PageKite 0.5.9, CA trust issue

By Bjarni Rúnar 2016-11-22, 10:58

Version 0.5.9 of PageKite has been released and is available for download.

This is a critical update, please upgrade as soon as possible!

Highlights since version 0.5.8:

  • Fix how PageKite loads CA certificates (critical)
  • Add --fe_nocertcheck, --whitelabel and --whitelabels arguments
  • Create vipagekite for safer configuration editing

The latter two features will be discussed in future blog posts; please read on for information on the critical Certificate Authority trust issue.

The CA trust issue

This release of PageKite fixes a critical bug in how PageKite verifies the authenticity of the relays and other servers, including dynamic DNS. Note that although this post focuses on the impact on users of the PageKite service, the same flaw may also have caused problems for people using TLS certificates with their own relay infrastructure. PageKite uses TLS security to protect the integrity and confidentiality of its connections to the servers, and until recently the PageKite service TLS certificates were signed by StartCom. Unfortunately, due to a breach of trust, StartCom is no longer a trusted certificate authority and we are in the process of changing our certificates as a result.

Normally changing certificates and Certificate Authorities would be a routine upgrade, but due to a bug in the default configuration, certificates signed by any authority other than StartCom will fail to validate. This update corrects that flaw.

The StartCom-signed certificate we use to secure the PageKite tunnels will last for two more years, but the certificate used to validate our dynamic DNS service expires later this week - on the 26th of November.

Impact Timeline

November 26, 2016: old versions of PageKite will no longer be able to update DNS records.

Most of the time, this will cause no problems. However, in the event of network outages or server downtime, PageKite's ability to adapt and migrate to a different relay will be impaired, even if PageKite establishes a new tunnel connection.

Late 2018: old versions of PageKite will stop working completely.

At this point, our last certificate from StartCom will have expired and instances of PageKite that have been neither upgraded nor reconfigured will go off-line. The exact date for this event is currently unknown; the certificate itself expires on December 27th, 2018, but we may need to change certificates sooner if other issues come up.


The preferred solution is to upgrade to PageKite 0.5.9 or later.

If an upgrade is infeasible, a configuration change can also be used to work around the issue, by adding the following line to your configuration (after the defaults line, if it is present):



  • Edit ~/.pagekite.rc if you are using PageKite from the CLI or GUI on Linux or OS X.
  • Edit pagekite.cfg if you are using PageKite on Windows.
  • Edit /etc/pagekite.d/20_frontends.rc if you are using the Debian (or RPM) package.
  • The actual certificate store path depends on your operating system; please check and adapt as necessary.
  • If your operating system does not provide a certificate authority bundle, you can download one from the cURL home page.
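
To check which certificate store path is usable on a given machine before editing the configuration, the following added example (not code from this post or from the PageKite project) loads each candidate bundle into an empty trust store and reports the first one that parses. The candidate paths, the function names and the two-CA minimum are assumptions for illustration; a bundle holding a single CA would reproduce the single-authority trust described above.

```python
import ssl

# Common CA bundle locations (assumed for illustration; adapt to your OS).
CANDIDATES = [
    "/etc/ssl/certs/ca-certificates.crt",  # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora, RHEL, CentOS
    "/etc/ssl/ca-bundle.pem",              # openSUSE
    "/etc/ssl/cert.pem",                   # OS X, Alpine, BSDs
]


def usable_ca_count(path):
    """Return how many CA certificates load from path (0 if unusable)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty store
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # missing or unreadable file, or no PEM certificates in it
        return 0
    return ctx.cert_store_stats()["x509_ca"]


def find_ca_bundle(candidates=None, min_cas=2):
    """Return (path, ca_count) for the first bundle with at least min_cas CAs."""
    paths = list(candidates) if candidates is not None else list(CANDIDATES)
    default = ssl.get_default_verify_paths().cafile  # None if OpenSSL has none
    if candidates is None and default:
        paths.insert(0, default)
    for path in paths:
        count = usable_ca_count(path)
        if count >= min_cas:
            return path, count
    return None


if __name__ == "__main__":
    found = find_ca_bundle()
    if found:
        print("usable CA bundle: %s (%d CA certificates)" % found)
    else:
        print("no usable CA bundle found; download one and pass its path")
```

A downloaded bundle can be checked the same way by passing its path in the `candidates` list.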

