No ssl certificate on Windows 10 (v2.4)

[knaos]

What happened?

When installing freshly Barrier on Windows 10, the ssl key is not created.

Version

v2.4

Git commit hash (if applicable)

No response

If applicable, where did you install Barrier from?

Github Releases. Version 2.4

What OSes are you seeing the problem on? (Check all that apply)

Windows

What OS versions are you using?

Server: Windows 10
Client: Macosx 12.0.1

Relevant log output

No response

Any other information

No response

[juvin-git]

close ssl in the setting

[p12tic]

@knaos Did you try 2.4.0? It seems like this bug should be fixed by #979.

[knaos]

@p12tic Yes, I tried with version 2.4, it was just not present in the dropdown of the issue opener.

[knaos]

You can see that even though the SSL is enabled in the settings, the SSL Fingerpring is shown as Disabled

[Claudweb]

Having exactly the same issue. Just tried installing barrier today for the first time on two Windows 10 machines and couldn't get it working. The log showed

[2021-11-03T14:45:49] INFO: OpenSSL 1.0.2l 25 May 2017
[2021-11-03T14:45:49] ERROR: ssl certificate doesn't exist: C:\Users...\AppData\Local\Barrier\SSL\Barrier.pem

After disabling SSL in the settings it finally started working.

[Endorphine71]

Yeah, I had the same issue. No SSL certificate is ever created.

I went back to the previous version and didn't have any issues. This is on Windows 11 Home and connecting to a MacBook Pro M1 with MacOS Monterey.

[Nikarous]

#231 (comment) workaround

[cfarvidson]

I had the same problem on MacOS Monterey. Solved it with the mentioned workaround.

[qavnjdusagon]

I just installed Barrier on GNU/Linux (Trisquel 9), compiled as indicated in the wiki, about says 2.4.0-release-4ed01413, I have exactly the same problem. The workaround indicated solved it, but only after I deactivated and reactivated SSL.

[joel-williams]

Same issue as @cfarvidson above, also does not seem to be resolved by disabling SSL. The app reports that SSL fingerprinting is disabled, but the connection between client and server still doesn't work. Logs show SSL errors due to missing cert.

[pjank]

Found this "issue" after struggling with the same problem for a while and found my own "workaround".

Here's my story (aside from other trial-and-error steps, skipped for clarity), maybe this helps somebody:

1. Installed Barrier 2.4.0 first time on a PC (Win10).
   Couldn't connect (with SSL enabled) due to the missing cert file.
   And the "SSL Fingerprint" row in the UI was showing "Disabled".
2. Tried generating it manually (based on these instructions) - the openssl.exe step failed due to "barrier.conf not found". And it sure was missing (in Program Files\Barrier).
   And BTW I imagine the workaround linked in the comment above would also fail for the same reason.
3. Tried to figure out what should be in that file...
   Found the few "examples" here. But no, that's a totally different type of barrier.conf file. Why do we use the same name for 2 different things? One is Barrier screens config, another is OpenSSL config.
4. As last resort - uninstalled 2.4.0, cleared all leftovers (just in case: registry, app data), downloaded and installed v2.3.4. And viola - the SSL cert was created automagically. Then installed 2.4.0 again. And all works!

[albertony]

2. Tried generating it manually (based on these instructions) - the openssl.exe step failed due to "barrier.conf not found". And it sure was missing (in Program Files\Barrier).
And BTW I imagine the workaround linked in the comment above would also fail for the same reason.

There is a pull request for updating those instructions according to v2.4. Basically you will have to install OpenSSL separately now, to do the manual setup. As you found out, the OpenSSL config file barrier.conf is not included anymore, and also the version of the included openssl executable is quite old. This is related to Barrier no longer using it to generate certificate/fingerprint, but uses library functions instead.

[albertony]

@p12tic : I wonder if the following line is causing cert not being created in v2.4, shouldn't it open the file in mode "w"?

barrier/src/lib/net/SecureUtils.cpp

Line 193 in 2db65f0

auto fp = fopen_utf8_path(path.c_str(), "r");

[albertony]

The suggested change has been merged to master, and it fixes my issue: Barrier now creates certificate and fingerprint on first launch on Windows 10.

