2.0.3.7 on Mac: Missing certificates

Mikael_Andersson · June 19, 2018, 5:29am

Warnings: [ 2018-06-18 07:40:35 +02 - [Warning-Duplicati.Library.Modules.Builtin.CheckMonoSSL-MissingCerts]: No certificates found, you can install some with one of these commands: cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives Read more: Release Notes Mono 3.12.0 | Mono,

How do I resolve this?
Did not happen on beta version.

Mikael_Andersson · June 19, 2018, 6:25am

upgraded mono from 5.10 to 5.12, no difference

Mikael_Andersson · June 19, 2018, 11:15am

appears there were a problem with my mono installation.
Was under the impression that ssl certs would be loaded automatically at installation but does not seem to have happened for me.

Resolved by downloading certs from curl - Extract CA Certs from Mozilla and running:
cert-sync --user cacert.pem

Duplicati warning was correct.

JonMikelV · June 21, 2018, 4:25am

Thanks for sharing your experience with this, I’m not positive when the “No certificates found” message was added to Duplicati but it’s nice to know it’s showing when it should!

I’ve flagged your post as the solution - let me know if you disagree. And thanks for using Duplicati!

Pectojin · July 14, 2018, 4:35pm

Very nice solution!

I had this happen on my mac as well after upgrading it recently and couldn’t figure out why MacOS isn’t even mentioned on the mono release page where they provide solutions for Debian/RHEL.

JonMikelV · July 16, 2018, 9:40pm

This happened for me as well, but wasn’t around any updates. My daily job suddenly started throwing this warning and error at least 5 days after any updates had been done…

Oddly, there was one day where it did NOT throw the warning or error and the job ran successfully leading me to suspect they are related.

@Mikael_Andersson’s solution seems to have worked for me as well so perhaps the message should be updated to add to the Debian and RedHat suggestions something along the lines of:

curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm cacert.pem #for MacOS

In the job log:

2018-07-16 09:34:06 -05 - [Warning-Duplicati.Library.Modules.Builtin.CheckMonoSSL-MissingCerts]: No certificates found, you can install some with one of these commands:
    cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems
    cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives
Read more: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync

In the global log:

