SSL TLS support in Mono
If you are using a cloud-based service as the destination of your backups, such as Amazon S3, OneDrive, CloudDrive etc, you will need a set of trusted root certificates in Mono.
Various versions of Mono and various Linux distributions have different ways of setting up support for SSL. This document collects instructions, by distribution, for installing and debugging SSL with Duplicati.
Technical note: Secure Sockets Layer (SSL) has now largely been replaced by Transport Layer Security (TLS), but for historical reasons https connections are commonly referred to as SSL connections, even if they are TLS.
Since Mono 3.12.0 (Jan. 2015) SSL support should "just work" with Mono. It should work such that your operating system's list of trusted certificates is also trusted by Mono, and thus the list is always up to date.
Sadly, that is not always the case.
Duplicati includes the Mono tool tlstest for debugging SSL connections.
You can test if SSL is working correctly with two commands:
mono TlsTest.exe --web https://github.com
mono TlsTest.exe --stream https://github.com
If you get no errors, SSL is working for you. You can replace the target URL to see if you get errors when you point to the service that you are using.
Failed responses usually end with:
Error #-2146762486: CERT_E_CHAINING 0x800B010A
This is a compiled list of instructions for getting SSL certificates working.
Installing the ca-certificates-mono package will add certificates. If possible, use the Mono supplied Debian packages instead of the Mono packages in APT, as the latter are really outdated. If you install the packages from the Mono repository, they generally fix the certificate issues automatically.
If that is not an option, the release notes from Mono suggest running cert-sync:
sudo cert-sync /etc/ssl/certs/ca-certificates.crt
If things still do not work, you can experiment with the environment variable:
MONO_TLS_PROVIDER=legacy
You need at least the mono-runtime package and in some cases libmono-system-net-http4.0-cil to get SSL/TLS working.
The bundled mozroots.exe tool imports certificates from Mozilla, and can help with the older versions:
sudo mono mozroots.exe --import --sync
On some setups, mozroots fails to download the list, ironically because the links require SSL which is not working.
In this case, you can work around the issue by downloading the list manually:
wget -O certdata.txt "http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
If you do not have wget, but curl instead, use:
curl -o certdata.txt "http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
Then use mozroots with the --file option:
sudo mono mozroots.exe --import --sync --file certdata.txt
The default Mono version is 3.2.8, which can run Duplicati, but lacks the cert-sync tools. Uninstall any Mono packages and then use the Mono supplied Debian packages, which will give you the latest version of Mono and the ca-certificates-mono package which fixes SSL.
The default Mono version is 2.10.8, which is too old to run Duplicati. Uninstall any Mono packages and then use the Mono supplied Debian packages, which will give you the latest version of Mono and the ca-certificates-mono package which fixes SSL.
The release notes from Mono suggest running cert-sync:
sudo cert-sync /etc/pki/tls/certs/ca-bundle.crt
First, make sure FreeBSD actually has some recent CA certificates:
pkg install ca_root_nss
Then sync the certificates with Mono:
cert-sync /usr/local/share/certs/ca-root-nss.crt
Log in and type:
sudo /usr/local/AppCentral/mono/bin/cert-sync /etc/ssl/certs/ca-certificates.crt
On Mono version 5.8.1.0.r6 the following command works:
sudo mono /usr/local/AppCentral/mono/lib/mono/4.5/cert-sync.exe /etc/ssl/certs/ca-certificates.crt
The cert-sync tool works on Synology, but it is not linked correctly, so you need to supply the full path:
sudo /var/packages/Mono/target/usr/local/bin/cert-sync /etc/ssl/certs/ca-certificates.crt
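The cert-sync steps above differ mainly in where the CA bundle and the cert-sync binary live. The following shell helper is an added example, not Duplicati or Mono code: it probes the bundle and cert-sync paths listed on this page, skips a bundle that contains no PEM certificates, and prints the command to run. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Duplicati or Mono code. All paths are the ones this page lists.
# The optional first argument is a hypothetical root prefix for probing a test tree.

BUNDLES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt"

CERT_SYNC_PATHS="/usr/local/AppCentral/mono/bin/cert-sync
/var/packages/Mono/target/usr/local/bin/cert-sync"

# Count PEM certificates in a bundle file (prints 0 for an empty bundle).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the first readable bundle that holds at least one certificate.
find_ca_bundle() {
    for b in $BUNDLES; do
        if [ -r "${1:-}$b" ] && [ "$(count_certs "${1:-}$b")" -gt 0 ]; then
            printf '%s\n' "${1:-}$b"
            return 0
        fi
    done
    return 1
}

# Print the cert-sync to call: the one on PATH, else a full path from the page.
find_cert_sync() {
    if [ -z "${1:-}" ] && command -v cert-sync >/dev/null 2>&1; then
        command -v cert-sync
        return 0
    fi
    for p in $CERT_SYNC_PATHS; do
        if [ -x "${1:-}$p" ]; then
            printf '%s\n' "${1:-}$p"
            return 0
        fi
    done
    return 1
}

# Print, without running it, the sync command for this host (run it as root).
plan_sync() {
    bundle=$(find_ca_bundle "${1:-}") || { echo "no usable CA bundle" >&2; return 1; }
    tool=$(find_cert_sync "${1:-}") || { echo "cert-sync not found" >&2; return 1; }
    printf '%s %s  # %s certificates\n' "$tool" "$bundle" "$(count_certs "$bundle")"
}
plan_sync "${1:-}" || true
```

After running the printed command, repeat the two TlsTest.exe checks from the top of the page to confirm the chain now validates.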