Ssl Error connecting to OneDrive backup destination

I have the duplicati/duplicati ArmV7 docker image installed. Since the last update (~ 2 weeks ago) i get the following error for my existing and previously working onedrive backup destination:

“The SSL connection could not be established, see inner exception.”

Recreating the docker container did not solve the issue. I also tried to create a new backup but still the same error.

Found the following error in the logs:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
   at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan`1 alert, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.<SendCoreAsync>g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.<SendCoreAsync>g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Duplicati.Library.OAuthHelperHttpClient.<>c__DisplayClass25_0.<<GetAccessTokenAsync>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Duplicati.Library.Utility.Utility.WithTimeout[T](TimeSpan timeout, CancellationToken token, Func`2 func)
   at Duplicati.Library.OAuthHelperHttpClient.GetAccessTokenAsync(CancellationToken cancellationToken)
   at Duplicati.Library.OAuthHelperHttpClient.GetAccessTokenAsync(CancellationToken cancellationToken)
   at Duplicati.Library.OAuthHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Duplicati.Library.Backend.MicrosoftGraphBackend.SendRequestAsync[T](HttpRequestMessage request, CancellationToken cancelToken)
   at Duplicati.Library.Backend.MicrosoftGraphBackend.SendRequestAsync[T](HttpMethod method, String url, CancellationToken cancelToken)
   at Duplicati.Library.Utility.Utility.WithTimeout[T](TimeSpan timeout, CancellationToken token, Func`2 func)
   at Duplicati.Library.Backend.MicrosoftGraphBackend.Enumerate[T](String url, CancellationToken cancelToken)+MoveNext()
   at Duplicati.Library.Backend.MicrosoftGraphBackend.Enumerate[T](String url, CancellationToken cancelToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
   at Duplicati.Library.Backend.MicrosoftGraphBackend.ListAsync(CancellationToken cancelToken)+MoveNext()
   at Duplicati.Library.Backend.MicrosoftGraphBackend.ListAsync(CancellationToken cancelToken)+MoveNext()
   at Duplicati.Library.Backend.MicrosoftGraphBackend.ListAsync(CancellationToken cancelToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
   at System.Linq.AsyncEnumerable.<ToListAsync>g__Core|424_0[TSource](IAsyncEnumerable`1 source, CancellationToken cancellationToken) in /_/Ix.NET/Source/System.Linq.Async/System/Linq/Operators/ToList.cs:line 36
   at System.Linq.AsyncEnumerable.<ToListAsync>g__Core|424_0[TSource](IAsyncEnumerable`1 source, CancellationToken cancellationToken) in /_/Ix.NET/Source/System.Linq.Async/System/Linq/Operators/ToList.cs:line 36
   at Duplicati.Library.Main.Backend.BackendManager.ListOperation.ExecuteAsync(IBackend backend, CancellationToken cancelToken)
   at Duplicati.Library.Main.Backend.BackendManager.Handler.Execute[TResult](PendingOperation`1 op, CancellationToken cancellationToken)
   at Duplicati.Library.Main.Backend.BackendManager.Handler.Execute(PendingOperationBase op, CancellationToken cancellationToken)
   at Duplicati.Library.Main.Backend.BackendManager.Handler.ExecuteWithRetry(PendingOperationBase op, CancellationToken cancellationToken)
   at Duplicati.Library.Main.Backend.BackendManager.ListAsync(CancellationToken cancelToken)
   at Duplicati.Library.Main.Operation.FilelistProcessor.RemoteListAnalysis(IBackendManager backendManager, Options options, LocalDatabase database, IDbTransaction transaction, IBackendWriter log, IEnumerable`1 protectedFiles, IEnumerable`1 strictExcemptFiles, VerifyMode verifyMode)
   at Duplicati.Library.Main.Operation.FilelistProcessor.VerifyRemoteList(IBackendManager backend, Options options, LocalDatabase database, IDbTransaction transaction, IBackendWriter log, IEnumerable`1 protectedFiles, IEnumerable`1 strictExcemptFiles, Boolean logErrors, VerifyMode verifyMode)
   at Duplicati.Library.Main.Operation.BackupHandler.PreBackupVerify(Options options, BackupResults result, IBackendManager backendManager)
   at Duplicati.Library.Main.Operation.BackupHandler.RunAsync(String[] sources, IBackendManager backendManager, IFilter filter)
   at Duplicati.Library.Main.Controller.<>c__DisplayClass22_0.<<Backup>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Duplicati.Library.Utility.Utility.Await(Task task)
   at Duplicati.Library.Main.Controller.RunAction[T](T result, String[]& paths, IFilter& filter, Func`3 method)
   at Duplicati.Library.Main.Controller.Backup(String[] inputsources, IFilter filter)
   at Duplicati.Server.Runner.RunInternal(Connection databaseConnection, EventPollNotify eventPollNotify, INotificationUpdateService notificationUpdateService, IProgressStateProviderService progressStateProviderService, IApplicationSettings applicationSettings, IRunnerData data, Boolean fromQueue)

I also tried to use Google Drive as backup destination. Here i don’t get this ssl error message but the following error message:

“Error listing content: The operation has timed out.“

Any idea what the issue may be?

There seems to be something broken with the linux 2.2.0 version and SSL handling for certain providers. I have similar issues with the B2 (Backblaze) - mentioned here: Backups fail with "The SSL connection could not be established" - #3 by Pawel_Wrona .

