Hello,
For several days I’ve been trying to resolve the well-known TrustFailure issue related to the “DST_Root_CA_X3” certificate. My backup setup utilizes Duplicati & Jottacloud on an Asustor AS6460T NAS. Please help. I’ve exhausted all the possibilities I’ve found.
Error:
System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /asustor/trunk_2021_01_12/x64_g3/x64_g3/objs/mono-6.12.0.107/external/boringssl/ssl/handshake_client.c:1132
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <652d36f38550428c85c9b233c47d70a6>:0
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <652d36f38550428c85c9b233c47d70a6>:0
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <652d36f38550428c85c9b233c47d70a6>:0
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <652d36f38550428c85c9b233c47d70a6>:0
--- End of inner exception stack trace ---
at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <652d36f38550428c85c9b233c47d70a6>:0
at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <652d36f38550428c85c9b233c47d70a6>:0
--- End of inner exception stack trace ---
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebOperation.Run () [0x0009a] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.HttpWebRequest.GetResponse () [0x00016] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.DownloadFile (System.Uri address, System.String fileName) [0x00088] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.DownloadFile (System.String address, System.String fileName) [0x00008] in <652d36f38550428c85c9b233c47d70a6>:0
at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadFile(string,string)
at Duplicati.Library.AutoUpdater.UpdaterManager.CheckForUpdate (Duplicati.Library.AutoUpdater.ReleaseType channel) [0x000ee] in <8d4cb1693e00483189d3952c3f0ed20f>:0
With the error in place I can’t update Duplicati to the new canary release, thus I can’t back up to Jottacloud. I’ve tried every solution I’ve found on the internet but nothing worked permanently, or I am doing it improperly. My Linux knowledge is very limited.
Main solutions tried:
- Deleting “DST ROOT CA X3” cert content from ca-certificates.crt as per Error in updater - Trust Failure - SSL error - #5 by seanws78
Open the file ca-certificates.crt
/etc/ssl/certs # vi ca-certificates.crt
sudo cert-sync /etc/ssl/certs/ca-certificates.crt
It is not working at all.
- As above but with user store
sudo cert-sync --user /etc/ssl/certs/ca-certificates.crt
Not working either.
- Banning the “DST ROOT CA X3” cert and updating trust as in:
Error in updater - Trust Failure - SSL error - #3 by obones
sudo trust extract --format=pem-bundle --filter='pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert' /etc/ca-certificates/trust-source/blocklist/untrusted_authority.pem
sudo update-ca-trust
sudo cert-sync /etc/ssl/certs/ca-certificates.crt
Not possible. Incompatible with Asustor.
- Deleting cert from Trust store with hash
Error in updater - Trust Failure - SSL error - #10 by HybridAU
sudo certmgr -del -c -v -m Trust 5BCAA1C2780F0BCB5A90770451D96F38963F012D
It removes the certificate but has no effect. The certificate is back on the next cert-sync.
- Editing config file
sudo dpkg-reconfigure ca-certificates
edit the file /etc/ca-certificates.conf.
sudo update-ca-certificates
Not possible on Asustor (no config file; update-ca-certificates not working)
- Duplicati advanced options “accept-any-ssl-certificate” and “accept-specified-ssl-hash” don’t work
- Deleting certificate as per:
Failed to connect: Error: TrustFailure (Authentication failed, see inner exception.) - #6 by drwtsn32
Delete file:
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
And run:
update-ca-certificates
Can’t run “update-ca-certificates” on Asustor thus cert-sync was used:
sudo cert-sync /etc/ssl/certs/ca-certificates.crt
Actually it worked and the Duplicati update to the last canary was successful. I changed the update channel back to Beta. Backups were running properly for 2 days. Unfortunately, after a NAS reboot the issue was back again, with Duplicati downgraded to beta (without prompt).
Using the solution for the second time gives nothing.
I’ve spent many hours on the issue so far without results.
I’ll appreciate any help to resolve it finally.
Thank you in advance.
Unix 5.4.0.0 (Asustor)
Duplicati 2.0.6.3
Mono 6.12.0.107
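
Added example, not part of the original post: the post reports that a certificate removed from Mono's store is back after the next `cert-sync` of the bundle, so this sketch works on the bundle itself, listing the SHA-1 fingerprint of every PEM block and writing a copy without one given fingerprint. The function names and the sample blocks (constructed placeholders, not real certificates) are assumptions, and `base64`, `sha1sum` and `mktemp` are assumed to be present.

```shell
#!/bin/sh
# Added example: function names and sample data are assumptions, not from the post.

# pem_fingerprints BUNDLE -> "<index> <SHA-1 of decoded block, upper-case hex>" per block
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { n++; body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { print n, body; inside = 0; next }
        inside                        { sub(/\r$/, ""); body = body $0 }
    ' "$1" | while read -r idx b64; do
        fp=$(printf '%s' "$b64" | base64 -d | sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F')
        printf '%s %s\n' "$idx" "$fp"
    done
}

# strip_cert BUNDLE FINGERPRINT -> bundle on stdout without the matching block(s).
# The fingerprint may be given with or without colons, in either case.
strip_cert() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    # Force string comparison so an all-digit fingerprint is not compared as a number.
    drop=$(pem_fingerprints "$1" | awk -v w="$want" '($2 "") == (w "") { printf "%s ", $1 }')
    awk -v drop=" $drop" '
        /-----BEGIN CERTIFICATE-----/ { n++; skip = (index(drop, " " n " ") > 0) }
        !skip                         { print }
        /-----END CERTIFICATE-----/   { skip = 0 }
    ' "$1"
}

# Constructed sample: three placeholder blocks (base64 of "AAAA", "BBBB", "CCCC"),
# not real certificates. Prints the path of the temporary file it creates.
make_sample_bundle() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed bundle for the example
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0NDQw==
-----END CERTIFICATE-----
EOF
    printf '%s\n' "$f"
}
```

Running `pem_fingerprints` on the bundle before `cert-sync`, and again after a reboot, shows whether the block with a given fingerprint is present in the file at that moment. The fingerprint of a single certificate file can be read with `openssl x509 -noout -fingerprint -sha1 -in <file>`.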