ystem.AggregateException: One or more errors occurred. ---> System.AggregateException: Value does not fall within the expected range. ---> System.ArgumentException: Value does not fall within the expected range.
  at Renci.SshNet.Session.WaitOnHandle (System.Threading.WaitHandle waitHandle, System.TimeSpan timeout) [0x00041] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Session.Renci.SshNet.ISession.WaitOnHandle (System.Threading.WaitHandle waitHandle) [0x0000d] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.WaitOnHandle (System.Threading.WaitHandle waitHandle) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Close () [0x00080] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ChannelSession.Close () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Dispose (System.Boolean disposing) [0x0000f] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ClientChannel.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ChannelSession.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Disconnect () [0x00053] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Sftp.SftpSession.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SftpClient.OnDisconnecting () [0x00017] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Disconnect () [0x00006] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SftpClient.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Duplicati.Library.Backend.SSHv2.Dispose () [0x00008] in <e43cdcaec911420ba5f812d5ecc9ca5a>:0 
  at Duplicati.Library.Main.BackendManager.Dispose () [0x00077] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Operation.BackupHandler+<RunAsync>d__19.MoveNext () [0x00fc1] in <0ce58d578b8642d49036dc15fbad38f1>:0 
   --- End of inner exception stack trace ---
  at Duplicati.Library.Main.Operation.BackupHandler+<RunAsync>d__19.MoveNext () [0x0102c] in <0ce58d578b8642d49036dc15fbad38f1>:0 
   --- End of inner exception stack trace ---
  at CoCoL.ChannelExtensions.WaitForTaskOrThrow (System.Threading.Tasks.Task task) [0x0005d] in <6973ce2780de4b28aaa2c5ffc59993b1>:0 
  at Duplicati.Library.Main.Operation.BackupHandler.Run (System.String[] sources, Duplicati.Library.Utility.IFilter filter) [0x00008] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Controller+<>c__DisplayClass13_0.<Backup>b__0 (Duplicati.Library.Main.BackupResults result) [0x00035] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Controller.RunAction[T] (T result, System.String[]& paths, Duplicati.Library.Utility.IFilter& filter, System.Action`1[T] method) [0x0022e] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Controller.Backup (System.String[] inputsources, Duplicati.Library.Utility.IFilter filter) [0x00068] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Server.Runner.Run (Duplicati.Server.Runner+IRunnerData data, System.Boolean fromQueue) [0x00335] in <8486dd191d20467cbf8d627f56ca2e90>:0 
---> (Inner Exception #0) System.AggregateException: Value does not fall within the expected range. ---> System.ArgumentException: Value does not fall within the expected range.
  at Renci.SshNet.Session.WaitOnHandle (System.Threading.WaitHandle waitHandle, System.TimeSpan timeout) [0x00041] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Session.Renci.SshNet.ISession.WaitOnHandle (System.Threading.WaitHandle waitHandle) [0x0000d] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.WaitOnHandle (System.Threading.WaitHandle waitHandle) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Close () [0x00080] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ChannelSession.Close () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Dispose (System.Boolean disposing) [0x0000f] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ClientChannel.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ChannelSession.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Disconnect () [0x00053] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Sftp.SftpSession.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SftpClient.OnDisconnecting () [0x00017] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Disconnect () [0x00006] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SftpClient.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Duplicati.Library.Backend.SSHv2.Dispose () [0x00008] in <e43cdcaec911420ba5f812d5ecc9ca5a>:0 
  at Duplicati.Library.Main.BackendManager.Dispose () [0x00077] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Operation.BackupHandler+<RunAsync>d__19.MoveNext () [0x00fc1] in <0ce58d578b8642d49036dc15fbad38f1>:0 
   --- End of inner exception stack trace ---
  at Duplicati.Library.Main.Operation.BackupHandler+<RunAsync>d__19.MoveNext () [0x0102c] in <0ce58d578b8642d49036dc15fbad38f1>:0 
---> (Inner Exception #0) System.ArgumentException: Value does not fall within the expected range.
  at Renci.SshNet.Session.WaitOnHandle (System.Threading.WaitHandle waitHandle, System.TimeSpan timeout) [0x00041] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Session.Renci.SshNet.ISession.WaitOnHandle (System.Threading.WaitHandle waitHandle) [0x0000d] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.WaitOnHandle (System.Threading.WaitHandle waitHandle) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Close () [0x00080] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ChannelSession.Close () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Dispose (System.Boolean disposing) [0x0000f] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ClientChannel.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.ChannelSession.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Channels.Channel.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Disconnect () [0x00053] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.Sftp.SftpSession.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SubsystemSession.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SftpClient.OnDisconnecting () [0x00017] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Disconnect () [0x00006] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Dispose (System.Boolean disposing) [0x0000c] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.SftpClient.Dispose (System.Boolean disposing) [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Renci.SshNet.BaseClient.Dispose () [0x00000] in <502177f7126d48e4be01a83c8cdb4c79>:0 
  at Duplicati.Library.Backend.SSHv2.Dispose () [0x00008] in <e43cdcaec911420ba5f812d5ecc9ca5a>:0 
  at Duplicati.Library.Main.BackendManager.Dispose () [0x00077] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Operation.BackupHandler+<RunAsync>d__19.MoveNext () [0x00fc1] in <0ce58d578b8642d49036dc15fbad38f1>:0 <---

