
OAuth connection test for Amazon Cloud Drive fails with SSL error on QNAP NAS #2431

Closed
2 tasks done
ElRico opened this issue Apr 13, 2017 · 8 comments

Comments

ElRico commented Apr 13, 2017

I have:

  • searched open and closed issues for duplicates
  • tested my SSL/TLS configuration with TlsTest.exe

Version info

Duplicati Version: 2.0.1.53_experimental_2017-03-13
Operating System: QNAP firmware 4.2.4 Build 20170313
Mono: QMono 4.6.2.7
Backend: Amazon Cloud Drive

Bug description

When I create a new backup with Amazon Cloud Drive as the backend and test the connection, it fails with the SSL error described below. I did import the Mozilla CA certificates via mozroots.exe and I have successfully checked SSL/TLS functionality via TlsTest.exe (see debug log section). I assume the 403 error on the web test of drive.amazonaws.com is expected, since I'm not calling any API endpoint. Setting export MONO_TLS_PROVIDER=legacy did not fix the issue either. There appear to be possibly related issues on Synology NAS devices: #2412 and #2258.

Steps to reproduce

  • Create a new backup
  • Select Amazon Cloud Drive as backend
  • Enter path and Auth ID
  • Click on Test Connection

Actual result: The error message in the debug log section.
Expected result: A successful connection test.

Debug log

The error message:

Duplicati.Library.Utility.SslCertificateValidator+InvalidCertificateException: The server certificate had the error RemoteCertificateChainErrors and the hash 0047308A604D6C0206590E8BCED45041E8C5D2A1
If you trust this certificate, use the commandline option --accept-specified-ssl-hash=0047308A604D6C0206590E8BCED45041E8C5D2A1 to accept the server certificate anyway.
You can also attempt to import the server certificate into your operating systems trust pool.
You may want to import a set of trusted certificates into the Mono certificate store.
Use the command:
cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems
cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives
Read more: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
  at Duplicati.Library.Utility.SslCertificateValidator.Deactivate () [0x00048] in <df389ec2993a4c5d84cc50d023650ee9>:0
  at Duplicati.Library.Utility.SslCertificateValidator.Dispose () [0x0000b] in <df389ec2993a4c5d84cc50d023650ee9>:0
  at Duplicati.Library.Modules.Builtin.HttpOptions.Dispose () [0x0003e] in <aa6ffe4eb9c34c81a1cb8f93ea411ac4>:0
  at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.TestConnection (System.String url, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x001c3] in <ea04d3246d8b40a8b87fd599cff89cc3>:0
  at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.POST (System.String key, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x000af] in <ea04d3246d8b40a8b87fd599cff89cc3>:0
  at Duplicati.Server.WebServer.RESTHandler.DoProcess (Duplicati.Server.WebServer.RESTMethods.RequestInfo info, System.String method, System.String module, System.String key) [0x002ad] in <ea04d3246d8b40a8b87fd599cff89cc3>:0

TlsTest.exe output:

[/share/MD0_DATA/.qpkg] # Qmono/bin/mono Duplicati/Duplicati/utility-scripts/TlsTest.exe --stream https://drive.amazonaws.com

https://drive.amazonaws.com
[/share/MD0_DATA/.qpkg] # Qmono/bin/mono Duplicati/Duplicati/utility-scripts/TlsTest.exe --web https://drive.amazonaws.com

https://drive.amazonaws.com
FAILED: #-2146233079
System.Net.WebException: The remote server returned an error: (403) Forbidden.
  at System.Net.HttpWebRequest.EndGetResponse (System.IAsyncResult asyncResult) [0x00064] in <bd46d4d4f7964dfa9beea098499ab597>:0
  at System.Net.HttpWebRequest.GetResponse () [0x0000e] in <bd46d4d4f7964dfa9beea098499ab597>:0
  at TlsTest.GetWebPage (System.String url) [0x0009e] in <ada6ab32a8944bbd9818de7a9a9a8112>:0
  at TlsTest.Main (System.String[] args) [0x0029c] in <ada6ab32a8944bbd9818de7a9a9a8112>:0
[/share/MD0_DATA/.qpkg] # Qmono/bin/mono Duplicati/Duplicati/utility-scripts/TlsTest.exe --web https://github.com

https://github.com
[/share/MD0_DATA/.qpkg] # Qmono/bin/mono Duplicati/Duplicati/utility-scripts/TlsTest.exe --stream https://github.com

https://github.com
@kenkendk (Member)

The OAuth part is using https://duplicati-oauth-handler.appspot.com, so you can use TlsTest.exe against that.

On Synology, I was able to fix it by using:

cert-sync /etc/ssl/certs/ca-certificates.crt

But I had to dig a little to find cert-sync.


ElRico commented Apr 19, 2017

Running TlsTest.exe on https://duplicati-oauth-handler.appspot.com returns the error described in the wiki.

[/share/MD0_DATA/.qpkg] # Qmono/bin/mono Duplicati/Duplicati/utility-scripts/TlsTest.exe --stream https://duplicati-oauth-handler.appspot.com

https://duplicati-oauth-handler.appspot.com
[Subject]
  CN=*.appspot.com, O=Google Inc, L=Mountain View, S=California, C=US

[Issuer]
  CN=Google Internet Authority G2, O=Google Inc, C=US

[Not Before]
  4/12/2017 3:32:46 PM

[Not After]
  7/5/2017 3:28:00 PM

[Thumbprint]
  833BFC331AB9A0DFDCE5806AE6BC27C8BA2199F3


        Valid From:  4/12/2017 3:32:46 PM
        Valid Until: 7/5/2017 3:28:00 PM

Error #-2146762486: CERT_E_CHAINING 0x800B010A

Alas, neither mozroots nor cert-sync is fixing this. What is weird is that certmgr claims that the CA certificate signature is invalid:

[/share/MD0_DATA/.qpkg] # Qmono/bin/certmgr -ssl -v https://duplicati-oauth-handler.appspot.com
Mono Certificate Manager - version 4.6.2.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing certificates from 'https://duplicati-oauth-handler.appspot.com' into the user stores.

X.509 Certificate v3
   Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
   Issued to:   C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
   Valid from:  5/21/2002 4:00:00 AM
   Valid until: 8/21/2018 4:00:00 AM
   *** WARNING: Certificate signature is INVALID ***
Import this certificate into the CA store ?n
Certificate not imported into store CA.

No certificate were added to the stores.

In either case this doesn't look like an issue specific to Duplicati, so I'm closing this.

@ElRico ElRico closed this as completed Apr 19, 2017

ElRico commented Apr 20, 2017

For future reference, I've kinda figured this out. Using openssl s_client -connect duplicati-oauth-handler.appspot.com:443, I saw that the certificate chain included a retired Equifax certificate as root. Since it is not being distributed anymore, I got hold of a copy from this page and added it to the machine trust store via certmgr -add -c -m Trust Equifax.crt. Why this is still required I can't say.
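
Both fixes discussed in this thread (importing the right CA with cert-sync or certmgr, and the retired cross-signing root at the end of the served chain) come down to one question: can the verifier link the leaf certificate to something in its trust store. The script below is an added example, not Duplicati code and not something posted by any participant here. It requires only the openssl CLI, constructs every certificate itself (the subject names are hypothetical), and never touches the network. It shows the chain failing when the root is missing from the store, passing once the root is imported, and, for the cross-sign situation, how a verifier that insists on reaching a self-signed root fails even when a closer CA is trusted, while one that accepts a partial chain (OpenSSL's -partial_chain) succeeds. It also prints the SHA-1 thumbprint in the form Duplicati quotes in its error text.

```shell
#!/bin/sh
# Added example, not part of Duplicati or of this issue thread.
# Builds a throwaway chain root -> intermediate -> leaf with the openssl CLI and
# verifies the leaf against different trust stores. Every certificate is constructed
# here; the names are hypothetical and nothing is fetched from the network.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to do" >&2; exit 0; }

WORK="$(mktemp -d)"

# CA extensions: without basicConstraints CA:TRUE, openssl verify refuses to treat a
# v3 certificate as an issuer, so the intermediate and both roots get them explicitly.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# new_csr STEM CN: fresh RSA key plus CSR for a constructed subject.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_chain() {
  new_csr root      "Example Root CA"
  new_csr int       "Example Intermediate CA"
  new_csr leaf      "oauth.example.test"
  new_csr unrelated "Example Unrelated Root CA"
  # self-signed roots
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/unrelated.csr" -signkey "$WORK/unrelated.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/unrelated.crt" >/dev/null 2>&1
  # intermediate signed by the root
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  # leaf signed by the intermediate
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# verify_leaf BUNDLE [extra openssl verify flags]: prints "ok" or "fail".
# The intermediate is supplied as untrusted, the way a server sends it; only BUNDLE
# decides what is trusted (the constructed roots are not in the system store).
verify_leaf() {
  bundle="$1"; shift
  if openssl verify -CAfile "$bundle" -untrusted "$WORK/int.crt" "$@" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# thumbprint CERT: SHA-1 fingerprint as upper-case hex without colons, the form used
# by Duplicati's --accept-specified-ssl-hash option and its error message.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g'
}

build_chain
cp "$WORK/unrelated.crt" "$WORK/store-without-root.pem"  # store that lacks the chain's root
cp "$WORK/root.crt"      "$WORK/store-with-root.pem"     # store after the root was imported

echo "root missing from store:            $(verify_leaf "$WORK/store-without-root.pem")"
echo "root present in store:              $(verify_leaf "$WORK/store-with-root.pem")"
echo "only intermediate trusted, strict:  $(verify_leaf "$WORK/int.crt")"
echo "only intermediate trusted, partial: $(verify_leaf "$WORK/int.crt" -partial_chain)"
echo "leaf SHA-1 thumbprint:              $(thumbprint "$WORK/leaf.crt")"
```

The third and fourth lines of output are the interesting ones for this thread: a trust store that holds a CA from the middle of the served chain is enough for a verifier that accepts partial chains, but a verifier that must reach a self-signed root will report a chain error until that last root is present in its store. Importing the missing CA, as cert-sync and certmgr do, fixes the chain for every host signed under it; accepting a specific thumbprint only pins one leaf certificate and has to be redone when that certificate rotates.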

@Thenollyon

After struggling with this on my Synology, I was finally able to get this to work with the cert-sync suggestion. My trouble was that I didn't perform the step as sudo. Perhaps this was the wrong approach?

sudo /var/packages/Mono/target/usr/local/bin/cert-sync /etc/ssl/certs/ca-certificates.crt

I could run cert-sync after connecting via ssh, but looking closely at the verbose import, there were errors during the cert-sync process. Once I ran cert-sync as sudo, I saw a successful import. Duplicati is now working with Amazon Cloud correctly. I was able to remove "accept any ssl" and I am no longer getting the Not Allowed error.

Running a backup now... Will report if I get any other errors.


ElRico commented Apr 22, 2017

Thanks for the tip, @Thenollyon. I was running cert-sync as root, so on the QNAP that wouldn't fix the issue I'm afraid.

@kenkendk (Member)

@ElRico appspot.com is run by Google, so I would assume they are not using expired certificates?


ElRico commented Apr 24, 2017 via email


rodalpho commented Oct 8, 2017

This still isn't fixed; I just hit the issue today. Importing the Equifax cert addressed it, but this should be clearly documented so others don't have to visit this GitHub issue to get Duplicati working.
