(solved) Err_ssl_protocol_error

tugdualenligne · January 26, 2022, 10:10pm

I run (for years) Duplicati in a docker without issues.
I just enhanced my security and forces throught Traefik the use of TLS 1.2 and above.
All of my other Docker apps works fine, but I can’t connect to my Duplicati app. I get:
ERR_SSL_PROTOCOL_ERROR

Does anyone has an idea of how to correct that? I use the Beta version of Duplicati (June version from memory)

Thanks in advance

drwtsn32 · January 27, 2022, 2:15am

I have no experience with Traefik, but my Firefox only supports TLS 1.2/1.3 and I have no issue connecting to any of my Duplicati instances (one of which is in Docker).

What version of Duplicati are you using? Which docker image (official Duplicati or linuxserver)?

Edit to add: actually, duh, I don’t use TLS with Duplicati web UI at all. (I don’t access it over the internet, not worried about non-TLS at home.) Maybe someone who has experience with applying a certificate to the web UI can respond.

tugdualenligne · January 27, 2022, 9:06pm

Thanks.
Duplicati version is [version-v2.0.6.3-2.0.6.3_beta_2021-06-17]
Docker image is linuxserver/duplicati

If someone connecting through TLS, and therefore certificates, can respond, that’ll be great! Thanks

ts678 · January 27, 2022, 10:00pm

That would not be me, but looking at Traefik docs, it looks like it can hold certificates and terminate the TLS instead of passing it through to the final destination while somehow being able to control TLS version used. Alternatively, maybe it looks to see what was negotiated, and cuts things off if undesired? I don’t know area.

If it’s insisting that Duplicati do TLS by itself, you could test Duplicati at localhost with browsers or tools to see if will do desired TLS on that path, but seeing SslProtocols.Default in the server code worries me.

tugdualenligne · January 27, 2022, 10:07pm

Hi gents, thanks for helping. I managed to solve by opening temporarily my duplicati instance to the Internet, so that Traefik gives it a Let’s Encrypt certificate, instead of its default autogenerated Traefik certificate, and… voilà! Solved. I guess (but I’m not sure) that the autogenerated certificate wasn’t correct and prevented somehow the TLS connection.
If that is not the reason, the only other parameters I changed is in Traefik to go from hostHeader to Host. Will test another day to find out
Thanks