---> (Inner Exception #1) System.AggregateException: One or more errors occurred. ---> System.Exception: Unable to find log in lookup table, this may be caused by attempting to transport call contexts between AppDomains (eg. with remoting calls)
  at Duplicati.Library.Logging.Log.get_CurrentScope () [0x0004d] in <a0d17c5f1b8942efac55f621de8cc00b>:0 
  at Duplicati.Library.Logging.Log.WriteMessage (Duplicati.Library.Logging.LogMessageType type, System.String tag, System.String id, System.Exception ex, System.String message, System.Object[] arguments) [0x0001e] in <a0d17c5f1b8942efac55f621de8cc00b>:0 
  at Duplicati.Library.Logging.Log.WriteWarningMessage (System.String tag, System.String id, System.Exception ex, System.String message, System.Object[] arguments) [0x00000] in <a0d17c5f1b8942efac55f621de8cc00b>:0 
  at Duplicati.Library.Main.Operation.Backup.FileEnumerationProcess+<>c.<Run>b__1_3 (System.String rootpath, System.String errorpath, System.Exception ex) [0x00000] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Utility.Utility+<EnumerateFileSystemEntries>d__23.MoveNext () [0x001d9] in <5336a8b903594fa5ae5a9692dae4b7fe>:0 
  at System.Linq.Enumerable+SelectManySingleSelectorIterator`2[TSource,TResult].MoveNext () [0x0006f] in <9da65c3aa2654e53b5f11b79677182e0>:0 
  at Duplicati.Library.Main.Operation.Backup.FileEnumerationProcess+<ExpandWorkList>d__4.MoveNext () [0x000da] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Operation.Backup.FileEnumerationProcess+<>c__DisplayClass1_0+<<Run>b__0>d.MoveNext () [0x00263] in <0ce58d578b8642d49036dc15fbad38f1>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.GetResult () [0x00000] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at CoCoL.AutomationExtensions+<RunTask>d__10`1[T].MoveNext () [0x000cc] in <6973ce2780de4b28aaa2c5ffc59993b1>:0 
   --- End of inner exception stack trace ---
---> (Inner Exception #0) System.Exception: Unable to find log in lookup table, this may be caused by attempting to transport call contexts between AppDomains (eg. with remoting calls)
  at Duplicati.Library.Logging.Log.get_CurrentScope () [0x0004d] in <a0d17c5f1b8942efac55f621de8cc00b>:0 
  at Duplicati.Library.Logging.Log.WriteMessage (Duplicati.Library.Logging.LogMessageType type, System.String tag, System.String id, System.Exception ex, System.String message, System.Object[] arguments) [0x0001e] in <a0d17c5f1b8942efac55f621de8cc00b>:0 
  at Duplicati.Library.Logging.Log.WriteWarningMessage (System.String tag, System.String id, System.Exception ex, System.String message, System.Object[] arguments) [0x00000] in <a0d17c5f1b8942efac55f621de8cc00b>:0 
  at Duplicati.Library.Main.Operation.Backup.FileEnumerationProcess+<>c.<Run>b__1_3 (System.String rootpath, System.String errorpath, System.Exception ex) [0x00000] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Utility.Utility+<EnumerateFileSystemEntries>d__23.MoveNext () [0x001d9] in <5336a8b903594fa5ae5a9692dae4b7fe>:0 
  at System.Linq.Enumerable+SelectManySingleSelectorIterator`2[TSource,TResult].MoveNext () [0x0006f] in <9da65c3aa2654e53b5f11b79677182e0>:0 
  at Duplicati.Library.Main.Operation.Backup.FileEnumerationProcess+<ExpandWorkList>d__4.MoveNext () [0x000da] in <0ce58d578b8642d49036dc15fbad38f1>:0 
  at Duplicati.Library.Main.Operation.Backup.FileEnumerationProcess+<>c__DisplayClass1_0+<<Run>b__0>d.MoveNext () [0x00263] in <0ce58d578b8642d49036dc15fbad38f1>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.GetResult () [0x00000] in <c9f8153c41de4f8cbafd0e32f9bf6b28>:0 
  at CoCoL.AutomationExtensions+<RunTask>d__10`1[T].MoveNext () [0x000cc] in <6973ce2780de4b28aaa2c5ffc59993b1>:0 <---
<---
<---

JonMikelV · July 16, 2018, 9:40pm

For those that are curious, here’s what I saw after running the cert-sync on MacOS High Sierra 10.13.5…

