Warning - No Certificates Found

Backup is working, but I get the following warning:

2020-04-17 16:08:33 -04 - [Warning-Duplicati.Library.Modules.Builtin.CheckMonoSSL-MissingCerts]: No certificates found, you can install some with one of these commands: cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives curl -O https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm cacert.pem #for MacOS Read more: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync

Backup target is an external (SFTP) SSH target. Not sure why this is needed since the target isn’t an S3 cloud provider.

Mono version: 6.6.0.161
Duplicati version: 2.0.5.1
Gentoo

It looks like it does this check regardless of what back end you’re using. Even though you aren’t using TLS, the most straightforward way to get rid of this error is to just install the certs per the recommendation.

You’re right, I don’t like it, but you were right.

1 Like

Even if you don’t utilize a back end that implements TLS, I’m thinking the certs are useful for other reasons: autoupdater, sending reports to secure https, sending email alerts to TLS-enabled mail services, etc.

Can someone help me on macOS Big Sur… the instructions seem to cut off too soon…

1 Like

@Roger_Peters - same for me here. Got a new Mac mini M1.

The mentioned cmd for the terminal doesn’t work. Can anybody help us out?

curl -O https://curl.haxx.se/ca/cacert.pem; cert-sync --user cacert.pem; rm cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   299  100   299    0     0    148      0  0:00:02  0:00:02 --:--:--   148
Mono Certificate Store Sync - version 6.12.0.0
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

No certificates were found.

:face_with_monocle: Any developers available?
It’s not optimal providing wrong/outdated installation advisories.

What does “cut off too soon mean”? Does it mean you wound up at

Look at cacert.pem file that you downloaded. If it looks like the below, try again with new URL it gave.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://curl.se/ca/cacert.pem">here</a>.</p>
<hr>
<address>Apache Server at curl.haxx.se Port 80</address>
</body></html>

My guess is that the world changed after Duplicati was released, but testing is needed to confirm fix.

The journey to a curl domain

Starting on November 4, 2020 curl.se is the new official home site for the curl project. The curl.haxx.se name will of course remain working for a long time more and I figure we can basically never shut it down as there are so many references to it spread out over the world. I intend to eventually provide redirects for most things from the old name to the new.

The problem with redirects is that curl doesn’t follow them unless the -L or --location option is given.
That can be tried instead of changing the original URL. Maybe as people try this, say which you used.

FAQ: Security from the Mono project shows how to check certificates without Duplicati, but also says:

(Recommended) Starting with Mono 3.12.0 a new tool called cert-sync is included which syncs Mono’s certificate store with the system certificate store. It should run automatically when you install the official Mono packages. Make sure the ca-certificates-mono package is installed.

so a question would be how you installed Mono. I can’t help much on directions, as I don’t have a Mac.

The Mono project references are probably referring to their own Download page. Maybe a third option.

Make sure that the mono you got or macOS gave is at least version 5 (soon 5.10) in mono --version.

1 Like

Thanks @ts678 - that was indeed the solution.
But to learn something:
I want to understand, where do you get the information, that the source has changed?

I’m struggeling to find the cacert.pem because (for me - a normal user) there is no destination path in the curl command. So where does it downloaded/stored?

For now I just believed your statement - changed the URL - everythings works. :ok_hand: :+1:

That the world changes on a daily basis is obligatory - but two main questions remain (again - for me - a normal user!)
First - why has nobody changed the documentation in the tool after nearly a half year?
As easy I changed the command it’s also easy within the tool?!?

Second - why can’t that (cacert.pem installation) be done within the installer? Thats honestly what I expected of a professional tool. Everything a user needs to run a tool MUST be delivered within the installer. Thats the usecase for a installer. Providing normal users simple solutions to run apps.

It seems that I run mono on version 6.12

maddeen@da3m0n ~ % mono --version
Mono JIT compiler version 6.12.0.107 (2020-02/a22ed3f094e Wed Oct 28 07:48:22 EDT 2020)

Web research, probably including opening a browser to https://curl.haxx.se then seeing it redirect me.
After that, testing the old curl line, reading man curl, and seeing line doesn’t ask to handle a redirect.
I wrote up the findings earlier here.

I don’t understand. The path isn’t built-in, it’s supplied to the command, and you changed what you gave.

