Resolved Backup fails since update to Plesk Obsidian 18.0.26: "Unable to validate the remote backup"

[TomBoB]

have a look at this.

"I added --tlsv1.1 [to the curl command] and it uploads successfully each time "

seems indeed an issue at Hetzner.

But must say, we use Hetzner storageboxes for some servers and the FTP backup (up to 180GB; incremental daily, full weekly) works without a problem.
Only difference I can spot is we don't use the standard curl version but a newer one from a third party vendor.

 

[Tjerk Visser]

I am having the same isseu. Tried several ftp storage locations. Even took a contract with strato Hidrive to make sure my strato server and the ftp location are on the same network.

OS	Ubuntu 18.04.4 LTS
Product	Plesk Obsidian Versie 18.0.26, laatste update op 2020-04-22 19:54

Zoeken naar updates
Gecontroleerd op 2020-05-4 19:43.

Can anybody give a clue? Thanks

 

[Tjerk Visser]

I am having the same isseu. Tried several ftp storage locations. Even took a contract with strato Hidrive to make sure my strato server and the ftp location are on the same network.

OS	Ubuntu 18.04.4 LTS
Product	Plesk Obsidian Versie 18.0.26, laatste update op 2020-04-22 19:54

Zoeken naar updates
Gecontroleerd op 2020-05-4 19:43.

Can anybody give a clue? Thanks

Update, if i don;t use FTPS the error is gone.

 

[Rar9]

Hetzner is working on fixing their TLSv1.3 issue. Fingers crossed they will get it fixed soon

 

[DenisG]

We have added option to /usr/local/psa/admin/conf/panel.ini to limit maximum TLS version

[pmm]
; Maximum TLS version. Possible values:
; 12 - TLS 1.2
; 13 - TLS 1.3
ftpMaxTlsVersion = 13

The option will be available since Plesk 18.0.27

 

[john_in_Toronto]

I have the exact same issues and error messages since May 5'20.

My server is:
Ubuntu 16.04.6 LTS
Plesk Obsidian
Version 18.0.26

On May 4'20 my Plesk automatically updated from 18.0.24 to 18.0.26 and now "EVERY" attempt to do an FTP backup,(scheduled and manual), fails!!

The backup system has worked perfectly for years.

Obviously 18.0.26 is defective.

Is it possible to REMOVE the 18.0.26 patch from my system?

 

[DenisG]

Is it possible to REMOVE the 18.0.26 patch from my system?

No, it is not possible. We have added validation of remote backups in 18.0.26 to make sure you can restore your data when it is required.

 

[hansitheking]

We have added option to /usr/local/psa/admin/conf/panel.ini to limit maximum TLS version

The option will be available since Plesk 18.0.27

To test if my FTP-Storage provider Strato HiDrive does have any basic TLS 1.3 issues I tested it with some examples. It is working with a empty file and even with a 1 GB and 2 GB .img file. The Log shows the output for a 1 MB File. Therefore, I think the option in 18.0.27 won’t fix it for me.

