currently i am using both HTTP and HTTPS on my page so in case there is problem with SSL certificate, people can try HTTP only version.
But my CMS enforce HTTPS on part of the website (login forms, order forms).

I just found that Google in Webmaster tools says it found many duplicate pages without canonical tag.

I assume it is HTTPS vs HTTP

I do not know if i should somehow set canonical tag to point to HTTP or HTTPS?

It seem to me that better/more reliable way would be canonical tag to point to HTTPS only version because bots will not end up in loop where canonical direct them to HTTP, but server redirect them to HTTPS on some pages. As a downside of this approach i am afraid that if HTTPS stop working (not renewed certificate or other bug in SSL on server), then bots will immediately stop having access and deindex my pages.