macOS MailKit certificate check error: MailKit.Security.SslHandshakeException

Backup is fine by the way.

  • macOS Sequoia 15.5, M2
  • Duplicati 2.1.0.5_stable_2025-03-04
  • Run as service via launchctl
  • Mail response configured with STARTTLS SMTP
  • Other clients correctly use the same SMTP server from the same machine, including OpenSSL
  • OpenSSL shows no errors in the certificates presented by the SMTP server
  • It was, and still is, a Let’s Encrypt certificate chain on the SMTP server side

History:

  • This setup worked fine before a graceful shutdown of the machine for nearly 8 days (short vacation).
  • In that period the server certificates (Let’s Encrypt) were renewed; they show no errors, and this is a normal, frequent process that never results in errors.
  • From the first backup after the start-up of the machine, it shows the MailKit error.
  • A restart of the machine, a restart of the service, checking the SMTP connection, checking the certificates, following the MailKit troubleshooting tips: all look fine and give no clue as to what could be wrong.

What are options to investigate further? What certificate store does MailKit within Duplicati use? How to check that certificate store? How to debug this issue?

Any pointer to enable further investigation is appreciated.

Full Error message:

  • [Warning-Duplicati.Library.Modules.Builtin.ReportHelper-ReportSubmitError]: Failed to send message: MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection. The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons: 1. The server is using a self-signed certificate which cannot be verified. 2. The local system is missing a Root or Intermediate certificate needed to verify the server’s certificate. 3. The certificate presented by the server is expired or invalid. See MailKit/FAQ.md at master · jstedfast/MailKit · GitHub for possible solutions. → System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback. SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection. The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons: 1. The server is using a self-signed certificate which cannot be verified. 2. The local system is missing a Root or Intermediate certificate needed to verify the server’s certificate. 3. The certificate presented by the server is expired or invalid. See MailKit/FAQ.md at master · jstedfast/MailKit · GitHub for possible solutions.

The only thing I could do, against common sense, was adding the whole chain (server>R10>ISRG) to the system certificates in Keychain. That did not help.

Probably it’s something else, and perhaps not certificate-related at all.

Anyone got a clue of how to investigate this further?
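The generic SslHandshakeException text in the report hides the detail that actually answers the question above: which link of the chain .NET rejected, and with what status. The following console program is an added example, not code from the post or from Duplicati. It connects to an SMTP server with STARTTLS through the same MailKit library and hooks MailKit's ServerCertificateValidationCallback to log the leaf certificate, the chain that .NET built from the handshake plus the local trust store, and every ChainStatus flag, before returning the real verdict. The host and port are placeholders to fill in; the program assumes the MailKit NuGet package is referenced.

```csharp
// Added example (not from the forum post or Duplicati): log why .NET rejected
// the SMTP server's certificate instead of only seeing MailKit's generic text.
// Host/Port are placeholders; replace them with your own STARTTLS server.
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using MailKit.Net.Smtp;
using MailKit.Security;

class TlsProbe
{
    const string Host = "smtp.example.com"; // placeholder, not a real server
    const int Port = 587;                   // assumed STARTTLS submission port

    // Same signature as MailKit's ServerCertificateValidationCallback
    // (System.Net.Security.RemoteCertificateValidationCallback).
    static bool LogAndValidate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
        Console.WriteLine($"SslPolicyErrors: {sslPolicyErrors}");

        var leaf = new X509Certificate2(certificate);
        Console.WriteLine($"Leaf: {leaf.Subject}");
        Console.WriteLine($"  Issuer:    {leaf.Issuer}");
        Console.WriteLine($"  NotBefore: {leaf.NotBefore:u}  NotAfter: {leaf.NotAfter:u}");
        Console.WriteLine($"  SHA-256:   {leaf.GetCertHashString(HashAlgorithmName.SHA256)}");

        // The chain .NET built from the certificates sent in the handshake plus
        // the local trust store. ChainStatus names the failing link precisely:
        // UntrustedRoot or PartialChain point at the trust store, NotTimeValid at
        // validity dates or the clock, RevocationStatusUnknown at revocation checks.
        Console.WriteLine($"Chain elements: {chain.ChainElements.Count}");
        foreach (var element in chain.ChainElements)
        {
            Console.WriteLine($"  - {element.Certificate.Subject}");
            foreach (var status in element.ChainElementStatus)
                Console.WriteLine($"      {status.Status}: {status.StatusInformation.Trim()}");
        }
        foreach (var status in chain.ChainStatus)
            Console.WriteLine($"Chain status: {status.Status}: {status.StatusInformation.Trim()}");

        // Observe only: never return true to silence a failure you have not understood.
        return sslPolicyErrors == SslPolicyErrors.None;
    }

    static void Main()
    {
        using var client = new SmtpClient();
        client.ServerCertificateValidationCallback = LogAndValidate;
        try
        {
            client.Connect(Host, Port, SecureSocketOptions.StartTls);
            Console.WriteLine("TLS handshake succeeded; certificate accepted by .NET.");
            client.Disconnect(true);
        }
        catch (SslHandshakeException ex)
        {
            // The inner exception carries the AuthenticationException seen in the report.
            Console.WriteLine($"Handshake failed: {ex.Message}");
            if (ex.InnerException != null)
                Console.WriteLine($"Inner: {ex.InnerException.GetType().Name}: {ex.InnerException.Message}");
        }
    }
}
```

Run it on the same machine and under the same account as the Duplicati service, since the trust store .NET consults is the one visible to that user; a chain that verifies for an interactive user but fails for the launchctl service user is exactly the case a plain openssl s_client check will not reveal.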

Those are good questions that I don’t have an immediate answer for. The MailKit library lives inside Duplicati, and there are no exposed logging/debugging features.

However, I did notice that Duplicati is using a rather outdated version of MailKit (2.4.1, from 2019!).
Since that was made, a number of substantial changes have been made, including a transition to using the .NET TLS setup, so it should follow the OS key store.

My best guess as to what is happening is that Let’s Encrypt has transitioned to something new (cert or TLS 1.3, etc.), and this is no longer working with the old MailKit library.

I have a PR that updates MailKit to the latest version which I assume fixes the problem.