SSL works only the first time

Hello!
I’m a new Duplicati user and I’m discovering its features.
For me, the GUI and a quick dashboard where I can manage everything are very useful: I installed Duplicati on my Linux VPS, which has no X windows, so I cannot use the browser from localhost, but I need to open the port and connect remotely.
For obvious security reasons, I had to operate via SSL.

I was able to let Duplicati use my certificate and my key; the problem is that it works only the first time I start duplicati-server. If I restart duplicati-server I get this error:

# duplicati-server --webservice-sslcertificatefile=/var/duplicati/duplicaticertificate.pfx --webservice-sslcertificatepassword=mypassword

A serious error occurred in Duplicati: System.PlatformNotSupportedException: Operation is not supported on this platform.
  at Duplicati.Server.Database.ServerSettings.get_ServerSSLCertificate () [0x00115] in <c5f097a49c0a4f1fb0f93cf3f5f218b1>:0 
  at Duplicati.Server.WebServer.Server..ctor (System.Collections.Generic.IDictionary`2[TKey,TValue] options) [0x002a4] in <c5f097a49c0a4f1fb0f93cf3f5f218b1>:0 
  at Duplicati.Server.Program.StartWebServer (System.Collections.Generic.Dictionary`2[TKey,TValue] commandlineOptions) [0x00000] in <c5f097a49c0a4f1fb0f93cf3f5f218b1>:0 
  at Duplicati.Server.Program.RealMain (System.String[] _args) [0x00227] in <c5f097a49c0a4f1fb0f93cf3f5f218b1>:0 

Actually I managed to solve the issue by launching this query on the sqlite db

update option set value='' where Name='server-ssl-certificate';

just immediately before starting the server.
Could this be a bug, or is my configuration wrong somewhere?

I faced the same error too! Did you find a solution for this?

Maybe someone else can help us?

Is this a Docker? What OS is this?

System.PlatformNotSupportedException #4223

This looks very similar to this issue: linuxserver/docker-duplicati#30 (where a workaround was found).

which is basically the same workaround that @Scare gave, except with a bit more detail on how to do it.
The currently open Duplicati issue has a docker label, but I’m not sure that’s right. I need the system info.

Added support for certificates under Linux #2314 is perhaps having trouble with its saves and/or restores.
Assuming you’re using something not Windows, mono was missing some functionality that Windows has.
Clearing the server-ssl-certificate value in the database probably avoids the attempt to read it back:

Sorry. Later I found the solution with "update option set value='' where Name='server-ssl-certificate';"

I added this string in /usr/lib/systemd/system/duplicati.service:
ExecStartPre=/usr/bin/sqlite3 /root/.config/Duplicati/Duplicati-server.sqlite "update option set value='' where Name='server-ssl-certificate';"

Works fine!

Good to hear the workaround works. From seeing systemd, I guess this is Linux. Is it a Docker as well?

I think you also use Windows. It might be interesting to see if the entry that you clear looks very different between the two of them, perhaps even with the same certificate (if that is possible). This might indicate whether the problem is on the saving of the server-ssl-certificate or the restore. You can probably output the original value using sqlite3 (which I don’t use, so can’t help with). If not, sqlitebrowser will do. Possibly it’s in your Linux repository. Beyond sanity-checking values, you could also move them around.

It isn’t Docker. It’s another VM (BitrixVM by Bitrix CMS, if you know).

Yes, I use D2 in the majority of cases and recently installed it and set it up on CentOS. Later I wanted SSL and added it to this site. But on Windows I don’t need SSL because I connect inside the LAN.

I don’t understand. Are you asking me to run "update option set value='' where Name='server-ssl-certificate';" after running D2 on CentOS?

I didn’t know, but I’m guessing this is one of their self-hosted VMs that are CentOS, meaning Duplicati is seeing this problem on Linux but Docker is not required. If so, I’ll probably delete the docker issue label.

That’s not quite it. There’s not much point in clearing the value again. There may be a point in studying it however one can see values with sqlite3, and it can definitely be done with an SQLite database browser.

The hope is that since you can set up and get the problem, that you can look at it to help solve the issue.

You are now using a workaround of deleting a value. This should not be necessary, however it’s unclear whether the problem is in storing the value, reading it back, or something else. Because you have a few systems, I thought maybe you could investigate and post findings which would maybe encourage action.

For example, see if Windows works more the way you expect. If so, there is a Linux problem to look into. Ideal would be to use the same certificate, but I don’t know how feasible that is to have. In this ideal, see whether the certificate makes the same server-ssl-certificate value in the database. If not, maybe problems exist in saving the certificate value. If the value is the same, then the problem may be retrieval.

It’s entirely up to you if you wish to volunteer to help look, but volunteers are what make Duplicati happen.

Do you have certificate with EC or just RSA?
Problem is in BouncyCastle library and Linux support.
I can take a look at that.

Hello. I know neither Linux nor SQLite well, but I could make the select request and I saw the following: -2||server-ssl-certificate|MIACAQ***** (***** stands for other Latin symbols and numbers). I tried to understand the code of D2 and saw:

using (var stream = new System.IO.MemoryStream(Convert.FromBase64String(settings[CONST.SERVER_SSL_CERTIFICATE])))
    store.Load(stream, null);

So I think D2 expects to read a base64 string, but I see "-2||server-ssl-certificate|" before it, and that may be the reason for the error. But I could be wrong…

I have checked on Windows. All OK, but in "option" I saw that "server-ssl-certificate" was equal to only the base64 string, without any prefixes such as "-2||server-ssl-certificate|". So, I think, that’s the problem and the solution! Unfortunately, I can’t help to solve this problem in any way.

As I see - RSA.

Perfectly!

Thanks for taking a look. It’s out of my area too, so thanks to @mnaiman for offering some expertise.

I have checked that code in a separate console application on Ubuntu

and the result is base64 without any -2||server-ssl-certificate|

Which command-line argument do you use to start Duplicati with the certificate?

ExecStart=/usr/bin/duplicati-server --webservice-interface=any --webservice-port=8200 --webservice-sslcertificatefile=/etc/nginx/ssl/filename.pfx --webservice-sslcertificatepassword=PASS $DAEMON_OPTS

I managed to simulate it on my machine too. For some reason the problem is not saving, but restoring.
When I checked using SQLite, what is stored there is OK, without any prefixes. Can you confirm that?

Sorry. It’s my mistake because of my poor knowledge of mysql… This prefix is the values of other columns, such as ID or Name. But in Windows I can’t see this, so maybe they were empty?

But I don’t understand. What should I check? After running “select” shows me the same picture.
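The inspection step discussed above, as an added example that is not part of any post in this thread and is not Duplicati's code: it reads only the Value column (the sqlite3 shell prints every column joined by "|", which is where the "-2||server-ssl-certificate|" prefix comes from) and summarises the stored blob by type, size and SHA-256 digest instead of printing it, since the value is a PKCS#12 container that holds the private key. The column names BackupID and Filter are assumptions, and the database is built in memory from constructed bytes.

```python
import base64, binascii, hashlib, sqlite3

NAME = "server-ssl-certificate"  # option name taken from the thread

def stored_value(conn):
    """Return only the Value column for the certificate option, or None."""
    row = conn.execute('SELECT Value FROM "Option" WHERE Name = ?', (NAME,)).fetchone()
    return row[0] if row else None

def looks_like_pkcs12(der):
    """A PFX is SEQUENCE { INTEGER 3, ... }: tag 0x30, a length, then 02 01 03."""
    if len(der) < 5 or der[0] != 0x30:
        return False
    first = der[1]
    # Short form (< 0x80) and indefinite form (0x80) use one length byte;
    # long form 0x8N is followed by N further length bytes.
    skip = 2 if first <= 0x80 else 2 + (first & 0x7F)
    return der[skip:skip + 3] == b"\x02\x01\x03"

def describe(conn):
    """Summarise the stored certificate without revealing the key material."""
    value = stored_value(conn)
    if not value:
        return {"state": "empty"}  # what the workaround leaves behind
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error:
        return {"state": "not-base64"}
    return {"state": "pkcs12" if looks_like_pkcs12(der) else "unknown",
            "bytes": len(der),
            "sha256": hashlib.sha256(der).hexdigest()}

def cli_line(conn):
    """Reproduce the sqlite3 shell's default output for 'select *': columns joined by '|'."""
    row = conn.execute('SELECT * FROM "Option" WHERE Name = ?', (NAME,)).fetchone()
    return "|".join(str(col) for col in row)

def demo_db(value):
    """Constructed stand-in for Duplicati-server.sqlite (column names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "Option" (BackupID INTEGER, Filter TEXT, Name TEXT, Value TEXT)')
    conn.execute('INSERT INTO "Option" VALUES (-2, \'\', ?, ?)', (NAME, value))
    return conn

if __name__ == "__main__":
    # Constructed bytes: a BER PKCS#12 header plus padding, not a real certificate.
    fake = base64.b64encode(b"\x30\x80\x02\x01\x03" + b"\x00" * 16).decode()
    conn = demo_db(fake)
    print(cli_line(conn)[:34] + "...")
    print(describe(conn))
```

The digest identifies one stored blob, so it is useful for checking whether the value changes across restarts of the same server; two exports of the same certificate normally produce different bytes because PKCS#12 encryption uses random salts, so across systems compare the state and size rather than the digest.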

This line is the problem in Mono

Simply setting this is not supported in Mono (Linux) :confused:
Going to reinvent some workaround.

Ok, I have a fix.
It’s silly…
var cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12));

It cannot import a certificate which it exported without a password.

var cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12, ""), "");

Now it works, with password ""

Nice, tested on my Linux docker instance and the certificate persists.
If you want to test, I can provide binary Duplicati.Server.exe.
