I am running GrampsWeb in a container behind a reverse proxy. When synchronizing my gramps with grampsweb over http using the grampswebsync addon version 1.3.5, it works fine. I can also access grampsweb over https without any problem from Safari. However, when I try synchronizing gramps with grampsweb over https, it fails with an unknown CA. My certificate is issued by Let's Encrypt. Below is a screenshot of the failed connection as seen in Wireshark. Any help appreciated.
Thanks for the pointers. The workaround from issue #24 fixes the problem.
Q: Why would Safari and curl trust my Let’s Encrypt certificate, but the addon fails with “Unknown CA”? They should all use the same macOS system keychain.
Debug logs without workaround:
% /Applications/Gramps.app/Contents/MacOS/Gramps --debug grampswebsync
setup debugging grampswebsync
2025-11-22 08:22:36.593: DEBUG: grampswebsync.py: line 102: Initializing Gramps Web Sync addon.
2025-11-22 08:22:38.065: DEBUG: grampswebsync.py: line 79: Retrieving password for user XXXXXXX
2025-11-22 08:22:38.066: WARNING: grampswebsync.py: line 83: Keyring is not installed, cannot retrieve password.
2025-11-22 08:22:39.820: DEBUG: grampswebsync.py: line 221: Moving to next page from page 0.
2025-11-22 08:22:39.823: DEBUG: grampswebsync.py: line 221: Moving to next page from page 1.
2025-11-22 08:22:47.135: DEBUG: grampswebsync.py: line 221: Moving to next page from page 1.
2025-11-22 08:22:48.356: DEBUG: grampswebsync.py: line 221: Moving to next page from page 1.
2025-11-22 08:22:48.356: DEBUG: grampswebsync.py: line 221: Moving to next page from page 2.
2025-11-22 08:22:48.406: DEBUG: webapihandler.py: line 160: Fetching an access token from the server
2025-11-22 08:22:48.451: DEBUG: grampswebsync.py: line 221: Moving to next page from page 1.
2025-11-22 08:23:25.037: DEBUG: grampswebsync.py: line 213: Closing Gramps Web Sync addon.
Why would Safari and curl trust my Let’s Encrypt certificate, but the addon fails with “Unknown CA”? They should all use the same macOS system keychain.
Good question, but I have no clue and no macOS system. If you ever find out, please do let me know…
Problem solved! The issue was that my reverse proxy was only serving the domain certificate without the Let’s Encrypt R13 intermediate certificate. Once I added the intermediate certificate to the reverse proxy configuration, HTTPS connections work fine.
GrampsWebSync shows a generic “Connection failed” error for SSL certificate issues. Here’s a small patch that distinguishes SSL certificate errors from general connection failures, which could help other users diagnose similar issues:
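```python
# In test_connection(), following the try block that opens the URL
except URLError as e:
    import ssl  # local import keeps the patch self-contained

    # urllib wraps TLS failures: the ssl.SSLError is carried in e.reason
    if isinstance(e.reason, ssl.SSLError):
        self.loginpage.show_error(
            _("SSL certificate error. Server may have incomplete certificate chain.")
        )
    else:
        self.loginpage.show_error(
            _("Connection failed. Please check the URL and your internet connection.")
        )
    return False
```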
This change is in the test_connection method around line 385 in grampswebsync.py.
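A more specific diagnosis than the patch above, as an added example that is not part of the thread or of the GrampsWebSync code: it reads OpenSSL's verify code from the exception so that a missing intermediate (codes 20 and 21) is told apart from an expired or mismatched certificate. The names `HINTS`, `classify`, `probe` and `constructed_verify_error` are hypothetical, and it assumes the client connects through Python's `urllib`/`ssl`, as the `URLError` in the patch implies.

```python
import socket
import ssl
from urllib.error import URLError

# OpenSSL X509_V_ERR_* codes, exposed by Python as SSLCertVerificationError.verify_code
HINTS = {
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "issuer not found locally: server may not send its intermediate certificate",
    21: "cannot verify first certificate: server may not send its intermediate certificate",
    62: "certificate does not match the host name",
}

def classify(exc):
    """Map an exception from urlopen() or wrap_socket() to (category, detail)."""
    reason = exc.reason if isinstance(exc, URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        code = getattr(reason, "verify_code", None)
        return "certificate", HINTS.get(code, f"verification failed (code {code})")
    if isinstance(reason, ssl.SSLError):
        return "tls", str(reason)
    return "connection", str(reason)

def probe(host, port=443, timeout=10):
    """Handshake using only the default trust store and the chain the server
    sends; Python's ssl module does not download missing intermediates."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok", "chain verified"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc)

def constructed_verify_error(code):
    """Constructed sample error, standing in for a real failed handshake."""
    err = ssl.SSLCertVerificationError(1, "certificate verify failed")
    err.verify_code = code
    return URLError(err)

if __name__ == "__main__":
    # Constructed inputs: a chain failure and a plain connection failure
    print(classify(constructed_verify_error(20)))
    print(classify(URLError(ConnectionRefusedError(61, "Connection refused"))))
```

Calling `probe()` with the hostname of the server in question runs the same check against a live endpoint.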