the device if it's missing and it's serving what you are expecting.

Okay, I just migrated from Traefik v2.5 to the latest version (3.6) and boy, is the migration between those a PIA. Checked that it generated new certs and everything works...except rmfakecloud sync, pairing works ok.

Came back to read your message again and oh boy, I have no idea where to start. Got any pointers in layman's terms?

haudankaivajasi, Aug 15 '25 13:08

https://support.moonpoint.com/security/encryption/openssl/checking-website-certificate.php This would have some information for using openssl to inspect certificates returned by web servers.

Eeems, Aug 16 '25 16:08
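
The check suggested in this thread (which CA issued the certificate being served, and whether a given CA bundle trusts it), as an added example that is not part of the original thread or of rmfakecloud. The function names are hypothetical and the certificates are constructed throwaway samples so the script runs offline.

```shell
#!/bin/sh
# Added example: list the CAs in a saved certificate chain and test the chain
# against a CA bundle. All certificates below are constructed sample data.

# Print subject and issuer of every certificate in PEM file $1 (leaf first).
chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Return 0 if the first certificate in $1 chains to a CA in bundle $2.
# Any further certificates in $1 are offered as untrusted intermediates.
# OpenSSL may also consult its built-in default CA directory.
chain_trusted() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Build throwaway roots A and B plus a leaf signed by A in directory $1.
make_sample() {
    dir=$1
    for ca in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Sample Root $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cloud.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/a.crt" -CAkey "$dir/a.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# Show the leaf's issuer, then verify it against each bundle in turn.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp" || return 1
    chain_summary "$tmp/leaf.crt"
    for bundle in a b; do
        if chain_trusted "$tmp/leaf.crt" "$tmp/$bundle.crt"; then
            echo "bundle $bundle.crt: verify ok"
        else
            echo "bundle $bundle.crt: issuer not trusted by this bundle"
        fi
    done
    rm -rf "$tmp"
}

demo
```

For a real server, the chain file would be the saved output of `openssl s_client -connect <host>:443 -servername <host> -showcerts`, and the bundle would be the one used earlier in the thread, /etc/ssl/certs/ca-certificates.crt.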