Nobody reported an issue. Would you like to report it? File it here. Unfortunately might have missed Beta.
The current Beta was released in January 2020. The release rates (and everything) are resource-limited.

It’s not so much the change as the entire release process takes planning, work, and phased testing. The “safer” changes like messages accumulate along with less safe changes, and all are tested as a bundle.

If you want the latest changes plus possible breakage, a Canary release is more frequent than the Beta.
Forum Releases category has the announcements. There’s a Canary release today. Beta may be soon. That post gives a view of how a phased release is done, rather cautiously, to avoid unwanted breakages.

Sometimes there’s not much of an installer. Some Linux OS can run a script. I’m not sure about macOS. There’s more of an installer than there used to be (thanks to Catalina security), but I’m not familiar with it.

Another view is mono should take of this, and application shouldn’t have to. Please see me quoting mono:

The final sentence is possibly the hole some people are falling into. The mono package comes in different subsets, somewhat described at Download, and not all have ca-certificates-mono. You can ask your OS whether you have that, although mono packaging may vary from OS to OS, so it’s hard to figure out…

I don’t have a Mac, but you can post everything you know about how you installed mono, and maybe some person familiar with the area can help here. Duplicati’s manual only talks about a .pkg file and Homebrew.
I suppose you could see if you have a cert-sync command on your system as part of your mono install…

Not exactly. Most systems have ways for an installation package to say what things it requires, so the OS can then get them. The end result is similar. On Linux, one possible improvement would be to require ca-certificates-mono be ensured available (which might solve the certificate issue, per mono document), however I don’t know why the Duplicati manual didn’t originally list that under its Prerequisites. Possibly it should, and the automated version of the prerequisites should also be made. Feel free to suggest this as an Issue which development can look into, as time permits. There’s more to do than volunteers to do it…

EDIT:

There’s an issue in today’s Canary that might cause a new one. A message fix is waiting to be accepted.

1 Like

Thanks for the detailed information.
Seems that there are just different expectations for development.

I’m responsible (project lead) for different apps at my work, and - what I said above - are my personal expectations to my dev team to keep up a high user acceptance

  1. Validate installation guides on EVERY new release - no matter if its a canary, beta or stable. Review your documentary - always.

  2. Never plan such a lot of canary releases without building another beta.
    Currently from 2.0.5.102 to 2.0.5.113 are 10 canary releases but not even one new beta.
    As you said correctly - the beta is over one year old. A lot of bugs in the beta are already fixed but there is no new beta :frowning:
    Users still need to search for the fixes over a lot of topics in the forum. e.g. DynamicLoader-Issue.

  3. Always provide anything a user needs to run your application. As I said - there is no difference if I need to run a cmd or if the correct cacert.pem is provided by the tool.

But to be honest - it was not “smart” to deprecated a stable release and cancelling the support to it but on the other hand doesn’t have a stable replacement.
Hopefully there will be a stable release soon. Thanks again - have a nice weekend.

Expectations are good. What would you do if you had a tiny fraction of the people you currently have?

There is a real shortage of volunteers here, and without people to do the work, things are sub-optimal.
If you would like to help, help is needed in pretty much all areas. You need docs read? Volunteer to do.
Some other things need more skills or experience. As a lead, you know about that challenge, I’m sure.

There is a wish for frequent Beta releases (and for Stable), but all of this is constrained by resources.

The need to search the forum is a tough one, but has been discussed. What is your solution for this? Previously, the idea of a knowledgebase of typical issues arose, but a study of sampled forum topics concluded that many of the topics were pretty unique. Even if someone wrote up common ones, user searching would probably still be required in potentially yet another information repository to maintain.

Duplicati FAQ is an old one that predates the forum and the manual, and probably isn’t well-used now. Reading through a linear list of topics also doesn’t scale well. I thought perhaps a new forum category would provide a more contemporary answer, and allow easier searching and linking, but it needs help.

If you’re referring to Duplicati 1.3.4 from 2013, Block-based storage engine explains the issues it had. Developing the replacement system was apparently too much for one part-time developer to do while simultaneously giving first-class support on the old one. Another example of the resource limitation…

2 Likes

2.0.5.114_canary_2021-03-10 releases message change piggybacked on an urgent fix.
That’s three day turnaround after your testing. Now we continue on path to next Beta…

1 Like