"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"

Hi guys,

I’ve been using Duplicati for several years now, currently Duplicati - 2.0.2.1_beta_2017-08-01.

I’m using it to back up files to, among other targets, my Strato HiDrive cloud space using WebDAV. A few weeks ago I noticed that often, but not always, Duplicati would abort the backup with the error message “Die zugrunde liegende Verbindung wurde geschlossen: Für den geschützten SSL/TLS-Kanal konnte keine Vertrauensstellung hergestellt werden.” The message is in German because my Windows is German, I guess, although the Duplicati UI is set to English. I assume the English equivalent is “The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”.

The WebDAV connection itself tests fine when I do a “Test Connection” in the “Backup destination” section of Duplicati. Customer support at Strato also tells me that the WebDAV connection itself is fine. The rest of the config you can see in the attached screenshot (I just changed the user name).

The strange thing is that I don’t get this error all the time, about 3 out of 4 backups fail, so it doesn’t seem to be a general configuration problem. But the more data I have to back up, the more likely it is Duplicati aborts the backup with this error.

If anyone could shed some light as to what’s going wrong, that would be great!

Thanks in advance for your help,

Stephan

It seems you have specified a specific hash. If Strato has different certificates on different servers, you can easily hit multiple certificates.

The option is meant to support users who have self-signed certificates, and should not be used against commercial providers, as they will certainly have valid SSL certificates.

There is another user here who reports a similar error message:

Hi Kenneth,

thanks for your quick reply!

So, I took out the --accept-specified-ssl-hash option for a test.

  • If I then click “Test connection”, I get:
Failed to connect: The server certificate had the error RemoteCertificateNameMismatch and the hash EF67AB90F5786B8F6EDAC0FBD1EB0B09136426C0 If you trust this certificate, use the commandline option --accept-specified-ssl-hash=EF67AB90F5786B8F6EDAC0FBD1EB0B09136426C0 to accept the server certificate anyway. You can also attempt to import the server certificate into your operating systems trust pool.
  • If I proceed anyway and run the backup, I get the similar error again:
Fatal error
System.Net.WebException: Die zugrunde liegende Verbindung wurde geschlossen: Für den geschützten SSL/TLS-Kanal konnte keine Vertrauensstellung hergestellt werden.. ---> System.Security.Authentication.AuthenticationException: Das Remotezertifikat ist laut Validierungsverfahren ungültig.
   bei System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   bei System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei Duplicati.Library.Main.BackendManager.List()
   bei Duplicati.Library.Main.Operation.FilelistProcessor.RemoteListAnalysis(BackendManager backend, Options options, LocalDatabase database, IBackendWriter log, String protectedfile)
   bei Duplicati.Library.Main.Operation.FilelistProcessor.VerifyRemoteList(BackendManager backend, Options options, LocalDatabase database, IBackendWriter log, String protectedfile)
   bei Duplicati.Library.Main.Operation.BackupHandler.PreBackupVerify(BackendManager backend, String protectedfile)
   bei Duplicati.Library.Main.Operation.BackupHandler.Run(String[] sources, IFilter filter)

What best to do?

All the best,

Stephan

Since the server is public, you can maybe try SSL labs and see if there is an issue with the certificate:
https://www.ssllabs.com/ssltest/analyze.html?d=webdav.hidrive.strato.com&latest

When I try with the basic url, I get that the root CA is Thawte:

It seems that your operating system is perhaps missing the Thawte certificate? Or maybe you hit another server than me?

EDIT: it reports IP 85.214.3.67

I also get 85.214.3.67. In my Certificate manager, I find “thawte Primary Root CA” and a few others from Thawte.

I have this problem on all my 3 computers where I use Duplicati with HiDrive, one Windows 7, one Windows 8, and one Windows 10 machine. They all exhibit the same behavior…

I’m a bit lost at what to do next. If you’d like a test account on my HiDrive could space, I can set up a separate account for you.