curl -v -s -S --ftp-pasv --ssl -k -u hidriveusername -T test.1m.img 'ftp://ftp.hidrive.strato.com/users/hidriveusername/'
Enter host password for user 'hidriveusername':
*   Trying 85.214.3.73...
* TCP_NODELAY set
* Connected to ftp.hidrive.strato.com (85.214.3.73) port 21 (#0)
< 220 Another visitor. Stay a while...
> AUTH SSL
< 234 AUTH SSL OK.
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Unknown (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2731 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=DE; ST=Berlin; L=Berlin; O=Strato AG; OU=Rechenzentrum; CN=ftp.hidrive.strato.com
*  start date: Dec  9 00:00:00 2019 GMT
*  expire date: Jan 11 12:00:00 2021 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018
*  SSL certificate verify ok.
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> USER hidriveusername
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [217 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [217 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 331 FTP login okay, send password.
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> PASS Stiffen7-Yarn-1Yuki
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 230 User logged in, proceed.
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> PBSZ 0
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 200 PBSZ=0
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> PROT P
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 200 Switched to protected data transfer mode.
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> PWD
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 257 "/" is current directory.
* Entry path is '/'
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> CWD users
* ftp_perform ends with SECONDARY: 0
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 250 Directory changed to /users
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> CWD hidriveusername
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 250 Directory changed to /users/hidriveusername
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> EPSV
* Connect data stream passively
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 500 Syntax error, command unrecognized.
* Failed EPSV attempt. Disabling EPSV
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> PASV
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 227 Entering Passive Mode (85,214,3,73,250,176).
*   Trying 85.214.3.73...
* TCP_NODELAY set
* Connecting to 85.214.3.73 (85.214.3.73) port 64176
* Connected to ftp.hidrive.strato.com (85.214.3.73) port 21 (#0)
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> TYPE I
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 200 Using BINARY mode to transfer data.
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> STOR test.1m.img
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 150 Opening BINARY mode SSL data connection.
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL re-using session ID
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Unknown (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2731 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* old SSL session ID is stale, removing
* Server certificate:
*  subject: C=DE; ST=Berlin; L=Berlin; O=Strato AG; OU=Rechenzentrum; CN=ftp.hidrive.strato.com
*  start date: Dec  9 00:00:00 2019 GMT
*  expire date: Jan 11 12:00:00 2021 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018
*  SSL certificate verify ok.
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
[...]
* We are completely uploaded and fine
* Remembering we are in dir "users/hidriveusername/"
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
} [1 bytes data]
* TLSv1.3 (OUT), TLS alert, Client hello (1):
} [2 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< 226 Transfer complete. Closing data connection.
* Connection #0 to host ftp.hidrive.strato.com left intact

 

[DenisG]

I'll try to test Strato HiDrive.

 

[rodrigomc2000]

Same problem here using the remote cloud backup to my dropbox business:

Export error: Number of volumes 0 does not match expected ones 1. The remote backup may not be restored.; Unable to validate the remote backup. It may not be restored. Error: Failed to exec pmm-ras: Repository error: File 'backup_rodrigo.com.br_2005070327_2005080325.tar' not found

CentOS Linux 7.8.2003 (Core)ProdutoPlesk Obsidian
Version 18.0.26, last update 30/04/2020 01:02 AM

 

[obendev]

Does the FTP Server support AllowStoreRestart?

 

[bgv20]

Same problem here, tested with vsftp and proftpd servers, same error.
Forcen BINARY mode transfer.

No solution yet. No backup since last update.

 

[rodrigomc2000]

Please guys, update plesk to fix this problem! we are in risk with our websites without full backup... We are also paying monthly for this addon (backup using dropbox) and its not working?

 

[D3nnis3n]

The spam the failed backups are sending every day are going on my nerves. Backup and Restore worked fine before that patch, please fix this!

 

[DenisG]

I cannot reproduce the issue neither Strato's HiDrive nor Dropbox. Try to check your routes via mtr command

mtr -s 1000 -r -c 1000 your.storage.host

 

[hansitheking]

I did the update to 18.0.27 yesterday and added the "fftpMaxTlsVersion = 12" to my panel.ini, therefore I didn´t had the error tonight.

[pmm]
ftpForbidReuseConnection = 1
ftpMaxTlsVersion = 12

This night I will test it without "ftpMaxTlsVersion = 12" to see what happens.

 

[D3nnis3n]

I'll test as well.

 

[D3nnis3n]

Changing to ftpMaxTlsVersion = 12 did not help, i still get the same error.

 

[bgv20]

[pmm]
ftpForbidReuseConnection = 1
ftpMaxTlsVersion = 12

Above values, works like a charm.

We quit ftpMaxTlsVersion = 12 config item and tested everything again. Of course, this time ftps connection was made using TLS 1.3, ftp server supports it. Same problem as before. Some bytes "get lost", ftps connection restarts on random file (multivolume) and backup cannot get validated.

At this point, thank you Plesk for introducing ftpMaxTlsVersion parameter in 18.0.27 release. In our case, problem was solved.

Some reading related to this issue: (Section: TLS 1.3 vs the Man-in-the-Middle):

Protecting against Man-In-The-Middle Attacks

Make sure nobody gets in the middle of your connections SSL/TLS forms the bedrock of modern web security by combining asymmetric and symmetric cryptography in order to achieve secrecy and...

www.thesslstore.com

 

[D3nnis3n]

I did not have ftpForbidReuseConnection = 1, it wasn't introduced to fix it, is it required?