Failed to connect: Authentication failed, see inner exception

I have spent some time with Duplicati, but it feels quite beta, so far? I am stuck on configuring an FTP backup, which says on testing a connection: Failed to connect: Authentication failed, see inner exception.
So, where can I see this inner exception?

Started from command line, exception trace is:

System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /build/mono-L7Ktbc/mono-6.8.0.105+dfsg/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00064] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x00106] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x0012a] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00346] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
  at System.Threading.Tasks.TaskToApm.End (System.IAsyncResult asyncResult) [0x00033] in <12b418a7818c4ca0893feeaaf67f1e7f>:0 
  at System.Net.Security.SslStream.EndAuthenticateAsClient (System.IAsyncResult asyncResult) [0x00000] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
  at System.Net.TlsStream.EndAuthenticateAsClient (System.IAsyncResult asyncResult) [0x00000] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
  at (wrapper remoting-invoke-with-check) System.Net.TlsStream.EndAuthenticateAsClient(System.IAsyncResult)
  at System.Net.FtpControlStream+<PipelineCallback>c__AnonStorey0.<>m__0 (System.IAsyncResult ar) [0x00000] in <a85c1a570f9a4f9f9c3d2cfa5504e34f>:0 
--- End of stack trace from previous location where exception was thrown ---

Hello and welcome to the forum!

Looks like this is a certificate validation issue. Are you using a self-signed certificate on your FTP server? Or is it from a trusted public CA?

I have no idea. I’m using an FTPS share of a QNAP NAS, straight out of the box. I can mount it in Ubuntu without problems.

Edit your backup job, go to page 2, and click the Test Connection button. You may be given the option to trust the certificate. Or let us know if you get some sort of error when you do the test.

That is exactly what I did.

Oh yes, I see. What OS is Duplicati installed on?

I am running Ubuntu 20.04.3 LTS

As a test can you try enabling the “accept any SSL certificate” option? It is listed under the Advanced Options area on page 2 of your backup config:


If this works then I do think it’s a trust issue. Your cert on the FTP server may be self-signed. If that’s the case we could lock it down a bit more by removing this option and just trusting the specific SSL cert hash.
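Pinning a specific certificate hash, as suggested above, starts with computing that certificate's fingerprint. The sketch below is an added example, not code from any poster or from Duplicati; the function names, the `HOST` placeholder and the choice of SHA-256 are assumptions, and the digest and format a given backup client expects should be checked against what that client displays.

```shell
#!/bin/sh
# Added example: pin one certificate by fingerprint instead of accepting any.
# To save the real server's certificate first (HOST is a placeholder;
# explicit FTPS on port 21 is an assumption):
#   openssl s_client -connect HOST:21 -starttls ftp </dev/null |
#       openssl x509 -outform PEM > nas.pem

# Print a PEM certificate's fingerprint as uppercase hex without colons.
# $1 = PEM file, $2 = digest name (sha1 or sha256)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Return 0 only if the certificate matches the pinned fingerprint.
# $1 = PEM file, $2 = digest name, $3 = pinned value (colons/case ignored)
pin_matches() {
    want=$(printf '%s' "$3" | tr -d ': ' | tr 'a-f' 'A-F')
    have=$(cert_fingerprint "$1" "$2")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Constructed stand-in for the NAS: a throwaway self-signed certificate.
# $1 = output PEM path, $2 = subject common name
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/nas.pem" nas.example
pin=$(cert_fingerprint "$tmp/nas.pem" sha256)
echo "fingerprint to pin: $pin"
pin_matches "$tmp/nas.pem" sha256 "$pin" && echo "pinned certificate accepted"
make_sample_cert "$tmp/other.pem" other.example
pin_matches "$tmp/other.pem" sha256 "$pin" || echo "different certificate rejected"
rm -rf "$tmp"
```

Unlike accepting any certificate, a pin fails closed when the server presents a different certificate, so it has to be updated whenever the NAS certificate is regenerated.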

The “accept any SSL certificate” option works for TLS 1.0, 1.1 and 1.2; it fails for TLS 1.3.

Is this essential, or can you just get certificates working on TLS 1.2? This may be a limitation of mono:

Update BoringSSL fork #8004

We are way behind on tracking boringssl - Git at Google in our fork and need to update it to track the latest changes including the TLS 1.3 support.

The old mono code might also be getting you into a problem with an expired certificate, but that’s TBD.

BoringSSL Bug: Cannot connect to websites using let’s encrypt SSL certificates #21253

Make sure that Ubuntu is fully updated. I had thought a newer ca-certificates package took care of this.

http://changelogs.ubuntu.com/changelogs/pool/main/c/ca-certificates/ca-certificates_20210119~20.04.2/changelog

ca-certificates (20210119~20.04.2) focal-security; urgency=medium

  [ Dimitri John Ledkov ]
  * mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
    (LP: #1944481)

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 22 Sep 2021 07:46:54 -0400

I cannot get certificates to work with whatever version of TLS.
I am running the latest version of ca-certificates.

Does /etc/ca-certificates.conf contain this line, including the exclamation point at start of line?

!mozilla/DST_Root_CA_X3.crt

Yes, it does contain this line.

Do you have /usr/bin/cert-sync which I think comes from ca-certificates-mono package?

EDIT:

$ apt content ca-certificates-mono
/.
/etc
/etc/ca-certificates
/etc/ca-certificates/update.d
/etc/ca-certificates/update.d/mono-keystore
/usr
/usr/bin
/usr/bin/cert-sync
/usr/lib
/usr/lib/mono
/usr/lib/mono/4.5
/usr/lib/mono/4.5/cert-sync.exe
/usr/share
/usr/share/doc
/usr/share/doc/ca-certificates-mono
/usr/share/doc/ca-certificates-mono/changelog.Debian.gz
/usr/share/doc/ca-certificates-mono/copyright

/etc/ca-certificates/update.d/mono-keystore is the hook from update-ca-certificates

File /usr/bin/cert-sync is there.
Otherwise, not what I expect:

$ apt content ca-certificates-mono
E: Invalid operation content

Not sure why that fails. How about version or any other way to see if package is installed?
Check /usr/bin/cert-sync, and look in /etc/ca-certificates/update.d/mono-keystore

$ dpkg -l | grep ca-certificates-mono
ii  ca-certificates-mono                                        6.8.0.105+dfsg-2                                    all          Common CA certificates (Mono keystore)

I suppose you could see the update-ca-certificates man page, and run it, just in case there’s an install order problem. I would hope that mono coming in later would obtain its certificates from current Linux though.

Somewhat less of an end-to-end update is to just run /etc/ca-certificates/update.d/mono-keystore

Running update-ca-certificates makes no difference.
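The trust-store checks suggested across this thread (the `!mozilla/DST_Root_CA_X3.crt` line, `/usr/bin/cert-sync`, and the `mono-keystore` hook) can be collected into one read-only script. This is an added example, not code from any poster or from Duplicati; the function names and the root-prefix argument are assumptions, introduced so the checks can run against a constructed sample tree.

```shell
#!/bin/sh
# Added example: read-only form of the trust-store checks from this thread.

# Report how ca-certificates.conf treats one entry. In that file "#" starts
# a comment and a leading "!" deselects the certificate.
# $1 = conf file, $2 = entry such as mozilla/DST_Root_CA_X3.crt
cert_state() {
    state=absent
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "#"*|"") continue ;;
            "!$2") state=deselected ;;
            "$2") state=selected ;;
        esac
    done < "$1"
    printf '%s\n' "$state"
}

# List which Mono sync pieces are missing under a root prefix
# ($1; pass "" for the live system). Empty output means both are present.
mono_sync_missing() {
    missing=""
    [ -x "$1/usr/bin/cert-sync" ] || missing="$missing cert-sync"
    [ -f "$1/etc/ca-certificates/update.d/mono-keystore" ] ||
        missing="$missing mono-keystore"
    printf '%s\n' "${missing# }"
}

# Return 0 when the entry is deselected and Mono's store can be resynced.
trust_store_ok() {
    [ "$(cert_state "$1/etc/ca-certificates.conf" "$2")" = deselected ] &&
        [ -z "$(mono_sync_missing "$1")" ]
}

# Build a constructed sample tree (not a real system) and print its path.
demo_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/ca-certificates/update.d" "$r/usr/bin"
    printf '%s\n' '# constructed sample' 'mozilla/ISRG_Root_X1.crt' \
        '!mozilla/DST_Root_CA_X3.crt' > "$r/etc/ca-certificates.conf"
    : > "$r/etc/ca-certificates/update.d/mono-keystore"
    : > "$r/usr/bin/cert-sync" && chmod +x "$r/usr/bin/cert-sync"
    printf '%s\n' "$r"
}

root=$(demo_root)
echo "DST Root CA X3: $(cert_state "$root/etc/ca-certificates.conf" mozilla/DST_Root_CA_X3.crt)"
echo "missing Mono pieces: $(mono_sync_missing "$root")"
rm -rf "$root"
```

On a real machine, `trust_store_ok "" mozilla/DST_Root_CA_X3.crt` runs the same checks against the live files. A pass only rules out the expired-root and missing-hook causes; a certificate that chains to no trusted CA still fails verification.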