SSL/TLS error in commandline but not in test or gui?

I have a webdav connection to German Telekom Magenta Cloud. There was a migration the last days so the server URL changed and I had to generate a new password for webdav.

Tested connection and worked outside duplicati.

Then changed in Duplicati and if I use the test button in the GUI the test is ok:

If I start the backup from the web-gui the backup starts, counts files aso. and finishes (also a success is reported to duplicati-monitoring) and I see new files in the cloud space

“Gerade eben” means “Less than 1 minute ago” in English!

BUT: If I start the same backup from the command line I get a SSL/TLS secure channel error:

C:\Users\server>"C:\Program Files\Duplicati 2\Duplicati.CommandLine.exe" backup "webdavs://
Backup started at 12.12.2021 16:48:46
Checking remote backup ...
  Listing remote folder ...
  Listing remote folder ...
  Listing remote folder ...
  Listing remote folder ...
  Listing remote folder ...
Fatal error => The request was aborted: Could not create SSL/TLS secure channel.

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at Duplicati.Library.Main.BackendManager.List()
   at Duplicati.Library.Main.Operation.FilelistProcessor.RemoteListAnalysis(BackendManager backend, Options options, LocalDatabase database, IBackendWriter log,
   at Duplicati.Library.Main.Operation.FilelistProcessor.VerifyRemoteList(BackendManager backend, Options options, LocalDatabase database, IBackendWriter log, I
   at Duplicati.Library.Main.Operation.BackupHandler.PreBackupVerify(BackendManager backend, String protectedfile)
   at Duplicati.Library.Main.Operation.BackupHandler.<RunAsync>d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at CoCoL.ChannelExtensions.WaitForTaskOrThrow(Task task)
   at Duplicati.Library.Main.Controller.<>c__DisplayClass14_0.<Backup>b__0(BackupResults result)
   at Duplicati.Library.Main.Controller.RunAction[T](T result, String[]& paths, IFilter& filter, Action`1 method)
   at Duplicati.Library.Main.Controller.Backup(String[] inputsources, IFilter filter)
   at Duplicati.CommandLine.Commands.Backup(TextWriter outwriter, Action`1 setup, List`1 args, Dictionary`2 options, IFilter filter)
   at Duplicati.CommandLine.Program.ParseCommandLine(TextWriter outwriter, Action`1 setup, Boolean& verboseErrors, String[] args)
   at Duplicati.CommandLine.Program.RunCommandLine(TextWriter outwriter, TextWriter errwriter, Action`1 setup, String[] args)

Any idea?

The Batchfile was running since years and I changed the URL which included the password.

To be sure I also copied all command line arguments from the gui of Duplicati and I have this one:

"C:\Program Files\Duplicati 2\Duplicati.CommandLine.exe" 
--exclude=[\\\\some excludes here\\.*] 
--exclude=[\\\\some excludes here\\.*] 

Did you set either --accept-any-ssl-certificate or --accept-specified-ssl-hash in the GUI job by chance?

No. I copied all options from the “Commandline” dialog (edit as text). There is no --accept-any-ssl-certificate or --accespt-specified-ssl-hash.

As a workaround I added my 2 clouds to my rclone client and changed the Duplicati Job to rclone.

But I would prefer the webdav-solutions because there I have all the connection seetings in the Duplicati database and do not need files from rclone.

Well that’s certainly a mystery!

If your goal is to trigger jobs from the command line while still using the web UI, I suggest an alternate workaround… use the excellent duplicati-client command line utility instead of the one included with Duplicati.

The one included with Duplicati doesn’t integrate at all with the running web server instance. It was designed to be completely standalone.

1 Like

Thank you. I will have a look at it but I do not use CLI and Webgui parallel!

I normally only use the CLI (I have made my own scheduler which fits my needs a lot better that the service of duplicati).

I use the WEBGUI only sometimes for changes of the configuration and my scheduler reads all the options for the commandline from the Duplicati database and builds a batch file that is executed.

I just tried if I get the same error in the webgui than i got from the CLI and was astonished that I did not get the error?!?

Guessing a bit here, but that won’t quote things that need quoting for Command Prompt.
You could compare what you made that way with what Export As Command-line makes.

You could also try passing the Export URL to Duplicati.CommandLine.BackendTool.exe.
Can it do the list that had failed for Duplicati.CommandLine.exe?

1 Like

It is nothing with quoting. I have set all quotes. I now broke it down to the backend tool!

“Duplicati.CommandLine.BackendTool.exe” GET “webdavs://”

or LIST instead of GET without file shows the same SSL/TLS error.


I had problems some weeks ago with the new version BackEndTool and local files and there it worked with old duplicati version but not with current and here now I have the same!

Backend shows the SSL-Failure
Backend WORKS without SSL-Failure => Files are listed

The installed version is but I have a copy of in local temp folder.

If i call the LIST command with the SSL-error is shown (fist statement in Program Files), if I call the LIST command with the older (second statement in my local temp folder) it lists the files

So is there maybe another bug in the BackendTool?

Not everybody knows odd rules. Wrapping in quotes isn’t enough for, e.g. backslash at end.
Still, this usually just gets Duplicati very confused about the line, and yours isn’t clearly that.

You opened that issue, and it was thought fixed Nov 11 but there hasn’t been a release since.

Unlike the other one, this one is not unique to BackendTool because you got it on a regular run.
These inconsistent results, though (e.g. GUI versus CLI on same version) are rather puzzling.

Some Internet reports attribute this particular error message to a mismatch with server’s TLS.
According to SSL Labs, uses TLS 1.2 and nothing else higher (1.3) or lower.
You could test running CLI backup with allowed-ssl-versions=Tls12 to see if it somehow helps.
You could also see if a different command, e.g. test, somehow runs. That still needs dbpath.

Another SSL/TLS test would be the one from Mono project, which would be running command:

csharp -e ‘new System.Net.WebClient ().DownloadString (“”)’

1 Like


Added --allowed-ssl-versions=Tls12 to the commandline and it started counting files and I got Backup completed successfully! So it seems everything is ok.

Why the job started from the GUI does not need this allowed-sll-versions and why the old version of the backend tool works?!? Don’t know.

With this option i can switch back my job from rclone to webdav.