It even fails at the “Test connection” with this SSL error. Exactly the same configuration with 2.1.0.5 this works fine. I’ve also tested Windows version 2.2.0 of duplicati and it’s fine there.

And I also use Google (Google Cloud), where everything is working fine.

ok, thank you for the info. Downgrading to 2.1.0.5 does not work for me, because than i get an error message that the database version is not supported (because its already upgraded to version 9 and 2.1.0.5 needs version 8 (or lower)).

So theres currently no other workaround, right?

You can downgrade to 2.1.0.5 by following these instructions (including downgrading the database version): Downgrade from 2.2 to 2.1.05 | Duplicati

In my experience though - you need to downgrade the “local” DB to 13, not 14 in order for 2.1.0.5 to work

So instead of:

duplicati-database-tool downgrade --server-version=8 --local-version=14

I’ve run:

duplicati-database-tool downgrade --server-version=8 --local-version=13

I’ve the exactly same problem. If there is a solution in future I’m glad to use that too. I don’t want to revert back if there will be another way. For my purpose it doesn’t matter if the backup doesn’t work for some weeks.

Thank you. Great. Downgrade to Version 2.1.0.5 worked and my backups are running again.

Just to close out from my end - this turned to be nothing wrong with Duplicati. It was caused by unexpected/not-correct DNS malware blocking - see here: SSL errors (e.g. The SSL connection could not be established) on linux duplicati 2.2.0.0 with B2/Backblaze backend · Issue #6617 · duplicati/duplicati · GitHub

Did you ever get this fixed" “properly”? I have exactly the same problem.

If not, do I run the database tool in the 2.2.0.5 docker first and then edit the compose to pull the 2.1.0.5 version?

I actually did the same and it’s working again.

I bit the bullet and ran the command above using docker exec -it <2.2.0.5 container name> to downgrade the database and the pulled the 2.1.0.5 version - working again now. Fingers crossed for a proper fix.

What provider and architecture? Original post had duplicati/duplicati ArmV7.
I don’t know what test setups the Duplicati devs have, but specifics will help.
If anybody’s on LSIO, results might still be informative on what spot got bad.
Ditto for anybody not Docker at all, in which case system info may be useful.

So aside from a Backblaze issue that may be separate, this is all OneDrive?
I’d note that there’s another maybe wider SSL certificate topic in forum lately.
Having one that can be well-isolated if possible might help narrow bug down.

Personally I don’t do Docker, and OneDrive is doing well for me on Windows.

My issue is on a rpi4(?) running openmediavault with duplicati in a docker container

Should be 2.2.0.1 container not 2.2.0.5!

What image (provider, architecture) for container?
I think Pi 4 is documented to run 64 bit BCM2711.
It looks like OMV advises using the 64 bit version.
I’m not sure what Docker should be. I don’t use it.

I pull from duplicati/duplicati (ie I don’t specify any architecture and I now set the version to 2.1.0.5 though).

uname -i gives aarch64

PackageTypeId : linux-arm7-cli.docker

I’d this the info you asked for?

Let me know if you need anything else…

Is that all from the container, or is some of that from OMV?
It looks like one thinks it’s 64 bit, and arm7 would be 32 bit.

The reason I ask is because of the developer reporting that

and cites

SSL connection could not be established (32 bit client, Debian Trixie, caused by change of libssl3 to libssl3t64.) #6554

but it’s a Canary test release, so be careful if you test it. Let’s check in Docker:

https://hub.docker.com/r/duplicati/duplicati/tags has a 2.2.0.101-canary tag, but maybe you can instead find a way to get 2.2.0.1 stable arm64.

I might be totally off here, but I’m just trying to go by what developer has said.
One thing that’s a little odd is why 2.1.0.5 is better. It’s the same .NET, but I’m uncertain whether Linux in container updated and so fell into cited libssl issue.

seems to fit symptom of dotnet issue below, as linked in Duplicati issue.

HTTPS requests fail on Ubuntu 24.04 Noble ARM32 due to bundled certs “NotTimeValid” error #101444

After Microsoft was done working issue, their report on it was the following:

Breaking change: .NET 9 is Y2038 compatible (Arm32 glibc); .NET 8 is not #9285

which seems to say they think .NET 8 on Debian 13 will have SSL problem.

How would Duplicati Docker get to Debian 13? It looks to just pick up latest:

Debian 13 (Trixie) went Stable on Aug 9, 2025, and 13.0 hit Docker Aug 12.
New OS might break duplicati-2.1.2.0_beta_2025-08-20, 2.2.0.0 Stable, etc.
It may explain why downgrading to 2.1.0.5 helps – the Linux version is older.

So there’s my theory, and one can see support for it in the Microsoft article…
They also seem to be saying that this only affects 32 bit, so try 64 if possible.

Sorry uname is from omv, the other is from duplicati (so within the docker container).

I don’t specify a platform in my compose file. Do you think it’s worth a try to force arm64 (although I would have thought it would have done this based on the host os).

Great detective work btw! Definitely looks like the potential culprit.

I don’t know what else you have in Docker (and I don’t do Docker), but I’m encouraging safe experimentation to see if you can get your backup back.

In terms of what gets automatically picked up, is the Docker engine 64-bit?
Maybe packages tool knows? Or reportedly try file -L /proc/PID/exe?

The output is

/proc/PID/exe: cannot open \`/proc/PID/exe’ (No such file or directory)