Mono Certificate Store Sync - version 5.2.0.0
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy user store:
I already trust 0, your new list has 132
Certificate added: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Certificate added: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G3
Certificate added: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
Certificate added: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Certificate added: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Certificate added: C=US, O="Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, OU="(c) 2006 Entrust, Inc.", CN=Entrust Root Certification Authority
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
Certificate added: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Certificate added: C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
Certificate added: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
Certificate added: C=FI, O=Sonera, CN=Sonera Class2 CA
Certificate added: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
Certificate added: C=US, O="The Go Daddy Group, Inc.", OU=Go Daddy Class 2 Certification Authority
Certificate added: C=US, O="Starfield Technologies, Inc.", OU=Starfield Class 2 Certification Authority
Certificate added: C=TW, O=Government Root Certification Authority
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Certificate added: C=FR, O=Certplus, CN=Class 2 Primary CA
Certificate added: O=Digital Signature Trust Co., CN=DST Root CA X3
Certificate added: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
Certificate added: C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority
Certificate added: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2006 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
Certificate added: C=US, O=SecureTrust Corporation, CN=SecureTrust CA
Certificate added: C=US, O=SecureTrust Corporation, CN=Secure Global CA
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
Certificate added: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
Certificate added: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA
Certificate added: C=FR, O=Dhimyotis, CN=Certigna
Certificate added: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
Certificate added: O="Cybertrust, Inc", CN=Cybertrust Global Root
Certificate added: C=TW, O="Chunghwa Telecom Co., Ltd.", OU=ePKI Root Certification Authority
Certificate added: C=RO, O=certSIGN, OU=certSIGN ROOT CA
Certificate added: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3
Certificate added: C=US, O="thawte, Inc.", OU="(c) 2007 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G2
Certificate added: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2008 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G3
Certificate added: C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2008 VeriSign, Inc. - For authorized use only", CN=VeriSign Universal Root Certification Authority
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2007 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G4
Certificate added: C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Arany (Class Gold) Főtanúsítvány
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2
Certificate added: C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1
Certificate added: C=JP, O="Japan Certification Services, Inc.", CN=SecureSign RootCA11
Certificate added: C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=info@e-szigno.hu
Certificate added: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate added: C=ES, O=IZENPE S.A., CN=Izenpe.com
Certificate added: C=EU, L=Madrid (see current address at www.camerfirma.com/address), OID.2.5.4.5=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008
Certificate added: C=EU, L=Madrid (see current address at www.camerfirma.com/address), OID.2.5.4.5=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008
Certificate added: C=US, S=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", CN=Go Daddy Root Certificate Authority - G2
Certificate added: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Root Certificate Authority - G2
Certificate added: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Services Root Certificate Authority - G2
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Commercial
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Networking
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Premium
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC
Certificate added: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
Certificate added: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
Certificate added: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2
Certificate added: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC
Certificate added: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011
Certificate added: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA
Certificate added: C=GB, O=Trustis Limited, OU=Trustis FPS Root CA
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA
Certificate added: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3
Certificate added: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee
Certificate added: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009
Certificate added: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009
Certificate added: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2
Certificate added: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
Certificate added: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA
Certificate added: O=TeliaSonera, CN=TeliaSonera Root CA v1
Certificate added: C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
Certificate added: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2
Certificate added: CN=Atos TrustedRoot 2011, O=Atos, C=DE
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Certificate added: C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Certificate added: C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
Certificate added: OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign
Certificate added: OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
Certificate added: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
Certificate added: C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1
Certificate added: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2
Certificate added: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - EC1
Certificate added: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT
Certificate added: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA
Certificate added: C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA
Certificate added: C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2
Certificate added: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2
Certificate added: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015
Certificate added: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015
Certificate added: C=FR, O=Certplus, CN=Certplus Root CA G1
Certificate added: C=FR, O=Certplus, CN=Certplus Root CA G2
Certificate added: C=FR, O=OpenTrust, CN=OpenTrust Root CA G1
Certificate added: C=FR, O=OpenTrust, CN=OpenTrust Root CA G2
Certificate added: C=FR, O=OpenTrust, CN=OpenTrust Root CA G3
Certificate added: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Certificate added: C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 1
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 2
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 3
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 4
Certificate added: C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2
Certificate added: C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Certificate added: C=CN, O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.", CN=GDCA TrustAUTH R5 ROOT
Certificate added: C=PA, S=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1
Certificate added: C=PA, S=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2
Certificate added: C=PA, S=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority ECC
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority RSA R2
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC
132 new root certificates were added to your trust store.
Import process completed.

