Windows Server issue? “The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”

Hi,

I'm new to Duplicati and have already done some testing. I don't think it's a Duplicati issue, but maybe you have some helpful hints.

I want to run it on a Windows Server 2012 and back up to a Nextcloud via WebDAV.

While testing the connection it says: “Failed to connect: Die Anfrage wurde abgebrochen: Es konnte kein geschützter SSL/TLS-Kanal erstellt werden…” (“The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”)

installed: 2.0.6.3_beta_2021-06-17

But some side facts:
(WebClient service is running)
Connection with Windows Explorer doesn't work either
but connection with WinSCP to WebDAV: works
Connection from Win10 client in the same network with the same Duplicati setup: works

I would appreciate any advice.

Hello

Are you talking about Server 2012 (the obsolete one) or Server 2012 R2 (the soon to be obsolete)? If it’s the former, I’m not sure there is anything that can be done. If the latter, try to check your connection using PowerShell with something like this:

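[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12   # offer TLS 1.2 only
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }   # accept any certificate (session-wide, diagnostic use only)
$wc = New-Object System.Net.WebClient
$wc.OpenRead("https://yourserver/yourpath")   # throws if the TLS handshake or the HTTP request fails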

A third-party client like WinSCP uses a TLS stack independent of the OS, while Duplicati, based on MS tools, is using the OS stack.
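
An added example, not part of any post in this thread: a PowerShell probe that attempts one handshake per protocol version through the OS (Schannel) stack while leaving certificate validation on, so a trust failure and a protocol or cipher mismatch can be told apart. The function name `Test-TlsHandshake` is hypothetical and `yourserver` is the placeholder used in the snippet above.

```powershell
# Added example (not from the thread). 'yourserver' is a placeholder host name.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Protocols) {
        $proto  = [System.Security.Authentication.SslProtocols]$name
        $result = [ordered]@{ Protocol = $name; Outcome = ''; Cipher = ''; Detail = '' }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($HostName, $Port)
            # No validation callback is supplied, so the default Windows chain
            # and host-name checks stay in force for every attempt.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            # Last argument: revocation checking off, matching the WebClient default.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $result.Outcome = 'OK'
            $result.Cipher  = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength) $($ssl.KeyExchangeAlgorithm)"
            $ssl.Dispose()
        }
        catch {
            # PowerShell wraps .NET exceptions; walk down to the innermost one,
            # which carries the SSPI or certificate reason.
            $e = $_.Exception
            while ($e.InnerException) { $e = $e.InnerException }
            $result.Outcome = 'FAILED'
            $result.Detail  = "$($e.GetType().Name): $($e.Message)"
        }
        finally {
            $tcp.Close()
        }
        [pscustomobject]$result
    }
}

Test-TlsHandshake -HostName 'yourserver' | Format-Table -AutoSize -Wrap
```

If every protocol row fails with an SSPI or transport error rather than a certificate error, the mismatch is in the protocol versions or cipher suites the two ends offer, not in certificate trust.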

Yes, of course 2012 R2

thanks, will check it later

“Die Anfrage wurde abgebrochen: Es konnte ein geschützter SSL/TLS-Kanal erstellt werden…”
(the request was aborted: A protected SSL/TLS channel could be created…)

Any clues in Event Log when it fails, e.g. in System log, Schannel source? You could even set a filter.
Is the NextCloud system yours? Do you know what OS and web server it uses? Can you administer?
Is it on the Internet? If so, you likely need TLS 1.2. If not on Internet, using something older might do.

This seems to mean that there is disagreement about TLS between this system and the remote end.
Schannel is Windows’ TLS path. .NET Framework also uses it, and Duplicati uses .NET Framework.
Are you by any chance ready to use Wireshark? That would likely give a good view, but it’s involved.


If it’s with the code snippet I posted, I can only generate an error if I specify TLS13. It’s failing on a WebDAV server but with a 401 error, not a TLS error. There must be something problematic on your system, is it fully updated? Can you try to visit a known good SSL site (try ssllabs.com) with Internet Explorer and see what is displayed if you click the cert icon?


Yes, Internet Explorer may be a good hint. I forgot this was part of the system… I can't even reach the website with it (TLS 1.2 is activated) - I'm searching…

OK, found a similar case with some other software - the (web) server seems not to support the TLS ciphers from the 2012 R2 - and I'm not admin. (Every further action is not worth the effort on the 2012.)

Is there a chance to run Duplicati easily with its own TLS stack, not with the OS stack?

Not directly, but if Rclone WebDAV and its TLS stack works for you, Duplicati could use it.
