Latest Mono not supporting SSL correctly

Taomyn · February 25, 2020, 7:33am

Continuing the discussion from Fedora 31 and duplicati?:

Pulled this out of my previous topic where Duplicati still won’t install under Fedora 31 (and possibly other flavours), and see if anyone can help.

I use the SSL certificate options with Duplicati (currently running 2.0.5.103_canary_2020-02-18), and it was fine until I upgraded from Fedora 30 to 31. After overcoming the install issue I now hit a problem where the service crashes when I try to access the web GUI when HTTPS is enabled. Removing the service options to include a certificate and reverting to HTTP allows me access again. Backup appear to be unaffected though I need to check the logs later today.

I did find this bug report Mono 5.20.1.19 / httpcfg on Linux fails with "Operation is not supported on this platform." · Issue #14152 · mono/mono · GitHub which is a similar issue, with Mono being broken and possibly fixed just not released at the time.

It’s all beyond what I understand with Linux/Mono so maybe one of the more knowledgeable persons on this forum can make sense of it.

drwtsn32 · February 25, 2020, 11:45am

Hello, out of curiosity are you accessing Duplicati Web UI from across a network, or are you using https://localhost:8200 ?

Taomyn · February 25, 2020, 12:08pm

Both, from other PCs on the network and the duplicati_client app to perform GUI commands in a script, but each uses the fqdn of the machine as that’s the name on the certificate. Not sure if the command line client caused the crash, but accessing it from browser did. And this is a headless machine so not using a browser on it either.

Taomyn · May 12, 2020, 10:03am

Was finally able to upgrade Duplicati without needing to hack the RPM for my Fedora 31 server (the dependencies were all screwed before) to v2.0.5.106-2.0.5.106_canary_2020-05-11, but this issue with my certificate not working is still present.

This is the service command:

ExecStart=/usr/bin/mono /usr/lib/duplicati/Duplicati.Server.exe --webservice-interface=any --webservice-sslcertificatefile=/usr/share/Duplicati/maggie.mydomain.com.pfx --webservice-sslcertificatepassword=12345

This is the information from the logs when the service attempts to run:

May 12 11:48:32 MAGGIE.mydomain.com mono[1490294]: A serious error occurred in Duplicati: System.PlatformNotSupportedException: Operation is not supported on this platform.
May 12 11:48:32 MAGGIE.mydomain.com mono[1490294]:   at Duplicati.Server.Database.ServerSettings.get_ServerSSLCertificate () [0x00115] in <6afe22724f244985bae35015d56196db>:0
May 12 11:48:32 MAGGIE.mydomain.com mono[1490294]:   at Duplicati.Server.WebServer.Server..ctor (System.Collections.Generic.IDictionary`2[TKey,TValue] options) [0x002a4] in <6afe22724f244985bae35015d56196db>:0
May 12 11:48:32 MAGGIE.mydomain.com mono[1490294]:   at Duplicati.Server.Program.StartWebServer (System.Collections.Generic.Dictionary`2[TKey,TValue] commandlineOptions) [0x00000] in <6afe22724f244985bae35015d56196db>:0
May 12 11:48:32 MAGGIE.mydomain.com mono[1490294]:   at Duplicati.Server.Program.RealMain (System.String[] _args) [0x00227] in <6afe22724f244985bae35015d56196db>:0
May 12 11:48:32 MAGGIE.mydomain.com systemd[1]: duplicati.service: Main process exited, code=exited, status=100/n/a

Scare · May 12, 2020, 10:22am

Hi!
I just posted the same issue yesterday , so probably is something recent.

I found the problem is not something related to Mono, but seems caused from data reading from the database.
I found a workaround: before starting duplicati, I cleanup the “server-ssl-certificate” option inside the Duplicati-server.sqlite db:

update option set value='' where Name='server-ssl-certificate';

You should do every time, before starting the server.

