When do I need --server-cert-fingerprint?

I connected from a Linux box to my repo server with kopia repository connect server --url https://kopia:443 and it worked without any issues.

So here are my 2 questions:

  • Why would I have to specify --server-cert-fingerprint if it worked without it? So when is this fingerprint needed?
  • After rebooting, the repository was still connected. How? I never created a systemd unit file, nor did I add a script that runs at startup. This is great. I just don’t understand how this is possible.

P.S.: The documentation is also wrong: It states:

$ kopia repository status
kopia: error: operation supported only on direct repository, try --help

This is not the case. I am getting the following on my client:

# kopia repository status
Config file:         /root/.config/kopia/repository.config

Description:         API Server: https://kopia:443
Hostname:            cator01ps
Username:            root
Read-only:           false
Format blob cache:   15m0s

I think that using a secured connection is the default with Kopia and you must specifically choose to not use a secure connection on the repo server.

As for your 2nd question, always remember that Kopia (remote client) doesn’t maintain a persistent connection to the remote repo. Being “connected” means that there is a valid repository config in place. The KC usually stores this in ~/.config/kopia on UNIX-like systems, unless you specify it otherwise. A reboot won’t remove these files, so Kopia Client can still connect to the remote repo after a reboot. If you want to invalidate the connection, use kopia repo disconnect, or remove the config files.

Thanks for the reply, but I don’t understand what your statement has to do with my question:

I am creating a secure connection, since I am connecting to https://, so I am still not sure why or when I would need the fingerprint. Because I didn’t specify it, despite it always being mentioned in all docs, but it worked without it.

Ah, this makes sense now. Cheers

I figured it out. I ran a bunch of tests.

The fingerprint is only needed for self-signed certs, whose CAs are not in the operating system’s trust store.


Kopia is a great piece of software and I am impressed how nicely it works. But the documentation is probably one of the worst I have ever seen. It’s outdated, inconsistent, the command line reference only shows a verbatim copy of the --help page, but no explanations whatsoever. (e.g. what values can I use for an argument)
The only way to figure out how Kopia really works is to spend hours and hours on trial and error.
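The finding above (the fingerprint matters when the server certificate is self-signed and not covered by the OS trust store), as an added example that is not part of the thread and not Kopia's own code. It assumes the openssl CLI is installed and that the value passed to --server-cert-fingerprint is the SHA-256 over the DER-encoded certificate in lowercase hex without colons; the helper names are hypothetical and the certificate is a throwaway one generated for the demo.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Kopia.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex
# without colons (SHA-256 over the DER encoding of the certificate).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Accept a fingerprint in any common notation (AA:BB:..., mixed case)
# and print it in the same canonical form as cert_fingerprint.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'A-F' 'a-f'
}

# Exit 0 if the certificate verifies against the system trust store
# (no pin needed); non-zero otherwise, e.g. for a self-signed certificate.
trusted_by_system() {
    openssl verify "$1" >/dev/null 2>&1
}

# Exit 0 if a previously recorded pin still matches the certificate,
# so a changed server certificate is noticed before reconnecting.
pin_matches() {
    [ "$(cert_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Create a throwaway self-signed certificate (constructed demo input).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kopia" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Print the connect command: with a pin when the system trust store does
# not cover the certificate, without one otherwise.
connect_command() {
    if trusted_by_system "$1"; then
        echo "kopia repository connect server --url $2"
    else
        echo "kopia repository connect server --url $2 --server-cert-fingerprint $(cert_fingerprint "$1")"
    fi
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
connect_command "$demo_dir/cert.pem" "https://kopia:443"
rm -rf "$demo_dir"
```

Compute the fingerprint from the certificate file on the server itself, not from whatever certificate the client happens to receive over the network, so the pin reflects the certificate you actually issued.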

Fully agree. It is a very nice piece of software and had a great start, but now seems stalled.

Yep, I think this project might be dead. The dev doesn’t merge any PRs and the only commits in the past months are dependency updates.
I will monitor this project for another year. If nothing changes, I’ll switch to something that is actively developed.

The same - thought initially that it can be my fav backup software - but since then I changed my mind. However good the initial design and implementation, without ongoing dev it rots. For backups I need something solid - does not even have to be funky.

@tessus

Would you mind adding it to the documentation? It’s straightforward and will help others having the same issue.

Cheers,

I would add it to the doc, if there was any indication that this project wasn’t dead. I am not going to waste my time beating a dead horse. (see my previous comment)

I think the community needs assurance about what is happening with this project. I am already looking for alternatives, even though I really like kopia. But there is no use in entrusting my data to an unmaintained product.

thanks for that insight - otherwise would’ve wasted a lot of time myself here …