Beta build available here: https://dev.azure.com/debauchee/Barrier/_build/results?buildId=759&view=artifacts&pathAsName=false&type=publishedArtifacts

[Gbrothers1]

Here is my experience for windows 10 users, and I know have a complete understanding I think of how to solve the issue.

Steps: (How to get SSL working on windows)

1. Install Barrier.exe onto windows 10 machine, and configure as normal. (Fresh Install)
   (Error) Failed to generate SSL Certificate...
2. Install Git for windows (Fresh) using standard configurations and options
3. cd to the file path '/c/Users/Ethan/AppData/Local/Barrier/SSL" and run the following command
4. $ openssl req -x509 -nodes -days 365 -subj //CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

• This will generate the "Barrier.pem" file and output in the current directory
• If you don't include the two forward slashes before the "-subj" then bash will translate the parameter path to "C:Program Files/Git/CN=Barrier" this is called a POSIX-WIndows Path Conversion here

5. Restart Barrier Client via "Reload" Button.
6. Should work now

This same step will have to be performed on macOS Monterey as well running on M1 processor with the latest updates and patches.

Steps:

1. Download and install Barrier.dmg
2. Configure as normal for client/server operation.
3. Open terminal and cd to the following directory '/Applications/Barrier.app/Contents/MacOS' and excite the command bellow:
   $ openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem
4. Reload the server or client and you should have working SSL

Notes:

• I completed this install on two machines a M1 MacBook Pro M1 (2021) and a Windows 10 based Dell Inspiron i5-x64 (2017 model), after allowing network permission which was an issue on the MacOS Monetary, had to specifically add all the programs "barrier" in System Settings / Security & Privacy / Accessibility and allow network permissions.
• Also minor wifi issues occur with different network modules speeds, my windows machine us running 802.11b/g/n connected to an 802.11ac wifi-router, where my M1 has an 802.11ac model and this has made a significant disadvantage in latency as I'm currently setup in my office about 30 feet away from the router.

[shodanx2]

Hello,

Trying out barrier for the first time (I last used synergy in 2003-2004ish)

My setup is a windows 10 computer driving a center monitor and two raspberry pi controlling two monitors stacked on top of each other on either side of the main monitor

windows 10 version 2.4.0 compiled nov 2021
on RPiOS, installed using apt, version october 2018

Started everything on all computers

First got this error

(Been trying this out since last week but didn't have time to try more things until today now that I found this thread !)

I disabled SSL in server

After reloading the server, the clients would connect/disconnect for no apparent reason

So I went in the clients and also disabled SSL

Seems to work

--tangent 1
The new clients didn't appear in server configurator, but it was as easy as clicking a blank square and typing my client hostname s in screen names

--tangent 2
I've been playing with it about 1 minute, it appears to work really great. Only visual weirdness I'm having is that if a window is focused, it gets defocused when my cursor crosses the monitor boundary but I feel that is something easily configurable somewhere

Ah found it, in each "screen name" I checked "fix preserve focus" why is this not the default ? (oh, this doesn't work for the server apparently)

--tangent 3

This is stretching it but, what do you guys use to export/drag windows on the server to client ? Does such a thing exist yet ?

thanks

[xsentricity]

Here is an easy workaround. Install version 2.3.2 first. Then run it and it will create the SSL certificate on windows. Once you verified it works, then download 2.4 and install it. If it gets the point where it says can't shutdown the application or something just click the button retry and that should work.

I did it twice today and it worked. Have a great new years !

[JanaSokolova]

Found this "issue" after struggling with the same problem for a while and found my own "workaround".

Here's my story (aside from other trial-and-error steps, skipped for clarity), maybe this helps somebody:

1. Installed Barrier 2.4.0 first time on a PC (Win10).
   Couldn't connect (with SSL enabled) due to the missing cert file.
   And the "SSL Fingerprint" row in the UI was showing "Disabled".
2. Tried generating it manually (based on these instructions) - the openssl.exe step failed due to "barrier.conf not found". And it sure was missing (in Program Files\Barrier).
   And BTW I imagine the workaround linked in the comment above would also fail for the same reason.
3. Tried to figure out what should be in that file...
   Found the few "examples" here. But no, that's a totally different type of barrier.conf file. Why do we use the same name for 2 different things? One is Barrier screens config, another is OpenSSL config.
4. As last resort - uninstalled 2.4.0, cleared all leftovers (just in case: registry, app data), downloaded and installed v2.3.4. And viola - the SSL cert was created automagically. Then installed 2.4.0 again. And all works!