All the best,

Stephan

In your screenshot you have a different hostname. Does this hostname point to the same IP as well? If I look up the server name with nslookup I get a single IP (the same), but I was wondering if it looks different from your machine?

That put me on the right track :). Actually, it’s not a different hostname, it’s the syntax as mentioned here: HowTo: Strato HiDrive - Duplicati . This syntax, i.e. using “username.webdav.hidrive.strato.com” for the server name, seems to have worked until a month or so ago.

I took the username part out and now it seems to work. I just tried an approx. 6GB backup and didn’t get the error.

So maybe it’s best to either edit the info on the old Duplicati HowTo page, or delete it. But since Strato HiDrive is quite popular it would be a pity if people wouldn’t find the info online that it does play nicely with Duplicati :).

Thanks again,

Stephan

I have updated the page to mention the changes.

I have on my TODO that I should make similar guides for Duplicati 2.0 but it is a loooong list :slight_smile:

1 Like

Thanks! I just wonder though whether people might not notice the additional text it and just go by the screenshot, which still has the username portion…

All the best,
Stephan

The real solution is to make the guides for 2.0 like the ones René did for 1.3.x.

Hi all – first post here!

I am receiving the exact same error message as mentioned in the title of this thread. I have pointed Duplicati on my Windows 10 laptop to my OwnCloud server via WebDAV. After about five minutes of it working on my 100+ GB backup, it errors out with the above message. I am also using a self-signed certificate and the “–accept-specified-ssl-hash” option in Duplicati. I also tried the option to accept all certificates, the symptoms were the same. I have experimented with various different WebDAV paths in the configuration of my backup (OwnCloud supports various different, working ways of expressing the WebDAV/DAV path). The “Test” button confirmed all of them to work. But the backup fails after a few minutes again.

Is there a way to just tell Duplicati to retry automatically when it fails? It seems like as soon as there is an error, it abandons the backup.

I am using Dynamic DNS for an ‘external’ connection, I am not connecting to my OwnCloud server through my LAN, although I am on the same network right now.

My OwnCloud server is Ubuntu 16.04. My Windows 10 backup client and my Ubuntu server are actually in the same room for these tests. so I am also leaving room for the possibility that my router is a factor here (an ASUS RT‑AC68U with newest firmware).

Any help or pointers are appreciated. I am switching from CrashPlan to Duplicati/OwnCloud for allowing myself and my family to back up remotely to my server.

P.S.:

  • Volume size for the backup is set to 100MB.
  • Duplicati client is the latest version “2.0.2.1_beta_2017-08-01”
  • OwnCloud is version 9.1

Duplicati retries 5 times automatically.

I think the problem is that “something” resets the SSL validation code, and that only gets installed when the backup starts, so once it has been removed it keeps failing. We should fix that.

If you want, you can get a free valid SSL certificate from LetsEncrypt:
https://letsencrypt.org/

1 Like

Speedy response :slight_smile: I’ll try that right now and report back momentarily – thank you :slight_smile:

Works great so far! New certs installed via certbot and the backup is in full swing – thanks a lot! :slight_smile:

BTW: A good way of showing your appreciation for a post is to like it: just press the :heart: button under the post.

If you asked the original question, you can also mark an answer as the accepted answer which solved your problem using the tick-box button you see under each reply.

All of this also helps the forum software distinguish interesting from less interesting posts when compiling summary emails.

Since Crashplan dropped their product for consumers, i’m trying Duplicati. I have a WEBDAV server (QNAP TS239 Pro 2+) running, Duplicati on Windows (2.0.21) & QNAP (QNAP TS439 Pro) (2.0.2.1_beta_2017-08-01). The QNAP package is doing fine and backups to the WEBDAV server.

But with Windows (7) i can’t establish a connection because of this error. Even with accept-any-ssl-certificate, the same result. Since it works on the QNAP, i hope i can fix it on the Windows client.

Regards, Heronimus

That sounds like your Windows 7 is missing some updated root certificates.
There is an SO post that sounds just like it with a suggestion for a fix: