This post is to both help resolve my issue and to document the solutions I’ve found for anyone searching in the future.
Until recently, all of my Duplicati clients (2 Ubuntu or derivative, 1 Windows 10) would successfully send mail reports to me using a private, local mail server. A new service I deployed to my environment required this mail server to be configured with SSL, and since I already had a functioning certificate authority (CA), I generated and installed a self-signed certificate on the mail server. This allowed me to continue with the new service, but it unintentionally (though logically) caused
MailKit.Security.SslHandshakeException errors on all Duplicati clients.
Resolving the problem was simple on the Ubuntu clients. On each client, I added the CA certificate to the machine trust store (specifically
/usr/local/share/ca-certificates/ to keep them separate from distro-provided certs in
/etc/ssl/certs/), then ran the following to update the combined list of trusted certs for the client OS and Mono, respectively.
sudo update-ca-certificates sudo cert-sync /etc/ssl/certs/ca-certificates.crt
I have not been able to identify a solution for the Windows 10 client. I have verified that the client trusts the same CA certificate, as I’m able to access a private HTTPS web service signed with the same CA using Microsoft Edge. The certificate was previously added to a Windows trust store on the client. I am also confident the problem is due to the certificate, as adding
?starttls=never to the
--send-mail-url option results in successful receipt of a mail report.
This StackOverflow post seems to be the best explanation of the problem I’ve found so far. MailKit, which I understand Duplicati uses for mail processing, uses a hard-coded list of trusted CAs, which doesn’t include my local CA. The only way I’ve found to update this list on Windows is to modify MailKit code somewhere, but I am both unsure where the changes need to be made and also reluctant to make such drastic changes that would most certainly be overwritten during updates.
I am no expert with SSL. I understand there are multiple certificate stores on Windows, and I may have simply added my CA certificate to the wrong one. I may also be missing an obvious solution.
What is the recommended way to get a Windows 10 Duplicati client to connect to a mail server configured with a self-signed certificate yet still remain as secure as possible?