Thank you this worked for me! However now I am getting a communications error.

ERROR: failed to launch, error: process immediately stopped
[2022-02-28T11:01:01] INFO: backing off, wait=10s, failures=12
[2022-02-28T11:01:11] INFO: starting new process as privileged user
barriers.exe: unrecognized option --disable-client-cert-checking' Try barriers.exe --help' for more information.

[TomLewis]

@Gbrothers1

ERROR: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib :(

[alansenairj]

I am using version 2.4. I put it to work just putting Barrier.pem generated at client on server.
The file in windows is located at: C:\Users\ALAN\AppData\Local\Barrier\SSL
You must copy it to Linux path: cp Barrier.pem /home/yourusername/.local/share/barrier/SSL

Reload client activating SSL

Just reload server and it is done. Check logs to see if it is working.

[JgBr123]

Here is an easy workaround. Install version 2.3.2 first. Then run it and it will create the SSL certificate on windows. Once you verified it works, then download 2.4 and install it. If it gets the point where it says can't shutdown the application or something just click the button retry and that should work.

I did it twice today and it worked. Have a great new years !

This solved the issue. Thank you !

[JanaSokolova]

Thanks guys, I'm sorry to say, I did the download of the old version and it didn't work for me. So I abandoned the ship completely and swam over to input director. That application was easier to set up. Thanks for taking the time to answer everyone.

[shodanx2]

The app should generate ask the user if they want to generate a self-signed certificate, and then create one and put it in the right place and put the reference to it in the config file.

[ohadschn]

Could someone add this to the troubleshooting wiki (and more generally, the fact that the log can be read from the GUI)?
I spent maybe an hour trying every possible troubleshooting step to no avail: https://github.com/debauchee/barrier/wiki/Troubleshooting

[ToOpenSky]

Found this "issue" after struggling with the same problem for a while and found my own "workaround".

Here's my story (aside from other trial-and-error steps, skipped for clarity), maybe this helps somebody:

1. Installed Barrier 2.4.0 first time on a PC (Win10).
   Couldn't connect (with SSL enabled) due to the missing cert file.
   And the "SSL Fingerprint" row in the UI was showing "Disabled".
2. Tried generating it manually (based on these instructions) - the openssl.exe step failed due to "barrier.conf not found". And it sure was missing (in Program Files\Barrier).
   And BTW I imagine the workaround linked in the comment above would also fail for the same reason.
3. Tried to figure out what should be in that file...
   Found the few "examples" here. But no, that's a totally different type of barrier.conf file. Why do we use the same name for 2 different things? One is Barrier screens config, another is OpenSSL config.
4. As last resort - uninstalled 2.4.0, cleared all leftovers (just in case: registry, app data), downloaded and installed v2.3.4. And viola - the SSL cert was created automagically. Then installed 2.4.0 again. And all works!

Thank you, step 4. worked for me.

[ToOpenSky]

Thank you very much. Step 4. is the important one, double slash "//".

[ohadschn]

Unfortunately this has been broken for almost a year with no release (fixing this or otherwise).
Synergy on the other hand just released 11 days ago (needless to say, it does not suffer from this issue)...
You can get the (almost) latest binaries here: https://github.com/DEAKSoftware/Synergy-Binaries

[halfbeing]

Yes, this is still completely broken.

I tried loads of solutions suggested above, but none worked. Copying the SSL certificate to the server didn't work. Going back to version 2.3.2 worked in Windows, but it is impossible to install and configure on MacOS Ventura, and would probably be quite a headache to do in Linux (I didn't even bother trying that). I tried running that openssl command in MacOS, but it doesn't recommend the command openssl.

Broken for a year. This looks like abandonware. I'll try Synergy.