Importing into BTLS user store:
I already trust 0, your new list has 132
Certificate added: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Certificate added: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G3
Certificate added: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
Certificate added: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Certificate added: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Certificate added: C=US, O="Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, OU="(c) 2006 Entrust, Inc.", CN=Entrust Root Certification Authority
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
Certificate added: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Certificate added: C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
Certificate added: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
Certificate added: C=FI, O=Sonera, CN=Sonera Class2 CA
Certificate added: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
Certificate added: C=US, O="The Go Daddy Group, Inc.", OU=Go Daddy Class 2 Certification Authority
Certificate added: C=US, O="Starfield Technologies, Inc.", OU=Starfield Class 2 Certification Authority
Certificate added: C=TW, O=Government Root Certification Authority
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Certificate added: C=FR, O=Certplus, CN=Class 2 Primary CA
Certificate added: O=Digital Signature Trust Co., CN=DST Root CA X3
Certificate added: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
Certificate added: C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority
Certificate added: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2006 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
Certificate added: C=US, O=SecureTrust Corporation, CN=SecureTrust CA
Certificate added: C=US, O=SecureTrust Corporation, CN=Secure Global CA
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
Certificate added: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
Certificate added: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA
Certificate added: C=FR, O=Dhimyotis, CN=Certigna
Certificate added: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
Certificate added: O="Cybertrust, Inc", CN=Cybertrust Global Root
Certificate added: C=TW, O="Chunghwa Telecom Co., Ltd.", OU=ePKI Root Certification Authority
Certificate added: C=RO, O=certSIGN, OU=certSIGN ROOT CA
Certificate added: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3
Certificate added: C=US, O="thawte, Inc.", OU="(c) 2007 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G2
Certificate added: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2008 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G3
Certificate added: C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2008 VeriSign, Inc. - For authorized use only", CN=VeriSign Universal Root Certification Authority
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2007 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G4
Certificate added: C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Arany (Class Gold) Főtanúsítvány
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2
Certificate added: C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1
Certificate added: C=JP, O="Japan Certification Services, Inc.", CN=SecureSign RootCA11
Certificate added: C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=info@e-szigno.hu
Certificate added: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate added: C=ES, O=IZENPE S.A., CN=Izenpe.com
Certificate added: C=EU, L=Madrid (see current address at www.camerfirma.com/address), OID.2.5.4.5=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008
Certificate added: C=EU, L=Madrid (see current address at www.camerfirma.com/address), OID.2.5.4.5=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008
Certificate added: C=US, S=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", CN=Go Daddy Root Certificate Authority - G2
Certificate added: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Root Certificate Authority - G2
Certificate added: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Services Root Certificate Authority - G2
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Commercial
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Networking
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Premium
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC
Certificate added: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
Certificate added: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
Certificate added: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2
Certificate added: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC
Certificate added: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011
Certificate added: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA
Certificate added: C=GB, O=Trustis Limited, OU=Trustis FPS Root CA
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA
Certificate added: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3
Certificate added: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee
Certificate added: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009
Certificate added: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009
Certificate added: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2
Certificate added: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
Certificate added: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA
Certificate added: O=TeliaSonera, CN=TeliaSonera Root CA v1
Certificate added: C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
Certificate added: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2
Certificate added: CN=Atos TrustedRoot 2011, O=Atos, C=DE
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Certificate added: C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Certificate added: C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
Certificate added: OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign
Certificate added: OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
Certificate added: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
Certificate added: C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1
Certificate added: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2
Certificate added: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - EC1
Certificate added: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT
Certificate added: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA
Certificate added: C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA
Certificate added: C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2
Certificate added: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2
Certificate added: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015
Certificate added: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015
Certificate added: C=FR, O=Certplus, CN=Certplus Root CA G1
Certificate added: C=FR, O=Certplus, CN=Certplus Root CA G2
Certificate added: C=FR, O=OpenTrust, CN=OpenTrust Root CA G1
Certificate added: C=FR, O=OpenTrust, CN=OpenTrust Root CA G2
Certificate added: C=FR, O=OpenTrust, CN=OpenTrust Root CA G3
Certificate added: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Certificate added: C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 1
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 2
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 3
Certificate added: C=US, O=Amazon, CN=Amazon Root CA 4
Certificate added: C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2
Certificate added: C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Certificate added: C=CN, O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.", CN=GDCA TrustAUTH R5 ROOT
Certificate added: C=PA, S=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1
Certificate added: C=PA, S=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2
Certificate added: C=PA, S=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority ECC
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority RSA R2
Certificate added: C=US, S=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC
132 new root certificates were added to your trust store.
Import process completed.

