[Guide] Install duplicati 2 in a jail in FreeNAS 9.3

Status
Not open for further replies.

Marc Allard

Explorer
Joined
Mar 16, 2014
Messages
56
Hello,

Now that MS Office Home comes with 1 TB of free space on OneDrive, I have decided to back up the very important data in one more place (on one computer, on an external HDD and now with a cloud storage provider).
To do that, I have installed Duplicati in a jail in FreeNAS 9.3, so in case someone is interested, here is how I did it.
There are probably better ways to do it.
Everything is done as root.

1) You must create a jail (standard) and go in the jail (jls and jexec X csh or jexec -name )

2) Install mono
pkg install mono
3) Install libiconv (needed for mono but it is not installed in step 1)
pkg install libiconv
4) You must import the certificates for SSL (or OneDrive will not work).
You can either add the option
--accept-any-ssl-certificate=True in your jobs (all of them)
or do
mozroots --import --sync
mozroots --import --ask-remove --machine
mozroots --import --sync --machine
certmgr -ssl -m https://onedrive.live.com

Perhaps some commands are not necessary but I did that and it is working.

5) Download Duplicati and uncompress it somewhere (I did it from Windows to test if it was working), then copy the directory into the jail.
6) Auto start duplicati
vi /etc/rc.local
#Add in the file
/usr/local/bin/mono /mnt/Duplicati/Duplicati.Server.exe --webservice-port=8200 --webservice-interface=any --webservice-password=secret_password &

#ESC :wq to leave vi

The & is necessary (or the jail will block the startup of the other jails).
chmod 755 /etc/rc.local (to make the file executable)

After that, from any computer you can connect to the IP of the jail (port 8200) and configure the jobs.
http://XXXXXXXX:8200
The password is the one specified on the command line (so secret_password).

I hope it will help someone in the same case as me.
Marc
 

BeeFGee

Dabbler
Joined
Apr 18, 2016
Messages
10
Thanks for this guide Marc! It helped me a lot. I did this with FreeNAS 9.10.2.

So here's my update on the procedure:
  1. Install a standard FreeNAS jail
  2. Install mono. Dependencies are resolved automatically
    pkg install mono
  3. Either run Duplicati with --accept-any-ssl-certificate=True, add this option in the backup job, or import SSL Certificates so Duplicati can connect to OneDrive:
    cert-sync /etc/ssl/cert.pem
    certmgr -ssl -m https://onedrive.live.com

    cert-sync replaced mozroots from the previous guide.
  4. Download & unzip duplicati, e.g. to /opt/duplicati
  5. Autostart duplicati by putting the following code in /etc/rc.local e.g. via vi /etc/rc.local:
    Code:
    /usr/local/bin/mono /opt/duplicati/Duplicati.Server.exe --webservice-port=8200 --webservice-interface=any &
  6. Go to http://<your-ip>:8200/ and set a configuration password and configure jobs.
 

BetYourBottom

Contributor
Joined
Nov 26, 2016
Messages
141
I like this tutorial but I'm having trouble with adding my cert. I want to use Google Drive but I keep getting the message "Certificate Signature is INVALID".

I remember it working with the old mozroots method but I'm a little concerned with the idea of adding tons of certs that are unnecessary for this to work.

EDIT: Even using the mozroots method isn't allowing it to work. No matter what, the cert is considered invalid and I can't connect to Google Drive.
 

BeeFGee

Dabbler
Joined
Apr 18, 2016
Messages
10
I configured a Google Drive test-backup with this configuration and it worked just fine. Do you have a proxy or firewall in between your duplicati machine and the internet?

If you're paranoid about adding all the CA certificates to your cert store, you can use certmgr like mentioned above to only add the ones you really need.
 

BetYourBottom

Contributor
Joined
Nov 26, 2016
Messages
141
I configured a Google Drive test-backup with this configuration and it worked just fine. Do you have a proxy or firewall in between your duplicati machine and the internet?

If you're paranoid about adding all the CA certificates to your cert store, you can use certmgr like mentioned above to only add the ones you really need.

No proxy, and I don't think any firewall that wouldn't be typical on a home setup.

My 2 issues with certmgr are that I get that "Certificate Signature is INVALID" message with it and I don't know of a good way to confirm the hash for it before accepting.
 

BeeFGee

Dabbler
Joined
Apr 18, 2016
Messages
10
Ah, you get the message with certmgr. Of course. If you didn't include the CA which signed the SSL certificate before, the signature will be invalid.

So if you still don't want to update the CA certificates, try this:

Browse to https://drive.google.com and check the site's certificate (e.g. in Chrome by pressing F12 for developer tools and choosing the "Security" tab).
There you can check the hash. But if you trust this one, you could also add the Root-CAs to your store and this would work out of the box on the duplicati system - which is a good idea, because the server certificate I checked is only valid for 2 months.
 

BetYourBottom

Contributor
Joined
Nov 26, 2016
Messages
141
Ah, you get the message with certmgr. Of course. If you didn't include the CA which signed the SSL certificate before, the signature will be invalid.

So if you still don't want to update the CA certificates, try this:

Browse to https://drive.google.com and check the site's certificate (e.g. in Chrome by pressing F12 for developer tools and choosing the "Security" tab).
There you can check the hash. But if you trust this one, you could also add the Root-CAs to your store and this would work out of the box on the duplicati system - which is a good idea, because the server certificate I checked is only valid for 2 months.

Well the way certmgr is showing things, it seems to show the highest level cert to the lowest. I know how to check the hash on Chrome but I can't get it to show via certmgr.

I'd love to add the Root-CAs but I don't know how, I thought that's what cert-sync or mozroots was supposed to do.

I've tried the cert-sync instructions, the mozroot instructions, and accepting all the certs that show up when I run certmgr on https://drive.google.com but none of those resolve this issue.

I tried using the Duplicati options but after setting it to accept the first hash, it had another hash that caused issues. The only method that can get it to work is accept-any-ssl-certificate, however, that seems like a nasty way of fixing things and rather insecure.
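
Added example (not part of any post in this thread): one way to read the SHA-256 fingerprint of every certificate in a served chain from inside the jail, so each can be compared with the value the browser shows before anything is imported. It assumes the `openssl` command-line tool is available; the function names, file names and the constructed test certificate are hypothetical.

```shell
#!/bin/sh
# Added example: read certificate fingerprints with openssl so they can be
# compared with a value obtained out of band (e.g. the one the browser shows).

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the PEM certificate in file $1.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the certificate in $1 has the expected fingerprint $2.
verify_cert_fp() {
    actual=$(normalize_fp "$(cert_fp "$1")")
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$2")" ]
}

# Split a PEM bundle $1 (such as "s_client -showcerts" output) into
# $2/cert1.pem, $2/cert2.pem, ... in the order the server sent them.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Constructed sample input: a throwaway self-signed certificate written to $1.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Live use inside the jail (needs network access, so it is not run here):
#   openssl s_client -connect drive.google.com:443 \
#       -servername drive.google.com -showcerts </dev/null >chain.txt 2>/dev/null
#   mkdir chain && split_chain chain.txt chain
#   for c in chain/*.pem; do openssl x509 -in "$c" -noout -subject; cert_fp "$c"; done
```
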
 

BeeFGee

Dabbler
Joined
Apr 18, 2016
Messages
10
This is really strange. One more thing I can think of: certmgr is just importing the system's certs to the mono cert store. So if your system certs are not up2date, this might cause the problems. However, mozroots should download the certs and then include them - so dunno if this helps, but you might give it a shot.
ca_root_nss contains the Mozilla CA certs and they will be installed in the /etc/ssl/cert.pem file. I'm using v3.29 of ca_root_nss. So either install or update it with pkg
Cmds have to run in the jail of course...
# Install the package / not necessary if installed
pkg install ca_root_nss
# Update pkg database and upgrade all packages
pkg update && pkg upgrade
 

BetYourBottom

Contributor
Joined
Nov 26, 2016
Messages
141
# Install the package / not necessary if installed
pkg install ca_root_nss
# Update pkg database and upgrade all packages
pkg update && pkg upgrade

I've checked and ca_root_nss is installed by default and the commands that I run on my first try make sure that it's already up to date. So it's not that that is causing the issue.

I've also tried manually dumping the certs via Windows and the F12 menu in Chrome. Then importing the cert files directly and it still hates Google.
 

NationalJohnsO

Dabbler
Joined
Dec 28, 2016
Messages
10
Thanks for the install guide. I am having trouble with the Google Drive cert now and don't want to use accept-any.

When I run cert-sync /etc/ssl/cert.pem I get the following errors for all the certificates:

Code:
Warning: Could not import C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
System.PlatformNotSupportedException: Operation is not supported on this platform.
  at System.Security.Cryptography.X509Certificates.X509Helper2.GetSubjectNameHash (System.Security.Cryptography.X509Certificates.X509CertificateImpl impl) [0x00000] in <65d66c5eaa6a48038257422d3c294dab>:0
  at System.Security.Cryptography.X509Certificates.X509Helper2.GetSubjectNameHash (System.Security.Cryptography.X509Certificates.X509Certificate certificate) [0x00006] in <65d66c5eaa6a48038257422d3c294dab>:0
  at Mono.Security.X509.X509Store.ImportNewFormat (Mono.Security.X509.X509Certificate certificate) [0x0000c] in <11d29b2234814f928385c7f3dec82910>:0
  at Mono.Security.X509.X509Store.Import (Mono.Security.X509.X509Certificate certificate) [0x00019] in <11d29b2234814f928385c7f3dec82910>:0
  at Mono.Tools.CertSync.ImportToStore (Mono.Security.X509.X509CertificateCollection roots, Mono.Security.X509.X509Store store) [0x00054] in <d77a5a10d8a742e3a2d75d51c7ceb6fc>:0



How do I fix this?
 

ajdales

Cadet
Joined
Apr 24, 2015
Messages
7
Hi Marc, thanks for the guide. I can't honestly say it has helped me yet (I have only discovered Duplicati recently) but this guide will probably help me to set up my backups. I am wondering if you have switched to FreeNAS 11 yet and if you would do things differently (with bhyve) or not.

Thanks André
 

JoeB

Contributor
Joined
Oct 16, 2014
Messages
121
Anyone know how to import the Backblaze-B2 cert? No matter what option I start with, I get a "RemoteCertificateChainErrors" message when testing the connection.


EDIT: Seems to be a bug in Duplicati, the test button always fails, but the backup runs successfully.
 

talz13

Dabbler
Joined
Oct 5, 2016
Messages
19
I'm having the same issue on cert-sync with the errors like this:

Warning: Could not import C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
System.PlatformNotSupportedException: Operation is not supported on this platform.

Running on FreeNAS 9.10, and get the TrustFailure errors when trying to connect to Google Drive, both in testing the connection as well as when trying to start the actual backup...


Edit:

I didn't notice that I was supposed to put the --accept-any-ssl-certificate=True on the actual backup job, and was trying to put it on the startup command line. After adding that to the backup job, it's started properly now. Not sure what to think of the security implications....
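
Added example, not from any post in this thread: a small check for the options the thread relies on, run against the startup file or a saved copy of a job's options. The function names and finding tags are hypothetical, and only the `=True` form of `--accept-any-ssl-certificate` used in the thread is matched.

```shell
#!/bin/sh
# Added example: flag the Duplicati options discussed in this thread when they
# appear in a startup file such as /etc/rc.local. Tags are hypothetical names.

# Print "<line>: <TAG>: <reason>" for every risky option on a non-comment line.
scan_duplicati_opts() {
    awk '
        function report(tag, why) { printf "%d: %s: %s\n", NR, tag, why }
        /^[ \t]*#/ { next }    # commented-out commands never run
        {
            l = tolower($0)    # the thread writes =True; match any case
            if (l ~ /--accept-any-ssl-certificate=true/)
                report("TLS-VERIFY-OFF", "server certificate is not validated")
            if (l ~ /--webservice-password=/)
                report("PASSWORD-IN-ARGV", "password shows up in ps output")
            if (l ~ /--webservice-interface=any/)
                report("UI-ALL-INTERFACES", "web UI listens on every interface")
        }
    ' "$1"
}

# Run the scan, add a finding if a file holding a password is world-readable
# (as it is after "chmod 755"), print the findings, return 1 if there are any.
audit_startup_file() {
    findings=$(scan_duplicati_opts "$1")
    case $findings in
        *PASSWORD-IN-ARGV*)
            if [ -n "$(find "$1" -perm -004)" ]; then
                findings="$findings
0: PASSWORD-WORLD-READABLE: $1 can be read by every local user"
            fi ;;
    esac
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```
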
 

bluff

Cadet
Joined
Jan 25, 2018
Messages
1
Hello, I have a problem setting up the autostart of Duplicati.

After creating the rc.local file and giving it chmod 755 permissions, it does not start.

The command written in the rc.local file is the following:
/usr/local/bin/mono /usr/src/Duplicati/Duplicati.Server.exe --webservice-port=8200 --webservice-interface=any --webservice-password=secret &

If I run the rc.local file directly, Duplicati starts.
 

nigma

Cadet
Joined
Sep 24, 2014
Messages
7
Hi,

I cannot get auto start to work correctly (running manually from the command line is working fine). Using the rc.local option doesn't seem to do anything, so I also tried with a file in /usr/local/etc/rc.d/ that looks like below:

Code:
#!/bin/sh

# PROVIDE: duplicati

. /etc/rc.subr

name="duplicati"
rcvar=${name}_enable

start_cmd="${name}_start"
stop_cmd=":"

duplicati_start()
{
	if checkyesno ${rcvar}; then
		/usr/local/bin/mono /root/duplicati/Duplicati.Server.exe --webservice-port=8200 --webservice-interface=any --server-datafolder=/root/.duplicati &
	fi
}

load_rc_config ${name}
run_rc_command "$1"


If I then try "service duplicati start" I get the error below. Simply running from the command line works fine, so it seems to be an issue when trying to run this automatically.


root@backblaze_1:/usr/home/backblaze # service duplicati start
root@backblaze_1:/usr/home/backblaze #
Unhandled Exception:
System.ComponentModel.Win32Exception (0x80004005): ApplicationName=’/root/duplicati/Duplicati.Server.exe’, CommandLine=’"–webservice-port=8200" “–webservice-interface=any” “–server-datafolder=/root/.duplicati”’, CurrentDirectory=’’, Native error= Cannot find the specified file
at System.Diagnostics.Process.StartWithCreateProcess (System.Diagnostics.ProcessStartInfo startInfo) [0x002dc] in :0
at System.Diagnostics.Process.Start () [0x0003a] in :0
at (wrapper remoting-invoke-with-check) System.Diagnostics.Process:Start ()
at System.Diagnostics.Process.Start (System.Diagnostics.ProcessStartInfo startInfo) [0x0001b] in :0
at Duplicati.Library.AutoUpdater.UpdaterManager.RunFromMostRecentSpawn (System.Reflection.MethodInfo method, System.String[] cmdargs, Duplicati.Library.AutoUpdater.AutoUpdateStrategy defaultstrategy) [0x00196] in :0
at Duplicati.Library.AutoUpdater.UpdaterManager.RunFromMostRecent (System.Reflection.MethodInfo method, System.String[] cmdargs, Duplicati.Library.AutoUpdater.AutoUpdateStrategy defaultstrategy) [0x0001b] in :0
at Duplicati.Server.Program.Main (System.String[] args) [0x00014] in <62a3c38a5c9c4c6181771976288a28b1>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.ComponentModel.Win32Exception (0x80004005): ApplicationName=’/root/duplicati/Duplicati.Server.exe’, CommandLine=’"–webservice-port=8200" “–webservice-interface=any” “–server-datafolder=/root/.duplicati”’, CurrentDirectory=’’, Native error= Cannot find the specified file
at System.Diagnostics.Process.StartWithCreateProcess (System.Diagnostics.ProcessStartInfo startInfo) [0x002dc] in :0
at System.Diagnostics.Process.Start () [0x0003a] in :0
at (wrapper remoting-invoke-with-check) System.Diagnostics.Process:Start ()
at System.Diagnostics.Process.Start (System.Diagnostics.ProcessStartInfo startInfo) [0x0001b] in :0
at Duplicati.Library.AutoUpdater.UpdaterManager.RunFromMostRecentSpawn (System.Reflection.MethodInfo method, System.String[] cmdargs, Duplicati.Library.AutoUpdater.AutoUpdateStrategy defaultstrategy) [0x00196] in :0
at Duplicati.Library.AutoUpdater.UpdaterManager.RunFromMostRecent (System.Reflection.MethodInfo method, System.String[] cmdargs, Duplicati.Library.AutoUpdater.AutoUpdateStrategy defaultstrategy) [0x0001b] in :0
at Duplicati.Server.Program.Main (System.String[] args) [0x00014] in <62a3c38a5c9c4c6181771976288a28b1>:0


Thanks
 