Duplicati@stretch to Minio over TLS

Setting up Duplicati on Debian Stretch for backup to Minio over TLS 1.2

There are a lot of WinXX client-HowTos, none of them solves the pbl. for linux/debian/ubuntu based Clients.

Abstract

Using an LXC (maybe docker later on) Duplicati-Client to backup up local Data to a remote Minio-Server (S3) over LetsEncrypted TLS Connection.

Versions at the time of writing

Server:

  • buster (Debian Testing) with ZFS
  • Minio: 2018-09-12T18:49:56Z (docker)
  • LetsEncrypt set up as suggested @ minio-website

Client:

  • Stretch (Debian Stable) @ LXC
  • Duplicati 2.0.3.11_canary_2018-09-05
  • Mono from Stable, mono-runtime 4.6.2.7+dfsg-1

Mono 4.6 from Stretch is not working with Minio & TLS 1.2
Minio throwes TLS Error

minio_1  |
minio_1  | API: SYSTEM()
minio_1  | Time: 08:21:56 UTC 09/21/2018
minio_1  | Error: tls: client offered an unsupported, maximum protocol version of 301
minio_1  |        remoteAddr=xx.xx.xx.xx:16188, localAddr=xx.xx.xx.xx:443
minio_1  |        1: cmd/logger/logger.go:294:logger.LogIf()
minio_1  |        2: cmd/http/listener.go:243:http.(*httpListener).start.func2()

Duplicati throws Error:

A WebException with status SecureChannelFailure was thrown.

even with TLS tied to 1.2

allowed-ssl-versions TLS12

Solution: Update mono-runtime

Update to 5.14-xamarin3 from the mono-project.org

Configuring Backup

General

Name:       <Backup-Name>
Encryption: AES-256 (buildin)
Passphrase: <your-secret>

Destination

Storage Type:   S3 Compatible  
Use SSL:        Yes
Server:         Custom Server URL: <FQDN>
Bucket name:    <bucket-name>
Bucket create region: (default) ()
Storage class:  (default) ()
Folder path:    <Backup-Name>
AWS Access ID:  <MINIO_ACCESS_KEY>
AWS Access Key: <MINIO_SECRET_KEY>
…

HINT: the “Custom Server URL” does NOT take a URL-Format like https://.. – it takes an FQDN only.