macOS MailKit certificate check error: MailKit.Security.SslHandshakeException

doemaas · June 6, 2025, 2:20pm

Backup is fine by the way.

macOS Sequoia 15.5, M2
Duplicati 2.1.0.5_stable_2025-03-04
Run as service via launchctl
Mail response configured with starttls smtp
Other clients correctly use the same smtp server from the same machine, including openssl
Openssl shows no errors in certificates presented by the smtp server
It was, and still is, a Let’s Encrypt certificate chain on the smtp server side

History:

this setup worked fine before a gracefull sutdown of the machine for nearly 8 days (short vacation)
in that period the server certificates (Let’s Encrypt) were renewed, they show no errors and this is a normal, frequent process that never results in errors.
from the first backup after the start up of the machine it shows the MailKit error
A restart of the machine, a restart of the service, checking the smtp connection, checking the certificates, following the MailKit troubleshooting tips all look working fine and do not give any clue on what could be wrong.

What are options to investigate further? What certificate store does MailKit within Duplicati use? How to check that certificate store? How to debug this issue?

Any pointer to eable further investigation is appreciated.

Full Error message:

[Warning-Duplicati.Library.Modules.Builtin.ReportHelper-ReportSubmitError]: Failed to send message: MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection. The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons: 1. The server is using a self-signed certificate which cannot be verified. 2. The local system is missing a Root or Intermediate certificate needed to verify the server’s certificate. 3. The certificate presented by the server is expired or invalid. See MailKit/FAQ.md at master · jstedfast/MailKit · GitHub for possible solutions. → System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback. SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection. The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons: 1. The server is using a self-signed certificate which cannot be verified. 2. The local system is missing a Root or Intermediate certificate needed to verify the server’s certificate. 3. The certificate presented by the server is expired or invalid. See MailKit/FAQ.md at master · jstedfast/MailKit · GitHub for possible solutions.

doemaas · June 8, 2025, 3:00pm

The only thing I could do, against common sense, was adding the whole chain (server>R10>ISRG) to the system certs in keychain. That did not help.

Probably it’s something else and even not certificate related at all.

Anyone got a clue of how to investigate this further?

kenkendk · June 10, 2025, 8:35am

Those are good questions that I don’t have an immediate answer for. The MailKit library lives inside Duplicati, and there are no exposed logging/debugging features.

However, I did notice that Duplicati is using a rather outdated version of MailKit (2.4.1 from 2019 !).
Since that was made, a number of substantial changes have been made, including a transition to use the .NET TLS setup, so it should follow the OS key store.

My best guess as to what is happening is that LetsEncrypt has transitioned to something new (cert or TLS1.3 etc), and this is no longer working with the old MailKit library.

I have a PR that updates MailKit to the latest version which I assume fixes the problem.

doemaas · June 25, 2025, 9:30pm

Thanks!

What I totally forgot is that I have another version running on a QNAP NAS, the Duplicati version is 2.0.8.1_beta_2024-05-07 and that one is still sending the status emails with exactly the same mail response configuration. If nothing changed in the way Mailkit is handling things and how Duplicati is handling the Mailkit elements, you would think that one should also fail.

Which version can I use with the new Mailkit?

kenkendk · June 29, 2025, 5:52pm

I think the implementation of TLS on QNAP and macOS are different, so that might explain it. The 2.0.8.1 version is running with Mono, but the 2.1.0.5 is using .NETCore, so that is also a change.

That would be the latest canary build, 2.1.0.120