Pectojin · July 17, 2018, 8:16am

I believe the existing message is caused by mono itself and not any specific part of the application, and I don’t think we can modify it.

But we can probably make a check for it and provide that information in a separate warning. Where would that check make sense to run? before starting a backup?

JonMikelV · July 17, 2018, 3:02pm

Unless we’re talking about different messages, it’s our text:

github.com

duplicati/duplicati/blob/de84650eae85dd42e90b6e87381449f09303300a/Duplicati/Library/Modules/Builtin/Strings.cs#L18


    public static string ConfirmPassphrasePrompt { get { return LC.L(@"Confirm encryption passphrase"); } }

    public static string Description { get { return LC.L(@"This module will ask the user for an encryption password on the command line unless encryption is disabled or the password is supplied by other means"); } }

    public static string Displayname { get { return LC.L(@"Password prompt"); } }

    public static string EmptyPassphraseError { get { return LC.L(@"Empty passphrases are not allowed"); } }

    public static string EnterPassphrasePrompt { get { return LC.L(@"Enter encryption passphrase"); } }

    public static string PassphraseMismatchError { get { return LC.L(@"The passphrases do not match"); } }

}

internal static class CheckMonoSSL {

    public static string Description { get { return LC.L(@"When running with Mono, this module will check if any certificates are installed and suggest installing them otherwise"); } }

    public static string Displayname { get { return LC.L(@"Check for SSL certificates"); } }

    public static string ErrorMessage { get { return LC.L(@"No certificates found, you can install some with one of these commands:{0}    cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems{0}    cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives{0}Read more: {1}", Environment.NewLine, "http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync"); } }

}

internal static class HttpOptions {

    public static string Description { get { return LC.L(@"This module exposes a number of properties that can be used to change the way http requests are issued"); } }

    public static string DescriptionAcceptAnyCertificateLong { get { return LC.L(@"Use this option to accept any server certificate, regardless of what errors it may have. Please use --accept-specified-ssl-hash instead, whenever possible."); } }

    public static string DescriptionAcceptAnyCertificateShort { get { return LC.L(@"Accept any server certificate"); } }

    public static string DescriptionAcceptHashLong2 { get { return LC.L(@"If your server certificate is reported as invalid (eg. with self-signed certificates), you can supply the certificate hash to approve it anyway. The hash value must be entered in hex format without spaces. You can enter multiple hashes separated by commas."); } }

    public static string DescriptionAcceptHashShort { get { return LC.L(@"Optionally accept a known SSL certificate"); } }

    public static string DisableExpect100Long { get { return LC.L(@"The default HTTP request has the header ""Expect: 100-Continue"" attached, which allows some optimizations when authenticating, but also breaks some web servers, causing them to report ""417 - Expectation failed"""); } }

    public static string DisableExpect100Short { get { return LC.L(@"Disable the expect header"); } }

    public static string DisableNagleLong { get { return LC.L(@"By default the http requests use the RFC 896 nagling algorithm to support transfer of small packages more efficiently."); } }

I should mention that for me, adding the certs resolved the “No certificates found” warning, but has NOT done anything with the “Value does not fall within the expected range” SshNet error.

