Cert errors on Mac Catalina

Mac Catalina 10.15.3
Mono 6.8.0

I recently installed 3 backup jobs to Box Drive, MS OneDrive and Google Drive. After help from ts678 I am able to run these successfully with no errors but I get Cert warnings on all three. I’ve researched and found several Mac Terminal commands that seem to have worked for others but when I try them I get “Option or File not found” errors. I found a program to update certificates to 2034 that ran successfully but I continue to get these warnings after each backup.

I am not very familiar with Terminal command syntax but am willing to try.

Any help would be appreciated.

Update. Since I first posted I have been able to run Mono Cert-Sync with no apparent change. I still get the errors.

Saying what sort of things, and when? I would have thought a serious cert error wouldn’t even connect.

Secure Socket Layer (SSL) / Transport Layer Security (TLS) has other suggestions, e.g. mozroots.exe.

If this needs Mac-specific expertise, perhaps a Mac user will drop by…

I should have said Cert Warning (not error). After the backup completes successfully I get the following Warning for all cloud backups:
2020-04-08 11:41:03 -05 - [Warning-Duplicati.Library.Modules.Builtin.CheckMonoSSL-MissingCerts]: No certificates found, you can install some with one of these commands: cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives curl -O https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm cacert.pem #for MacOS Read more: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync

I belive mozroots.exe has been deprecated and replaced by Cert-Sync in Mono. If I enter the command indicated in the message “cert-sync /etc/pki/tls/certs/ca-bundle.crt” I get a File not Found error for the part after Cert-Sync. Cert-Sync by itself seems to run but nothing happens and I still get the Warnings.

Are you sure you did the part " Make sure the ca-certificates-mono package is installed."?
A forum poster solved the warning on Linux by doing that. I don’t know macOS’ package tools.


Found another Linux user using this fix, and there might be more. macOS seems complicated. on Mac: Missing certificates gets into it. I’m not sure why others aren’t seeing it though.

What does a mono --version say? Perhaps you could see if updating to current mono helps.



shows the Ubuntu package names, where mono-complete has ca-certificates-mono and more.
I’m not sure what macOS package design looks like. There’s also a brew install mono plan.

It should not be a warning. I think mono has changed the strategy around certificates slightly, so if the backup completes it makes not sense to warn about missing certificates (either they exist, or they are not required).

An easy fix would be to remove the warning emitted from Duplicati in the next release.


I found a page for Mono support with the fix. In Mac Terminal enter:

curl -L -o /tmp/cacert.pem https://curl.haxx.se/ca/cacert.pem
cert-sync --user /tmp/cacert.pem

I ran these and then all three backups ran without error or Cert warning.

Thanks for the help.

1 Like

I found one about the same time, however I wasn’t sure it was the fix for you, but I’m glad it was…

TLS 1.2 Support

On Mac if you compiled and installed Mono from source (i.e. you don’t have access to the Apple TLS implementation), you can use cert-sync to populate the Mono certificate stores with CA certificates from the curl maintainers which are based on Mozilla’s trusted CA list:

I’m curious if you fall into this case. Possibly brew install mono would be a compile from source. Possibly the reason Duplicati sees little of this is that maybe others downloaded from mono-project.

Although you don’t need it now, one other possible workaround to end the noise might be based on:

C:\ProgramData\Duplicati\duplicati->Duplicati.CommandLine.exe help check-mono-ssl
Check for SSL certificates (check-mono-ssl):
 When running with Mono, this module will check if any certificates are
 installed and suggest installing them otherwise
 Module is loaded automatically, use --disable-module to prevent this

C:\ProgramData\Duplicati\duplicati->Duplicati.CommandLine.exe help disable-module
  --disable-module (String): Disables one or more modules
    Supply one or more module names, separated by commas to unload them


I was also trying to follow up on the @kenkendk thought (though I can’t personally add the easy fix).

Fully implement X509Store and related APIs #7019 has interesting comments on the design in 2018.

AppleTLS stack is a more recent change (mono v5, minimum requirement for Duplicati Beta):

The Mono.framework package that we distribute for macOS now uses the AppleTLS stack for implementing our SSL/TLS transport.

TLS 1.2 Support from Mono 4.8.0 Release Notes 22 Feb 2017 is where BTLS support came in, which caused the three-way potential split in certificate validation (mentioned in the X509Store issue above).

Thanks for this additional information. It seems to me that another “fix” would be to show the commands I used in the Warning message. The ones they show are for Linux systems and for Mac they say to read more.

The Read more looks like it means to point to new cert-sync command, which all directions use.
Two Linux directions have a local file available to give to cert-sync. For macOS, it’s a download.

I think the problem is figuring out which directions go with which OS. I guess it lost spaces below?

curl -O https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm cacert.pem #for MacOS

is what you did, except -O uses name of remote file, but in the current directory. -L handles a redirect.

This worked for me.
Thank you