Home / server / Questions / 661870
In Process
nelaaro
Asked: 2015-01-24 06:00:21 +0800 CST

vsftpd does not give a valid certificate using CA cert

  • 772

When setting up vsftpd we have problems with it not providing a trusted connection us a basic pem certificate container using just our private key and certificate.

We created our pem file with the following commands.

cat somecert.com.crt >> somepem.pem
cat somecertkey.com.key >> somepem.pem

SSL Certificate config vsftpd.conf

/etc/vsftpd/vsftpd.conf
ssl_enable=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/httpd/ssl/somepem.pem

When connecting using lftp in debug mode I saw that we giving a certificate with out enough info to be establish the full chain of authority. To ensure it was trusted.

lftp -d -u user:pass myserver.com
....
ERROR: Certificate verification: Not trusted
**** Certificate verification: Not trusted
---- Closing control socket

ssl

2 Answers

  1. I need to get the full chain of authority and add it to the pem certificate container Thanks to stackExchange there are some nice solutions to this problem.

    echo connect | openssl s_client -connect myserver.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

    From that we can now update the certificate we created to include the full chain of authority.

    We need to update the config of the vsftpd

    vim /etc/vsftpd/vsftpd.conf
    ssl_enable=YES
    ssl_tlsv1=YES
    rsa_private_key_file=/etc/httpd/ssl/somepem.pem
    rsa_cert_file=/etc/vsftpd/ssl/cert.pem

    Test using lftp

    lftp -d -u user:pass myserver.com

    Certificate: C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\, Inc.,OU=http://certificates.starfieldtech.com/repository,CN=Starfield Secure Certification > Authority,serialNumber=10688435
    Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
    Checking against: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
    Trusted
    Certificate: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
    Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
    Trusted

    It is important to pack the pem file correctly in the correct order.
    how-do-i-make-my-own-bundle-file-from-crt-files

    Creating a .pem with the Entire SSL Certificate Trust Chain

    Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt). Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:

    1. The Primary Certificate - your_domain_name.crt
    2. The Intermediate Certificate - DigiCertCA.crt
    3. The Root Certificate - TrustedRoot.crt

    Make sure to include the beginning and end tags on each certificate. The result should look > like this:

    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: DigiCertCA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate: TrustedRoot.crt)
    -----END CERTIFICATE-----

    Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

    • 2

  2. You could always configure your ftp client to ignore certificates. Which is insecure, and should be avoided. Do this at your own risk. http://anils-tips.blogspot.com/2011/05/lftp-fatal-error-certificate.html

    lftp [email protected]:/directory
    Password:
    cd: Fatal error: Certificate verification: Not trusted

    To disable certificate verification in lftp, completely.
    This is not a good idea if you are concerned about security

    cat ~/.lftp/rc
    set ssl:verify-certificate no

    or
    If you just want to do this for one specific host you can.

    lftp -e "set ssl:verify-certificate no" [email protected]:/directory

    • -1