So those may not be as related as I assumed they were previously.

Pectojin · July 17, 2018, 3:16pm

Oh, my mistake.

I don’t think they’re related. My cert warning did not cause any actual issues. I just got a warning on every backup.

JonMikelV · July 17, 2018, 3:24pm

Do you think the multi-command string I proposed is too long? I’m worried the extra steps of manually downloading (and finding) the certs will be a turn-off for some users.

Also, do you think --user should NOT be used (--user will populate the per-user store in the user’s home directory, instead of the system-wide store.)

Pectojin · July 17, 2018, 3:28pm

Hmm, I did it without --user

I basically did

wget https://curl.haxx.se/ca/cacert.pem; cert-sync cacert.pem; rm -f cacert.pem # For MacOS

JonMikelV · July 17, 2018, 3:34pm

I like yours better and have put in a PR for it.
https://github.com/duplicati/duplicati/compare/master...JonMikelV-certUpdate-MacOS?quick_pull=1

Pectojin · July 17, 2018, 3:44pm

There might be a typo

https://curl.haxx.se/ca/cacert.pem; cert-sync cacert.pem; rm -f cacert.pem # For MacOS missing the wget

Pectojin · July 18, 2018, 8:52pm

@JonMikelV’s changes have been merged into master now Merge pull request #3324 from duplicati/JonMikelV-certUpdate-MacOS · duplicati/duplicati@c5e25e7 · GitHub
Should show up in next release.

JonMikelV · July 23, 2018, 8:42pm

That may not be a bad thing… I just tested on a Mac I support (10.13.5 High Sierra) and it doesn’t seem to have wget but it does have curl.

Maybe it would be “safer” to use:
curl --remote-name https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm -f cacert.pem # For MacOS

Instead of:
wget https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm -f cacert.pem # For MacOS

Actually, I was thinking - why would we NOT want Duplicati to do this? By having a “fetch latest certificates” button (maybe under global settings) Duplicati could do the fetch and cert-sync which would ensure thy are applied under the correct account.

Pectojin · July 23, 2018, 9:32pm

Hmm, changing to curl might be safe. I must admit it never occurred to me it wouldn’t be on a modern UNIX system (other than small containers).

Building it into Duplicati as a command might be a good idea, making it simpler to resolve for the end user.

JonMikelV · August 6, 2018, 8:34pm

Oddly, I’m finding that I have the certs added both for the regular user account and root (which is what the MacOS daemon is using) and I’m still getting the warnings.

Is it possible mono is running under yet a different account?

Pectojin · August 6, 2018, 9:48pm

Running ps aux | grep duplicati should reveal the user that Duplicati is running under on any UNIX system.

# ps aux | grep duplicati
rune             72887   0.0  0.0  4276968   1024 s001  S+   11:44PM   0:00.00 grep --color duplicati
rune             67054   0.0  0.1  4394052  18824   ??  S    Sun09PM   0:06.46 /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python /Users/rune/git/duplicati/Duplicati/GUI/Duplicati.GUI.TrayIcon/bin/Debug/OSXTrayHost/osx-trayicon-rumps.py
rune             67050   0.0  0.3  4528480  47972   ??  S    Sun09PM   0:55.64 /Library/Frameworks/Mono.framework/Versions/5.10.1/bin/mono --debug --debugger-agent=transport=dt_socket,address=127.0.0.1:59003 /Users/rune/git/duplicati/Duplicati/GUI/Duplicati.GUI.TrayIcon/bin/Debug/Duplicati.GUI.TrayIcon.exe

On my system Importing the certificates under the correct user worked for both my own user and for root.

JonMikelV · September 25, 2018, 2:07am

For the record, I found that when running Duplicati as daemon / service on MacOS (meaning it was running under root) I needed to run:

sudo -i #interactive login so all following commands execute as root
curl -O https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm cacert.pem #for MacOS