CheckMonoSSL-MissingCerts on Mac OS after upgrade

Duplicati 2.0.4.5_beta_2018-11-28 running on Mac OS X 10.13.6 as a service via launchd script. Upgraded from prior beta version that had been running well for many months without issue.

Whenever I go to run a backup now, I get the mono ssl issue after a couple puts.

2018-12-16 21:36:59 -05 - [Information-Duplicati.Library.Main.BasicResults-BackendEvent]: Backend event: Put - Completed: duplicati-b371fe5c97ecb43f7b43fef6cd022394f.dblock.zip.aes (19.91 MB),
...
]
Warnings: [
2018-12-16 21:32:31 -05 - [Warning-Duplicati.Library.Modules.Builtin.CheckMonoSSL-MissingCerts]: No certificates found, you can install some with one of these commands:
cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems
cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives
curl -O https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm cacert.pem #for MacOS
Read more: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync

Unfortunately, the instructions from the prior post that somebody marked as solved do not seem to work.

Do you get any errors when running the cert sync utility?

Those steps used to work on previous MacOS versions so I’m wondering if something in the new version has broken or changed it.

The instructions included with the error message don’t work well with service mode. Can you try them with ‘su’? That gets the certs installed with root acct. access.

Oh, nicely spotted. Yeah, in service mode it will run as root and the cert sync is installed per user.

More painful experience than spotting anything. :slight_smile:

So, I went in, su’d to my admin account, sudo -i for interactive, and updated the certs.

Now Duplicati won’t even launch to give me a menu bar icon. I also can’t connect to the web control url, so it seems as if it no longer is running as a service either.

This was all running perfectly with the previous beta on multiple systems prior to letting it update itself on my daily use laptop. So, I guess just don’t do that. :frowning: Hopefully when I re-install the old one it’ll go back to working again. :\

A little further digging:
Error message:
The database has version 6 but the largest supported version is 4.

This is likely caused by upgrading to a newer version and then downgrading.

If this is the case, there is likely a backup file of the previous database version in the folder [redacted path]

at Duplicati.Server.Program.GetDatabaseConnection (System.Collections.Generic.Dictionary`2[TKey,TValue] commandlineOptions) [0x0023b] in <670b0e4a9ae144208688fcb192d20146>:0
at Duplicati.Server.Program.RealMain (System.String _args) [0x002bb] in <670b0e4a9ae144208688fcb192d20146>:0
--- End of inner exception stack trace ---
at Duplicati.Library.AutoUpdater.UpdaterManager.RunMethod (System.Reflection.MethodInfo method, System.String args) [0x00097] in <9ce928d8db224e1f8330a80e119b5dbe>:0
at Duplicati.Library.AutoUpdater.UpdaterManager+<>c__DisplayClass58_0.<RunFromMostRecentSpawn>b__0 () [0x00000] in <9ce928d8db224e1f8330a80e119b5dbe>:0
at Duplicati.Library.AutoUpdater.UpdaterManager.WrapWithUpdater (Duplicati.Library.AutoUpdater.AutoUpdateStrategy defaultstrategy, System.Action wrappedFunction) [0x00157] in <9ce928d8db224e1f8330a80e119b5dbe>:0
at Duplicati.Library.AutoUpdater.UpdaterManager.RunFromMostRecentSpawn (System.Reflection.MethodInfo method, System.String cmdargs, Duplicati.Library.AutoUpdater.AutoUpdateStrategy defaultstrategy) [0x0004b] in <9ce928d8db224e1f8330a80e119b5dbe>:0
at Duplicati.Library.AutoUpdater.UpdaterManager.RunFromMostRecent (System.Reflection.MethodInfo method, System.String cmdargs, Duplicati.Library.AutoUpdater.AutoUpdateStrategy defaultstrategy) [0x0001b] in <9ce928d8db224e1f8330a80e119b5dbe>:0
at Duplicati.GUI.TrayIcon.Program.Main (System.String args) [0x0001c] in <ca93296e82084f80be4b4a222197f416>:0

Well, after reverting the database, things appeared to be working again. Then I got notified about the update, and I’m told:

Current version is - 2.0.3.3_beta_2018-04-02 (2.0.3.3)
2018-11-28 - 2.0.4.5_beta_2018-11-28

This puzzles the heck out of me, since it actually acted like it was working, except for the cert warning, after installing the update. Then once I fixed the cert error, it didn’t run, so I had to put the prior database back, and that appears to have reverted everything, which is especially weird. On top of that, it appears that even though this was the first time I got notified about an update, there have been prior newer beta versions, according to the change log.

Suggestions on moving forward? For now I’m just going to ignore the update dialog and leave it showing, though that will put me even further behind if I don’t eventually do something about it.

Decided I have a Time Machine backup, so I’d just YOLO it and do a manual overwrite install of the newest beta downloaded from the website. That appears to have worked as it is currently backing things up again. Here’s to hoping it completes without errors. :slight_smile:

Well, another failed Duplicati upgrade here. I tried on MacOS to upgrade from 2.0.3.3beta to 2.0.4.23beta.

I run the installer from the Web GUI where it says that an upgrade is available and after downloading and activating the upgrade I get the “Connection to Server lost” error. I have no GUI password. I waited several minutes, clicked on the message but it always comes back. So I aborted this process and still have 2.0.3.3.

But now, during my next backup I get the CheckMonoSSL-MissingCerts warning message. I then ran the recommended curl command, which appears to have worked and installed a large number of certificates.

But now Duplicati does not launch anymore from the Web GUI. In Terminal I can see that Duplicati is complaining that “The database has version 7 but the largest supported version is 6.” Having seen this error many times before during every upgrade, I replaced the content of the Duplicati-server.sqlite file with the content of the backup_xxxxxx.sqlite file. After repairing the database I can launch Duplicati again, but I still have version 2.0.3.3.

Now I try the upgrade again. This time it appears the updater aborts the download of the upgrade from the internet. The log shows many errors in update: (502) Bad Gateway, NameResolutionFailure, etc.

As a workaround I download a fresh version of Duplicati from the website and replace the existing install. This seems to work, Duplicati is launching, my backup settings are still preserved and I have the latest version.

So, this took like half a day’s work.

Download page saying ‘Bad gateway’ is probably this part. The good news is manual download worked.

I don’t have macOS so can’t comment on certificates. I don’t know why mono would need fixing again…

Duplicati no longer launching on Mac - database version? is your old DB issue, seemingly all on its own.

Since the above altercation, I’ve taken to either not updating Duplicati on machines, or for ones that have Time Machine running and tested, doing a manual download and install when I get the notification, rather than letting it try to update on its own. That appears to have kept things working so far.

I’m seeing this exact issue on a fresh, new macOS installation. I’ve run duplicati on various other machines, including Linux, Windows, and macOS, but don’t recall ever coming across this before.

I downloaded the current most recent canary release (v2.0.7.100-2.0.7.100_canary_2023-12-27).

The warning text is pointing to a very old Mono release note (release 3.12.0):
http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
…which doesn’t have any instructions for macOS.
I’m running macOS 12.7.3 and have homebrew installed, including the ca-certificates package.

I located the ca-certificates/cert.pem at /usr/local/etc/ca-certificates.
When I try running

cert-sync /usr/local/etc/ca-certificates/cert.pem

I get an error message for each cert that couldn’t be imported. Something like:

Warning: Could not import C=US. O=CommScope Public Trust RSA Root-01
System.UnauthorizedAccessException: Access to the path "/usr/share/.mono" is denied.

/usr/share/.mono doesn’t exist on my system.
Instead, I ran

cert-sync --user /usr/local/etc/ca-certificates/cert.pem

…and 145 new root certificates were installed. Running a backup again completed without the warning.
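
Added example, not part of any post in this thread: a read-only shell check for the mismatch discussed above, where cert-sync --user fills one account's store while Duplicati in service mode runs as root. The store locations are assumptions about Mono's default layout (machine store under /usr/share/.mono, as in the error above; per-user store under ~/.config/.mono), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): count certificates in Mono trust stores.
# Assumption: cert-sync writes roots to <base>/new-certs/Trust (or the legacy
# <base>/certs/Trust), with <base> = /usr/share/.mono for the machine store
# and <home>/.config/.mono for the per-user store.

# count_store BASE -> prints the number of certificate files under BASE
count_store() {
    total=0
    for sub in new-certs/Trust certs/Trust; do
        dir="$1/$sub"
        [ -d "$dir" ] || continue
        n=$(find "$dir" -type f | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# account_has_roots HOME MACHINE_BASE -> exit 0 if a process running with
# that home directory can see at least one root certificate
account_has_roots() {
    user_n=$(count_store "$1/.config/.mono")
    machine_n=$(count_store "$2")
    [ $((user_n + machine_n)) -gt 0 ]
}

# report LABEL HOME MACHINE_BASE -> one status line per account
report() {
    if account_has_roots "$2" "$3"; then
        echo "$1: roots visible (user=$user_n machine=$machine_n)"
    else
        echo "$1: NO roots, expect CheckMonoSSL-MissingCerts"
    fi
}

# Run with --report to compare the login user with root (the service account
# in the launchd setup described above). /var/root is root's home on macOS;
# reading it requires sudo.
if [ "${1:-}" = "--report" ]; then
    machine=/usr/share/.mono
    report "current user ($(id -un))" "$HOME" "$machine"
    report "root" /var/root "$machine"
fi
```

Run it with --report under sudo so root's home is readable; an account that reports no roots is the one that needs cert-sync run under it.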