TrustFailure error when using Backblaze B2

Seems like Backblaze is using Let’s Encrypt certificates.
In the certificate chain they are sending is a certificate (ISRG Root X1) that leads up to an expired root CA (DST Root CA X3).
Some time ago, that intermediate CA “ISRG Root X1” has been re-issued as a root CA and added to all browsers. (DST Root CA X3 Expiration (September 2021) - Let's Encrypt) And those browsers (and recent OpenSSL-based stuff) ignore the certificate in the chain sent by the server and use the first matching certificate in their trust store instead of walking the server-sent chain until the end.

It seems like Mono, the thing Duplicati is built on, is using BoringSSL, which does not do that and fails validation. (See here: Enable X509_V_FLAG_TRUSTED_FIRST flag in BoringSSL · Issue #21233 · mono/mono · GitHub). So, no matter if you remove the expired root CA from the Mono trust store and add the new “ISRG Root X1” root CA, it will not work.

I did some tests on a couple of other Let’s Encrypt based sites, and they all give the same issue. So it seems related maybe to the “certbot” stuff from Let’s Encrypt still sending that faulty intermediate CA certificate.

Meanwhile I also opened a ticket with Backblaze, hoping they can fix it from their side somehow.

The only workaround for now, it seems, is enabling the accept-any-ssl-certificate option in Duplicati.

3 Likes
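A constructed model of the path-building difference the post describes, added here as an example (it is not code from the post, Duplicati, Mono or BoringSSL): certificate names follow the post, the expiry dates are illustrative and the leaf is a placeholder. `trusted_first=True` models the TRUSTED_FIRST behaviour of browsers and recent OpenSSL; `False` models a verifier that walks the server-sent chain to its end first.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed model of the certificates named in the post (dates are illustrative,
# not copied from the real certificates; the leaf is a placeholder).
TODAY = date(2021, 10, 5)                                                   # after DST Root CA X3 expired
ISRG_X1_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))      # self-signed root in trust stores
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed copy sent by server
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))       # expired root
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("leaf.example (placeholder)", "R3", date(2022, 1, 1))

SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # what the server sends, as described in the post

def build_path(chain, trust_store, trusted_first):
    """Build a path from chain[0] to a trust anchor. Returns (path, error_or_None).

    trusted_first=True: prefer a trust-store cert for each issuer (TRUSTED_FIRST).
    trusted_first=False: prefer the next server-sent cert, consult the store only
    when the chain runs out (the older behaviour the post says Mono/BoringSSL has).
    """
    path = [chain[0]]
    while True:
        cur = path[-1]
        if cur.not_after < TODAY:
            return path, f"certificate has expired: {cur.subject}"
        if cur in trust_store:
            return path, None                      # reached a trust anchor
        from_store = next((c for c in trust_store if c.subject == cur.issuer), None)
        from_chain = next((c for c in chain if c.subject == cur.issuer and c not in path), None)
        nxt = (from_store or from_chain) if trusted_first else (from_chain or from_store)
        if nxt is None:
            return path, f"unable to get issuer certificate: {cur.issuer}"
        path.append(nxt)

def verify(chain, trust_store, trusted_first):
    """Return (ok, subjects along the built path, error message or None)."""
    path, err = build_path(chain, trust_store, trusted_first)
    return err is None, [c.subject for c in path], err

if __name__ == "__main__":
    for store_name, store in [("with expired DST root", [ISRG_X1_ROOT, DST_X3]),
                              ("DST root removed", [ISRG_X1_ROOT])]:
        for flag in (False, True):
            ok, path, err = verify(SERVER_CHAIN, store, flag)
            print(f"{store_name:22} trusted_first={flag!s:5} ok={ok} path={path} {err or ''}")
```

Running it shows the post's two failure modes for the chain-walking verifier (expired DST root, or no issuer at all once that root is removed) and a valid path ending at the self-signed ISRG Root X1 for the trusted-first verifier.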