Taomyn · May 12, 2020, 11:41am

Hi, thanks for the information. I will try that later, but does still allow SSL to work because clearing the value seems counter-intuitive?

Scare · May 12, 2020, 12:13pm

Yes, it will work again as you will pass the .pfx (and the password) in your service start string.
I didn’t check the code yet (I just discovered Duplicati few days ago and I’m really a newbie), but I suppose it doesn’t like to overwrite the ssl option if that is already set.

Taomyn · May 13, 2020, 7:42am

Just realised, I don’t know how to access a SQLite db in Linux, have only ever done it in Windows to run some commands and that was a with a GUI app. Is there is a command-line equivalent?

Also, have you reported this on their Github as a bug? Issues · duplicati/duplicati · GitHub I’ll happily add my comments/experience if you do.

Neil · July 24, 2020, 7:41pm

Hi,

You can access a SqliteDb from the command line like so:

sqlite3 /path/to/db

You can also install the sqlite3 browser app if you prefer a GUI.

If it helps, here’s the systemd service file that I used to start/stop Duplicati on my CentOS 8 server…

Create /etc/systemd/system/duplicati.service with the following contents:

[Unit]
Description=duplicati back-up service

[Service]
Environment=INSTALLDIR=/usr/lib/duplicati
Environment=LD_LIBRARY_PATH="${INSTALLDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
Environment=MONO_PATH="${MONO_PATH}:${INSTALLDIR}"

PreExecStart=/usr/bin/sqlite3 /root/.config/Duplicati/Duplicati-server.sqlite "update option set value='' where Name='server-ssl-certificate';"
ExecStart=/usr/bin/duplicati-server --webservice-port=8200 --webservice-interface=0.0.0.0 --webservice-sslcertificatefile=/opt/certs/archive.pfx --log-file=/var/log/duplicati.log

[Install]
WantedBy=multi-user.target

As you can see I have added a PreExecStart command to invoke sqlite3 before starting Duplicati to clear the setting from the database automatically.

Now start and enable the service:

systemctl start duplicati
systemctl enable duplicati

Hope this helps,

Neil.

bobbie · July 26, 2020, 1:56pm

Hi Neil,
thanks a lot for your post: Your workaround worked great for me! (opensuse 15.2, duplicati 2.0.5.108, mono 6.8.0)
bobbie

Taomyn · July 27, 2020, 8:11am

Thanks, worked a treat for me on Fedora, had to run systemctl daemon-reload before starting the changed service but after that HTTPS is ok again.

Taomyn · July 27, 2020, 9:50am

Oh and it was ExecStartPre not PreExecStart - perhaps it’s a Fedora thing, but no error seems to be thrown when using the wrong one, only the fact that SSL still fails because it didn’t run the fix.

bobbie · July 27, 2020, 4:57pm

You’re right: It should be “ExecStartPre” (also with openSUSE); just worked it out after rebooting my server

Taomyn · July 28, 2020, 5:46am

It was the same for me, the manual test obviously fixed the issue for the next service run, but on a reboot after installing some OS updates it was broken again

Neil · July 28, 2020, 12:42pm

Apologies, it should have been ExecStartPre

Neil · July 28, 2020, 12:44pm

Reposting with correct service file:

[Unit]
Description=duplicati back-up service

[Service]
Environment=INSTALLDIR=/usr/lib/duplicati
Environment=LD_LIBRARY_PATH="${INSTALLDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
Environment=MONO_PATH="${MONO_PATH}:${INSTALLDIR}"

ExecStartPre=/usr/bin/sqlite3 /root/.config/Duplicati/Duplicati-server.sqlite "update option set value='' where Name='server-ssl-certificate';"
ExecStart=/usr/bin/duplicati-server --webservice-port=8200 --webservice-interface=0.0.0.0 --webservice-sslcertificatefile=/opt/certs/archive.pfx --log-file=/var/log/duplicati.log

[Install]
WantedBy=multi-user.target