Duplicacy with minio and SSL

Hi, I just started a trial of Duplicacy GUI running on Windows 10. I am currently using Duplicati with minio and have it working successfully but I’d like to see if Duplicacy can replace it. However, I am having trouble configuring Duplicacy to work with my minio server. My minio server is running on another computer on the network and is secured using a self-signed certificate. This is working in Duplicati. In Duplicati I have the accept-any-ssl-certificate advanced option set.

Here is what I entered for Duplicacy config:
Region: default
Endpoint: 192.168.1.45:9001
Bucket: TestBucket
Directory: TestDirectory
Access ID: ABC
Access key: DEF

The Access ID and key are copied and pasted from my Duplicati config. I have tried with the Use TLS checkbox checked and unchecked.

When checked, I get “ERROR RequestError: send request failed” when I try to go to the next setup screen.

When Use TLS is unchecked, I get to the next screen where I enter a Repository ID and storage password. I enter these values and click Done and then get “ERROR Failed to configure the storage: Forbidden: Forbidden”.

I looked around on the machine for a log file that might have more detail on the error but couldn’t find one. I’m not sure what I’m doing wrong here. Could someone point me in the right direction?

Thanks very much!

I would start with running duplicacy from the command line with the -d flag to initialize the storage. This will enable verbose logging to the console and should perhaps help triage it further.

1 Like

That helped @saspus, thank you! The error it shows is “x509: certificate signed by unknown authority”. So I’m guessing Duplicacy does not work with self-signed certs? If that’s the case it would mean that I can’t use it to back up to a remote computer over the internet since the channel would not be secure? Or is it ok if I use the Duplicacy encryption?

This would be a question for @gchen to clarify whether it is a bug (i.e. self-signed certs should be allowed with a warning, and whether duplicacy has any control over it), but I’d guess that since it is using the OS API, as long as that self-signed certificate is trusted by your OS it shall be OK. (On macOS this means explicitly trusting it in the keychain).

If that does not work on Windows (not sure if it is any different), you can always deploy your own PKI and import your own Root CA (e.g. via easy-rsa). It will then be indistinguishable from commercial certificates and frankly easier to manage if you have more than one self-signed certificate to deal with.

Yes, all encryption occurs client-side; the private key never leaves the client machine. So you don’t really need to encrypt traffic in my opinion.

1 Like

Duplicacy doesn’t have control over the certificates. It is the Go http library that determines where to look for those certificates (usually under the OS-specific locations).

You can use the prefix minio:// for the storage url to avoid https connections.

2 Likes
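The two replies above come down to one mechanism: Duplicacy hands the connection to Go's TLS client, and that client trusts only the roots in its pool, so a server certificate signed by an unknown root fails with "x509: certificate signed by unknown authority" until the signing root is added to the trusted set. The following is an added example written for this thread, not code from Duplicacy, minio or the forum posters. It builds a throwaway private root CA (the role easy-rsa plays in the suggestion above), has it sign a server certificate, and runs one HTTPS request twice: once with a client that has not imported the root, once with a client that has. The CA name, server name and the 127.0.0.1 listener are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a certificate from tmpl signed by parent with parentKey, or a
// self-signed certificate when parent is nil. Returns DER bytes and the new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	return der, key, err
}

// buildPKI models a private root CA that signs the minio server's certificate.
// Both names are constructed for this example.
func buildPKI() (caCert *x509.Certificate, server tls.Certificate, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Home Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	if caCert, err = x509.ParseCertificate(caDER); err != nil {
		return nil, tls.Certificate{}, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "minio.example.local"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// httptest listens on 127.0.0.1, so the leaf needs that IP as a SAN
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	srvDER, srvKey, err := issue(srvTmpl, caCert, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return caCert, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}, nil
}

// probe performs one HTTPS GET against a local server presenting serverCert,
// trusting only the roots in pool. It returns the HTTP status on success and,
// on failure, whether the error was the unknown-authority error from the thread.
func probe(serverCert tls.Certificate, pool *x509.CertPool) (status int, unknownAuthority bool, err error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS()
	defer srv.Close()

	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		var uae x509.UnknownAuthorityError
		return 0, errors.As(err, &uae), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, false, nil
}

func main() {
	caCert, serverCert, err := buildPKI()
	if err != nil {
		panic(err)
	}
	// 1. Client has not imported the root: same failure duplicacy -d reported.
	_, unknown, err := probe(serverCert, x509.NewCertPool())
	fmt.Printf("root not trusted -> unknownAuthority=%v err=%v\n", unknown, err)
	// 2. Client trusts the private root CA: the handshake succeeds.
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	status, _, err := probe(serverCert, pool)
	fmt.Printf("root imported    -> status=%d err=%v\n", status, err)
}
```

Run it with `go run` on any machine; no network access is needed. The in-memory pool in the second call stands in for the OS trust store that Go's http library consults by default, which is why importing the root CA into the Windows or macOS store (rather than switching off verification) is what makes the real Duplicacy client accept the minio server.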

Thanks @saspus and @gchen. I can try with minio:// to avoid https. However, I found the following info via Google about accessing minio over the internet without https:

“If you decide not to [secure minio using https] your ‘AccessKey’ will be revealed to the public in the HTTP headers. While ‘SecretKey’ is not travelling directly in the stream, people with enough computing resource can relatively easily deduce it from your network traffic, which means they could be able to gain access to and delete your backup files. A valid SSL certificate not only encrypts your whole traffic between the client and the server, but also guarantees that the host you are talking to is actually the host who owns the DNS name you are connecting to so you are not uploading backup files to an unknown server.”

That quote is from this post: Setting up self-hosted Minio on Windows 10 with automatically renewing SSL certificate - How-To - Duplicati

I’m going to try the SSL certificate instructions there and see if it works with Duplicacy.

While technically true, why would anyone go through all that hassle just to delete your backup files? Does not sound plausible at all, unless as an evil prank 🙂

The point is that Duplicacy is using OS facilities to work with encryption, so whatever works with Windows should be fine.

I sort of suspect it is impossible to make a self-signed certificate trusted on Windows (Edge keeps nagging me about my self-signed ones every time), but if you import your Root CA into the Trusted System Certificates zone all should work fine.

I would advise against using ACME/Let’s Encrypt, because it does not add any value for you and yet adds the hassle of periodic renewals. In addition, both of my firewalls have recently started marking Let’s Encrypt certificates as a “security event”. Not an issue, but meh…

1 Like