[shodanx2]

I'm curious, if you just put in a self signed .pen certificate, would it work ?

[halfbeing]

Yes it will.

I eventually discovered that I had made a clumsy copy-paste before my previous comment, which was why I failed to create an SSL certificate when I tried. You can in fact create an SSL certificate on the Barrier server which will make it work properly.

I did this on a Mac, but I have read that this works on Linux as well, so I think it should work on Windows (maybe you have to install openssl first – that I don't know for certain). The command should be exactly the same. Only the path of the Barrier SSL folder in which you execute it will be different. This is what you do:

1. Open a terminal in the Barrier SSL folder on the server machine.
2. Execute the following command:
   openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem
3. Click "Reload" in the Barrier user interface on the server machine to restart the server.
4. After a while, you will get popups on your client machines asking you to accept the SSL certificate. Accept it.

[DennisGentry-Zoetis]

Hi,

Is there any release scheduled? It's been a bit over a year since 2.4.0, and this bug and several others have PRs and/or are already fixed in master, it's just that master seems not to be automatedly built anymore. If not, I'll pursue other solutions.

Thanks for any info you can provide!

[jfranco09]

Found this "issue" after struggling with the same problem for a while and found my own "workaround".

Here's my story (aside from other trial-and-error steps, skipped for clarity), maybe this helps somebody:

1. Installed Barrier 2.4.0 first time on a PC (Win10).
   Couldn't connect (with SSL enabled) due to the missing cert file.
   And the "SSL Fingerprint" row in the UI was showing "Disabled".

2. Tried generating it manually (based on [these instructions](https://github.com/debauchee/barrier/wiki/Command-Line#generating-certificate-and-fingerprint)) - the `openssl.exe` step failed due to "**barrier.conf not found**". And it sure was missing (in Program Files\Barrier).
   And BTW I imagine the workaround linked in the comment above would also fail for the same reason.

3. Tried to figure out what should be in that file...
   Found the few "examples" [here](https://github.com/debauchee/barrier/tree/master/doc). But no, that's a totally different type of _barrier.conf_ file. Why do we use the same name for 2 different things? One is Barrier screens config, another is OpenSSL config.

4. As last resort - **uninstalled 2.4.0**, cleared all leftovers (just in case: registry, app data), downloaded and **installed v2.3.4**. And viola - the SSL cert was created automagically. Then **installed 2.4.0 again**. And all works!

This did the trick for me

[haukened]

To fix this for Windows installs, you can run the following with PowerShell as admin during (or after) install without any additional software requirements:

$cert = New-SelfSignedCertificate -DnsName Barrier -KeyExportPolicy Exportable

# Public key to Base64
$CertBase64 = [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')

# Private key to Base64
$RSACng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$KeyBytes = $RSACng.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
$KeyBase64 = [System.Convert]::ToBase64String($KeyBytes, [System.Base64FormattingOptions]::InsertLineBreaks)

# Put it all together
$Pem = @"
-----BEGIN PRIVATE KEY-----
$KeyBase64
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
$CertBase64
-----END CERTIFICATE-----
"@

# Output to file
$Pem | Out-File -FilePath $env:LOCALAPPDATA\Barrier\SSL\Barrier.pem -Encoding Ascii

Thanks to @murphyne for making this work for the current user, and not requiring a username change!

[dilipprasad]

To fix this for Windows installs, you can run the following with PowerShell as admin during (or after) install without any additional software requirements:

$cert = New-SelfSignedCertificate -DnsName Barrier -KeyExportPolicy Exportable

# Public key to Base64
$CertBase64 = [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')

# Private key to Base64
$RSACng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$KeyBytes = $RSACng.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
$KeyBase64 = [System.Convert]::ToBase64String($KeyBytes, [System.Base64FormattingOptions]::InsertLineBreaks)

# Put it all together
$Pem = @"
-----BEGIN PRIVATE KEY-----
$KeyBase64
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
$CertBase64
-----END CERTIFICATE-----
"@

# Output to file
$Pem | Out-File -FilePath C:\Users\<your-username>\AppData\Local\Barrier\SSL\Barrier.pem -Encoding Ascii

Be sure to change to your user!

