OAuth connection test for Amazon Cloud Drive fails with SSL error on QNAP NAS #2431
Comments
The OAuth part is using On Synology, I was able to fix it by using:
But I had to dig a little to find
Running TlsTest.exe on https://duplicati-oauth-handler.appspot.com returns the error described in the wiki.
Alas neither mozroots nor cert-sync are fixing this. What is weird is that certmgr claims that the CA certificate signature is invalid:
In either case this doesn't look like an issue specific to Duplicati, so I'm closing this.
For future reference, I've kinda figured this out. Using
After struggling with this on my Synology, I was finally able to get this to work with the cert-sync suggestion. My trouble was that I didn't perform the step as sudo. Perhaps this was the wrong approach?
I could run cert-sync after connecting to ssh, but looking closely at the verbose import, there were errors during the cert-sync process. Once I ran cert-sync as sudo, I saw a successful import. Duplicati is now working with Amazon Cloud correctly. I was able to remove accept any ssl and I am no longer getting the Not Allowed error. Running a backup now... Will report if I get any other errors.
Thanks for the tip, @Thenollyon. I was running cert-sync as root, so on the QNAP that wouldn't fix the issue I'm afraid.
@ElRico appspot.com is run by Google, so I would assume they are not using expired certificates?
The certificate is not expired per se, i.e. its expiry date hasn't passed yet. It might be a Mono specific issue, since cURL is happy to connect without the retired Equifax CA certificate.
This still isn't fixed-- just hit the issue today. Importing the Equifax cert addressed it, but this should be clearly documented so others don't have to visit this GitHub issue to get Duplicati working.
I have:
Version info
Duplicati Version: 2.0.1.53_experimental_2017-03-13
Operating System: QNAP firmware 4.2.4 Build 20170313
Mono: QMono 4.6.2.7
Backend: Amazon Cloud Drive
Bug description
When I create a new backup with Amazon Cloud Drive as the backend and test the connection, it fails with the SSL error described below. I did import the Mozilla CA certificates via mozroots.exe and I have successfully checked SSL/TLS functionality via TlsTest.exe (see debug log section). I assume the 403 error on the web test of drive.amazonaws.com is expected, since I'm not calling any API endpoint. Setting
export MONO_TLS_PROVIDER=legacy
did not fix the issue either. There appear to be possibly related issues on Synology NAS devices: #2412 and #2258.
Steps to reproduce
Actual result: The error message in the debug log section.
Expected result: A successful connection test.
debug log
The error message:
Duplicati.Library.Utility.SslCertificateValidator+InvalidCertificateException: The server certificate had the error RemoteCertificateChainErrors and the hash 0047308A604D6C0206590E8BCED45041E8C5D2A1
If you trust this certificate, use the commandline option --accept-specified-ssl-hash=0047308A604D6C0206590E8BCED45041E8C5D2A1 to accept the server certificate anyway.
You can also attempt to import the server certificate into your operating systems trust pool.
You may want to import a set of trusted certificates into the Mono certificate store.
Use the command:
cert-sync /etc/ssl/certs/ca-certificates.crt #for Debian based systems
cert-sync /etc/pki/tls/certs/ca-bundle.crt #for RedHat derivatives
Read more: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
  at Duplicati.Library.Utility.SslCertificateValidator.Deactivate () [0x00048] in <df389ec2993a4c5d84cc50d023650ee9>:0
  at Duplicati.Library.Utility.SslCertificateValidator.Dispose () [0x0000b] in <df389ec2993a4c5d84cc50d023650ee9>:0
  at Duplicati.Library.Modules.Builtin.HttpOptions.Dispose () [0x0003e] in <aa6ffe4eb9c34c81a1cb8f93ea411ac4>:0
  at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.TestConnection (System.String url, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x001c3] in <ea04d3246d8b40a8b87fd599cff89cc3>:0
  at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.POST (System.String key, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x000af] in <ea04d3246d8b40a8b87fd599cff89cc3>:0
  at Duplicati.Server.WebServer.RESTHandler.DoProcess (Duplicati.Server.WebServer.RESTMethods.RequestInfo info, System.String method, System.String module, System.String key) [0x002ad] in <ea04d3246d8b40a8b87fd599cff89cc3>:0
TlsTest.exe output: