Release: 2.0.6.100 (canary) 2021-08-11

2.0.6.100-2.0.6.100_canary_2021-08-11

  • Switched to improved CI model, thanks @warwickmm
  • Fixed issue with reporting wasted space, thanks @aureliandevel
  • Fixed throttling requests to OneDrive and respecting the server retry-after headers, thanks @tygill
  • File backend now overwrites files, thanks @warwickmm
  • Added .dar files to list of compressed file extensions, thanks @samuel-w
  • Fixed typos in example scripts, thanks @warwickmm
  • The Makefile now calls msbuild, thanks @warwickmm
  • When testing for known compressed file extensions, the compare is now case-insensitive, thanks @samuel-w
  • Improved code quality, thanks @marodev
  • Fixed an issue with handling the deprecated Azure and S3 options, thanks @warwickmm
  • Avoid using ECDSA algorithm for SFTP if the client does not support it, thanks @warwickmm
  • Added SAS token support to Azure backend, thanks @sergethedev17
  • Improved test method for aFTP backend, thanks @sergethedev17
  • Added support for mega.nz 2fa, thanks @vfrz
  • Changed from Tardigrade backend to Storj DCS backend, thanks @TopperDEL
  • Removed BouncyCastle dependency and now using .Net built-in parsing of SSL certificates, thanks @mnaiman
  • Regex filters now match newlines in paths with wildcards, thanks @warwickmm
  • Reduced number of cases where database cleanup is triggered, thanks @warwickmm
  • Fixed a dispose bug in most backends introduced with PutAsync, thanks @warwickmm
  • Updated UI to more prominently display deprecation information, thanks @warwickmm
  • Fixed handling of special characters in paths on the aFTP backend, thanks @warwickmm

Trying this out on my systems. Updated the previous canary on my Fedora server, all is well, but now trying a Raspberry Pi and it’s failing on the certificate:

Aug 11 15:34:54 ralph systemd[1]: Started Duplicati web-server.
Aug 11 15:34:56 ralph duplicati-server[7719]: A serious error occurred in Duplicati: System.Security.Cryptography.CryptographicException: Unable to decode certificate. ---> System.Security.Cryptography.CryptographicException: `MonoBtlsPkcs12.Import` failed.
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.MonoBtlsObject.CheckError (System.Boolean ok, System.String callerName) [0x00022] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.MonoBtlsObject.CheckError (System.Int32 ret, System.String callerName) [0x00000] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.MonoBtlsPkcs12.Import (System.Byte[] buffer, Microsoft.Win32.SafeHandles.SafePasswordHandle password) [0x00033] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.X509CertificateImplBtls.ImportPkcs12 (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password) [0x00054] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.X509CertificateImplBtls.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x0004f] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:    --- End of inner exception stack trace ---
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.X509CertificateImplBtls.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x0007c] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.MonoBtlsProvider.GetNativeCertificate (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags flags) [0x00007] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.Btls.X509PalImplBtls.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00006] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) [0x00021] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.Byte[] rawData, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00017] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor (System.Byte[] rawData, System.String password) [0x00011] in <a9a08e39ba304bd0a84c49bd158dfc02>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Duplicati.Server.Database.ServerSettings.get_ServerSSLCertificate () [0x00050] in <3752ce5d8337471da6b77129cfa4bdbe>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Duplicati.Server.WebServer.Server..ctor (System.Collections.Generic.IDictionary`2[TKey,TValue] options) [0x002a4] in <3752ce5d8337471da6b77129cfa4bdbe>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Duplicati.Server.Program.StartWebServer (System.Collections.Generic.Dictionary`2[TKey,TValue] commandlineOptions) [0x00000] in <3752ce5d8337471da6b77129cfa4bdbe>:0
Aug 11 15:34:56 ralph duplicati-server[7719]:   at Duplicati.Server.Program.RealMain (System.String[] _args) [0x00227] in <3752ce5d8337471da6b77129cfa4bdbe>:0
Aug 11 15:34:56 ralph systemd[1]: duplicati.service: Main process exited, code=exited, status=100/n/a

If I revert it to HTTP then it’s fine so I know it’s basically ok, just having issues with the certificate. I have fully updated the Pi OS just in case and it didn’t fix it.

**Update:** so far so good with Windows, so just the Debian release is causing me problems and only if I try to use a certificate

@mnaiman, could this be related to the certificate changes here?

Do you have RSA or EC private key for certificate?

I’m using Ubuntu and docker version (based on debian:buster). RSA is supported by Mono, EC are not (maybe in .NET Core version will be).

One more instruction, you may have saved certificate in database which can’t be loaded now. So please try to run Duplicati with --webservice-sslcertificatefile=
empty parameter should clear certificate from database and then import it again.
There should be warning in log based on this line

I think it’s RSA, it was generated by my local Microsoft CA server.

That did the trick thanks, the webservice is working again with HTTPS, however I still see this message but also on my Fedora server:

RPi


System.AggregateException: One or more errors occurred. (Unable to write data to the transport connection: The socket has been shut down.) ---> System.IO.IOException: Unable to write data to the transport connection: The socket has been shut down. ---> System.Net.Sockets.SocketException: The socket has been shut down
  at System.Net.Sockets.Socket.Send (System.Byte[] buffer, System.Int32 offset, System.Int32 size, System.Net.Sockets.SocketFlags socketFlags) [0x0001a] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x000b4] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
   --- End of inner exception stack trace ---
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x00107] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.<InnerWrite>m__0 () [0x00006] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at System.Threading.Tasks.Task.InnerInvoke () [0x00012] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
  at System.Threading.Tasks.Task.Execute () [0x00000] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
--- End of stack trace from previous location where exception was thrown ---

  at Mono.Net.Security.MobileAuthenticatedStream.InnerWrite (System.Boolean sync, System.Threading.CancellationToken cancellationToken) [0x00100] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x001c5] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x000a4] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.StartOperation (Mono.Net.Security.MobileAuthenticatedStream+OperationType type, Mono.Net.Security.AsyncProtocolRequest asyncRequest, System.Threading.CancellationToken cancellationToken) [0x00314] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
   --- End of inner exception stack trace ---
  at System.Threading.Tasks.Task.ThrowIfExceptional (System.Boolean includeTaskCanceledExceptions) [0x00014] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
  at System.Threading.Tasks.Task.Wait (System.Int32 millisecondsTimeout, System.Threading.CancellationToken cancellationToken) [0x00052] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
  at System.Threading.Tasks.Task.Wait () [0x00000] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 count) [0x00019] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at System.Net.Security.SslStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 count) [0x00006] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at HttpServer.HttpClientContext.Send (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x00039] in <bed89f1655ee48029f6d6812f54c58ad>:0 
  at HttpServer.HttpResponse.Send () [0x0007f] in <bed89f1655ee48029f6d6812f54c58ad>:0 
  at Duplicati.Server.WebServer.BodyWriter.Dispose (System.Boolean disposing) [0x00029] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at System.IO.TextWriter.Dispose () [0x00000] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
  at Duplicati.Server.WebServer.BodyWriter.WriteJsonObject (System.Object o) [0x00068] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at Duplicati.Server.WebServer.BodyWriter.OutputOK (System.Object result) [0x00006] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at (wrapper remoting-invoke-with-check) Duplicati.Server.WebServer.BodyWriter.OutputOK(object)
  at Duplicati.Server.WebServer.RESTMethods.Backups.GET (System.String key, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x0003e] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at Duplicati.Server.WebServer.RESTHandler.DoProcess (Duplicati.Server.WebServer.RESTMethods.RequestInfo info, System.String method, System.String module, System.String key) [0x00146] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
---> (Inner Exception #0) System.IO.IOException: Unable to write data to the transport connection: The socket has been shut down. ---> System.Net.Sockets.SocketException: The socket has been shut down
  at System.Net.Sockets.Socket.Send (System.Byte[] buffer, System.Int32 offset, System.Int32 size, System.Net.Sockets.SocketFlags socketFlags) [0x0001a] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x000b4] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
   --- End of inner exception stack trace ---
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x00107] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.<InnerWrite>m__0 () [0x00006] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at System.Threading.Tasks.Task.InnerInvoke () [0x00012] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
  at System.Threading.Tasks.Task.Execute () [0x00000] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 
--- End of stack trace from previous location where exception was thrown ---

  at Mono.Net.Security.MobileAuthenticatedStream.InnerWrite (System.Boolean sync, System.Threading.CancellationToken cancellationToken) [0x00100] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x001c5] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x000a4] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.StartOperation (Mono.Net.Security.MobileAuthenticatedStream+OperationType type, Mono.Net.Security.AsyncProtocolRequest asyncRequest, System.Threading.CancellationToken cancellationToken) [0x00314] in <a9a08e39ba304bd0a84c49bd158dfc02>:0 <---

Fedora


System.AggregateException: One or more errors occurred. (Unable to write data to the transport connection: The socket has been shut down.) ---> System.IO.IOException: Unable to write data to the transport connection: The socket has been shut down. ---> System.Net.Sockets.SocketException: The socket has been shut down
  at System.Net.Sockets.Socket.Send (System.Byte[] buffer, System.Int32 offset, System.Int32 size, System.Net.Sockets.SocketFlags socketFlags) [0x0001a] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x00075] in <3f672a941b5f466fb5dc321b3015c863>:0 
   --- End of inner exception stack trace ---
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x000be] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.<InnerWrite>m__0 () [0x00006] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at System.Threading.Tasks.Task.InnerInvoke () [0x00012] in <d57a575dd6be4193a54eb87783bbd39c>:0 
  at System.Threading.Tasks.Task.Execute () [0x00000] in <d57a575dd6be4193a54eb87783bbd39c>:0 
--- End of stack trace from previous location where exception was thrown ---

  at Mono.Net.Security.MobileAuthenticatedStream.InnerWrite (System.Boolean sync, System.Threading.CancellationToken cancellationToken) [0x00100] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x001d2] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x000a4] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.StartOperation (Mono.Net.Security.MobileAuthenticatedStream+OperationType type, Mono.Net.Security.AsyncProtocolRequest asyncRequest, System.Threading.CancellationToken cancellationToken) [0x00314] in <3f672a941b5f466fb5dc321b3015c863>:0 
   --- End of inner exception stack trace ---
  at System.Threading.Tasks.Task.ThrowIfExceptional (System.Boolean includeTaskCanceledExceptions) [0x00014] in <d57a575dd6be4193a54eb87783bbd39c>:0 
  at System.Threading.Tasks.Task.Wait (System.Int32 millisecondsTimeout, System.Threading.CancellationToken cancellationToken) [0x00052] in <d57a575dd6be4193a54eb87783bbd39c>:0 
  at System.Threading.Tasks.Task.Wait () [0x00000] in <d57a575dd6be4193a54eb87783bbd39c>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 count) [0x00019] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at System.Net.Security.SslStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 count) [0x00006] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at HttpServer.HttpClientContext.Send (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x00039] in <bed89f1655ee48029f6d6812f54c58ad>:0 
  at HttpServer.HttpResponse.Send () [0x0007f] in <bed89f1655ee48029f6d6812f54c58ad>:0 
  at Duplicati.Server.WebServer.BodyWriter.Dispose (System.Boolean disposing) [0x00029] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at System.IO.TextWriter.Dispose () [0x00000] in <d57a575dd6be4193a54eb87783bbd39c>:0 
  at Duplicati.Server.WebServer.BodyWriter.WriteJsonObject (System.Object o) [0x00068] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at Duplicati.Server.WebServer.BodyWriter.OutputOK (System.Object result) [0x00006] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at (wrapper remoting-invoke-with-check) Duplicati.Server.WebServer.BodyWriter.OutputOK(object)
  at Duplicati.Server.WebServer.RESTMethods.Backups.GET (System.String key, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x0003e] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
  at Duplicati.Server.WebServer.RESTHandler.DoProcess (Duplicati.Server.WebServer.RESTMethods.RequestInfo info, System.String method, System.String module, System.String key) [0x00146] in <3752ce5d8337471da6b77129cfa4bdbe>:0 
---> (Inner Exception #0) System.IO.IOException: Unable to write data to the transport connection: The socket has been shut down. ---> System.Net.Sockets.SocketException: The socket has been shut down
  at System.Net.Sockets.Socket.Send (System.Byte[] buffer, System.Int32 offset, System.Int32 size, System.Net.Sockets.SocketFlags socketFlags) [0x0001a] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x00075] in <3f672a941b5f466fb5dc321b3015c863>:0 
   --- End of inner exception stack trace ---
  at System.Net.Sockets.NetworkStream.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 size) [0x000be] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.<InnerWrite>m__0 () [0x00006] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at System.Threading.Tasks.Task.InnerInvoke () [0x00012] in <d57a575dd6be4193a54eb87783bbd39c>:0 
  at System.Threading.Tasks.Task.Execute () [0x00000] in <d57a575dd6be4193a54eb87783bbd39c>:0 
--- End of stack trace from previous location where exception was thrown ---

  at Mono.Net.Security.MobileAuthenticatedStream.InnerWrite (System.Boolean sync, System.Threading.CancellationToken cancellationToken) [0x00100] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x001d2] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x000a4] in <3f672a941b5f466fb5dc321b3015c863>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.StartOperation (Mono.Net.Security.MobileAuthenticatedStream+OperationType type, Mono.Net.Security.AsyncProtocolRequest asyncRequest, System.Threading.CancellationToken cancellationToken) [0x00314] in <3f672a941b5f466fb5dc321b3015c863>:0 <---

Perfect.

Can’t replicate these logs on my Linux machines.
Any steps to be taken to replicate?
Everything is working or something is broken?

Everything appears to be normal since I sorted the certificate, and last night’s backups all went fine as far as I can tell. Those messages simply appear shortly after the service is started on both Fedora and RPi, so there’s nothing I am performing that makes them happen.

For reference, on the Fedora 34 server the service file contains the following, and also explains why it did not have a certificate issue (I’d completely forgotten that it had the problem once before and this was the recommended fix, so I might try it on the RPi):

[Unit]
Description=Duplicati Backup software

[Service]
ExecStartPre=/usr/bin/sqlite3 /root/.config/Duplicati/Duplicati-server.sqlite "update option set value='' where Name='server-ssl-certificate';"
ExecStart=/usr/bin/mono /usr/lib/duplicati/Duplicati.Server.exe --webservice-interface=any --webservice-sslcertificatefile=/usr/share/Duplicati/maggie.mydomain.com.pfx --webservice-sslcertificatepassword=*****
# ExecStart=/usr/bin/mono /usr/lib/duplicati/Duplicati.Server.exe --webservice-interface=any
Restart=on-failure
RestartSec=30
Environment=SYSTEMD_LOG_LEVEL=debug

[Install]
WantedBy=multi-user.target

On the RPi-4 machines it’s currently as follows:

[Unit]
Description=Duplicati web-server
After=network.target

[Service]
Nice=19
IOSchedulingClass=idle
EnvironmentFile=-/etc/default/duplicati
ExecStart=/usr/bin/duplicati-server $DAEMON_OPTS
Restart=always

[Install]
WantedBy=multi-user.target

And its options file:

# Defaults for duplicati initscript
# sourced by /etc/init.d/duplicati
# installed at /etc/default/duplicati by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Additional options that are passed to the Daemon.
DAEMON_OPTS="--webservice-port=8200 --webservice-interface=any --webservice-sslcertificatefile=/usr/share/Duplicati/ralph.mydomain.com.pfx --webservice-sslcertificatepassword=*****"
# DAEMON_OPTS="--webservice-port=8200 --webservice-interface=any --webservice-sslcertificatefile="
# DAEMON_OPTS="--webservice-port=8200 --webservice-interface=any"

I think as of 2.0.6.100 you cant stop doing ExecStartPre=/usr/bin/sqlite3 /root/.config/Duplicati/Duplicati-server.sqlite "update option set value='' where Name='server-ssl-certificate';"

Even better ExecStart=/usr/bin/mono /usr/lib/duplicati/Duplicati.Server.exe --webservice-interface=any --webservice-sslcertificatefile=/usr/share/Duplicati/maggie.mydomain.com.pfx --webservice-sslcertificatepassword=***** is needed only for new/change certificate

For normal operations ExecStart=/usr/bin/mono /usr/lib/duplicati/Duplicati.Server.exe --webservice-interface=any is sufficient.

Try that and see if it stops producing errors.

Thanks, will try that and report back - I need to do my weekly updates so will add this as part of that little job

I’m afraid it’s made no difference - some time after the service is started the same errors get logged, at least on the RPi I was monitoring

Many comments about certificates. I wish there would be option to allow specific certificates by fingerprint, instead of using trust chain. It would provide better security + allow using self-signed certificates.

Btw. I didn’t realize the aftp is an option with Windows as well as on Linux. I think I’ll switch my backups to use aftp on Windows as well. Why? Because with Linux that seemed to solve quite many annoying ftps related issues. I also suspect that the Duplicati “hangs forever” issue might be ftp related. - Actually bad ftp lib could be the reason for the agonizing problems I’ve been dealing with. If it has broken error handling, it’s all that it takes to break down the system.

Just to clarify, the errors here are for hosting an SSL/TLS certificate on the server UI. I think you are commenting on certificates on backends.

For the server certificate, the update in this Canary is removing the previous SSL certificate loader and using a new one that does not depend on an external library. Seems the workaround is to clear the certificate and load it again.

For the backend certificates the client (i.e. Duplicati) has an option to set --accept-specified-ssl-hash which is supported by most backends, including the built-in FTP library. Unfortunately, some of the backends handle the HTTPS connection internally, making it hard to supply this support for all.


So it’s not gone very well. On Friday evening it went wrong again so on Saturday I switched all 4 *nix machines to use the same methods to start the service. A .service file that had preExecStart to clear the certificate then an ExecStart that would load the certificate. I also used a “default” file to load the options for the service start. All started up.

It seemed to go well but I didn’t expect much to happen as there are no backups scheduled for these machines over the weekend, but I awoke on Sunday morning to all 4 machines being shown by Zabbix as CPU overloaded and the https:8200 UI not accessible. On all the machines the mono processes were taking 100% CPU on each core, with the log files showing the exact same errors already reported. No backups were scheduled or running so whatever was the cause was internal to Duplicati from something else that is automated.

I have now switched all 4 to just non-SSL using http:8200 and so far for over 24hrs not a single problem including the scheduled backups which have all been successful so far.

Still no issues under Windows btw.

Only the non-windows code paths were affected. Unfortunately, I don’t have the ability to test this. @mnaiman, it sounds like you’re not able to reproduce this? Could there be a mono version issue?

Right, tested it and it worked perfectly and it also works. Just one wish, when log-level is high, and the check fails, it would be nice to see what the correct hash is for TOFU. No, it wasn’t a problem for me, because I manage my servers and I can check the OpenSSL cert file without any problems using --fingerprint, but it might be a problem for someone. Also with ftps explicit you can’t use direct OpenSSL connection to port to check cert fingerprint. On top of that, I generally dislike error messages like “Fail, X is wrong”. I prefer version “X is not Y as expected, aborting”.

This was a good improvement compared to accept-any-ssl-certificate. I guess the specific cert option didn’t exist back when I wrote the scripts.
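
An added example, not part of the thread and not Duplicati's own code: a fingerprint-pinning check of the kind discussed above for --accept-specified-ssl-hash, which on a mismatch reports the certificate's actual hash next to the expected one so the value can be recorded for TOFU. The function names and the sample certificate bytes are constructed for illustration, and it is an assumption that the pinned value is a SHA-1 or SHA-256 hex digest of the DER-encoded certificate.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length -> hash algorithm. Assumption: the pinned value is a SHA-1
# (40 hex chars) or SHA-256 (64 hex chars) digest of the DER certificate.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

# Constructed sample input: arbitrary bytes standing in for a DER certificate.
# A fingerprint is a hash over the encoded bytes, so no real certificate is needed.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"


def normalize_fingerprint(text):
    """Drop ':' / '-' / whitespace separators and upper-case a hex fingerprint."""
    cleaned = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("fingerprint is not hexadecimal: %r" % text)
    return cleaned


def der_to_pem(cert_der):
    """Wrap DER bytes in PEM armour (used here to build the sample PEM)."""
    body = base64.encodebytes(cert_der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Extract the first certificate from PEM text and return its DER bytes."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(cert_der, algo="sha1"):
    """Upper-case hex digest of the DER-encoded certificate."""
    return hashlib.new(algo, cert_der).hexdigest().upper()


def check_pin(cert_der, pinned):
    """Compare a certificate against a pinned fingerprint.

    Returns (ok, actual_fingerprint, message). The failure message names both
    the observed and the expected value instead of only saying the check failed.
    """
    expected = normalize_fingerprint(pinned)
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:
        raise ValueError("unsupported fingerprint length: %d hex chars" % len(expected))
    actual = fingerprint(cert_der, algo)
    ok = hmac.compare_digest(actual, expected)
    if ok:
        message = "certificate %s fingerprint %s matches the pinned value" % (algo, actual)
    else:
        message = "certificate %s fingerprint is %s, not %s as pinned, aborting" % (
            algo, actual, expected)
    return ok, actual, message


if __name__ == "__main__":
    der = pem_to_der(der_to_pem(SAMPLE_DER))
    print(check_pin(der, fingerprint(der, "sha1"))[2])
    print(check_pin(der, "00" * 20)[2])
```
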

  • Thank you