After too many tries, this worked for me to connect and generate ssl certificate and i could connect to other machine now.
Thanks

[murphyne]

To get the script to work with any current user, you can replace C:\Users\<your-username>\AppData\Local with $env:LOCALAPPDATA.

Like this:

$Pem | Out-File -FilePath $env:LOCALAPPDATA\Barrier\SSL\Barrier.pem -Encoding Ascii

[frischeDaten]

Steps: (How to get SSL working on windows)

1. Install Barrier.exe onto windows 10 machine, and configure as normal. (Fresh Install)
   (Error) Failed to generate SSL Certificate...
2. Install Git for windows (Fresh) using standard configurations and options
3. cd to the file path '/c/Users/Ethan/AppData/Local/Barrier/SSL" and run the following command
4. $ openssl req -x509 -nodes -days 365 -subj //CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

• This will generate the "Barrier.pem" file and output in the current directory
• If you don't include the two forward slashes before the "-subj" then bash will translate the parameter path to "C:Program Files/Git/CN=Barrier" this is called a POSIX-WIndows Path Conversion here

Thanks, works for me on Windows 11, I just installed openssl 3 instead of git, though

[ssokolow]

I find that, if the intent isn't to have Git for Windows or OpenSSL or something else like that installed for other reasons (eg. on my firewalled-off-from-the-Internet Win7 "game console except not a console"), it's easiest to just install Barrier 2.3.4, let it generate the cert, and then upgrade to 2.4.0.

[haukened]

@murphyne quick question, this needs to be run as admin in order to get the crypto commands, is $env in that context still mapped to current user? Or system? I'm not primarily a windows developer, so just wanted to make sure.

To get the script to work with any current user, you can replace C:\Users\<your-username>\AppData\Local with $env:LOCALAPPDATA.

Like this:

$Pem | Out-File -FilePath $env:LOCALAPPDATA\Barrier\SSL\Barrier.pem -Encoding Ascii

[murphyne]

@murphyne quick question, this needs to be run as admin in order to get the crypto commands, is $env in that context still mapped to current user? Or system? I'm not primarily a windows developer, so just wanted to make sure.

@haukened
Yeah, you were right to hesitate. There appears to be a problem if the current user is not an admin. In that case, environment variables in elevated shell are mapped to the admin user. I'll see what can be done to work around that.

[haukened]

My first thought is to make a self elevating script, that gathers the current user, then elevates and re-launches with the user as a passed parameter.

[murphyne]

I did something similar. But it is still not a robust solution.
The self-elevating script must be run as a user, but there is a chance that it will be run as an admin, in which case the environment variables would point to admin. Perhaps it's best to leave the path hardcoded.

$Command = {
$cert = New-SelfSignedCertificate -DnsName Barrier -KeyExportPolicy Exportable

# Public key to Base64
$CertBase64 = [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')

# Private key to Base64
$RSACng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$KeyBytes = $RSACng.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
$KeyBase64 = [System.Convert]::ToBase64String($KeyBytes, [System.Base64FormattingOptions]::InsertLineBreaks)

# Put it all together
$Pem = @"
-----BEGIN PRIVATE KEY-----
$KeyBase64
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
$CertBase64
-----END CERTIFICATE-----
"@

# Ensure target folder exists
mkdir -p "$env:LOCALAPPDATA\Barrier\SSL" > $null

# Output to file
$Pem | Out-File -FilePath "$env:LOCALAPPDATA\Barrier\SSL\Barrier.pem" -Encoding Ascii
}

$CommandFormatted = $Command -replace '\$env:LOCALAPPDATA', $env:LOCALAPPDATA

$CommandEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($CommandFormatted))

Start-Process -Wait -WindowStyle Hidden -FilePath powershell.exe -Verb RunAs -ArgumentList "-EncodedCommand $CommandEncoded"

[syphax]

I had this same issue on a fresh Windows 11 machine; the Powersheel script above solved the issue.

[dexter74]

openssl req -x509 -nodes -days 365 -subj //CN=Barrier -newkey rsa:4096 -keyout %appdata%..\Local\Barrier\SSLBarrier.pem -out %appdata%..\Local\Barrier\SSLBarrier.pem