Failed to connect: Authentication failed, see inner exception

Direct testing of mono TLS connect is below, but I’ve never tried it on FTPS. I think that’s on port 990.

Secure Socket Layer (SSL) / Transport Layer Security (TLS)

has an example command line you can try to adapt, and some other mono troubleshooting information.

You can also try finding out what certificate chain QNAP is actually using. Maybe it’s not Let’s Encrypt?

openssl s_client -connect <host>:<port> and look at what kind of certificates QNAP is sending.
Start looking at the summary at top. Below is detail that we don’t care about now. Type Q to quit early.

Will look into this tomorrow.

Sure. Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 was first thought but may be off.

Example of a Let’s Encrypt cert chain leading to the now-infamous expired DST Root CA X3 certificate:

$ openssl s_client -connect api.backblazeb2.com:443 | head -15
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = backblazeb2.com
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = backblazeb2.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGjTCCBXWgAwIBAgISA7xwm70s7TitUqWIv8ZhKRnUMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjAyMDgwNjIxMzdaFw0yMjA1MDkwNjIxMzZaMBoxGDAWBgNVBAMT

Not looking good:

$ openssl s_client -connect myqnap:21
CONNECTED(00000003)
139987646113088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:

Maybe that’s because port 21 isn’t TLS by default? Explicit FTPS can do TLS over port 21, because at some point it asks the connection to change to TLS. Implicit FTPS is over port 990 and is purely TLS from the get-go. (At least that’s how I understand it.)

What happens if you test with port 990?

Alternatively, this suggests QNAP port 21 might switch to TLS if you add option -starttls ftp
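Why the port 21 test above ends in "wrong version number", as an added example that is not part of the original thread: a plaintext FTP server sends its greeting first, and a TLS client reads those bytes as a record header. The sample byte strings are constructed, the function names are hypothetical, and the header check is a simplified model of a TLS record layer, not OpenSSL's code.

```python
import socket

# Constructed sample inputs (not captured from the QNAP in this thread).
FTP_GREETING = b"220 FTP server ready\r\n"        # plaintext FTP speaks first
TLS_RECORD = b"\x16\x03\x03\x00\x5a\x02\x00\x00"  # handshake record, TLS 1.2

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data

# What to run next with openssl s_client, using only options from the thread.
NEXT_STEP = {
    "plaintext-ftp": "explicit FTPS: add -starttls ftp",
    "tls-record": "already TLS: plain s_client -connect",
    "silent": "server waits for ClientHello (implicit TLS): plain s_client -connect",
}

def record_version(data):
    """Bytes 1-2 of a TLS record header are the protocol version (major, minor)."""
    return data[1], data[2]

def classify_first_bytes(data):
    """Classify a server's first bytes as a TLS client's record layer would meet them."""
    if not data:
        return "no-data"
    if len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-ftp"      # three-digit FTP reply code such as 220
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        return "tls-record"         # valid content type and major version 3
    return "unknown"

def probe(host, port, timeout=3.0):
    """Connect, send nothing, and classify whatever the server sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(64)
        except socket.timeout:
            return "silent"         # nothing unsolicited: consistent with implicit TLS
    return classify_first_bytes(data)

if __name__ == "__main__":
    # The greeting's "20" lands where the version belongs: major 50, not 3.
    print(classify_first_bytes(FTP_GREETING), record_version(FTP_GREETING))
    print(classify_first_bytes(TLS_RECORD), record_version(TLS_RECORD))
```

Calling `probe("myqnap", 21)` against a live server and looking the result up in `NEXT_STEP` tells you which form of the `openssl s_client` command to use.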

Took some time to read up on SSL matters, so I have a somewhat clear view on anything QuFTP, i.e. the FTP server of QNAP. QuFTP offers two flavours: standard FTP and FTP with explicit SSL/TLS. I mistook the former for vanilla FTP, but the manual makes clear it features implicit SSL/TLS, and it seems to work with Duplicati. The standard installed certificate is self-signed by QNAP, and it does not work with Duplicati.

edit: I created/signed my own certificates, and explicit ssl/tls seems to work,

That shouldn’t be a problem. You just need to trust the certificate’s hash. (At least this is what I’ve done with other protocols that use a TLS layer, I haven’t done it with FTPS myself.)

What happens now when you go to page 2 of your backup destination, configure it for implicit FTPS (e.g., port 990), and then press the Test Connection button?

I didn’t get a chance to trust the hash: just an exception.

Can you set the “accept any certification” option again and re-test? Does it work when you have it set to port 990?

Explicit FTPS is working now with my new certificate. I can set the server to use port 21 or 990: they both work. I’m not sure whether it makes sense to “accept any SSL certificate”, but, yes, this works too.