vsftpd does not give a valid certificate using CA cert


I need to get the full chain of authority and add it to the pem certificate container. Thanks to StackExchange there are some nice solutions to this problem.

# -showcerts prints every certificate the server sends (leaf plus intermediates), not just the leaf
openssl s_client -showcerts -connect myserver.com:443 </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

From that we can now update the certificate we created to include the full chain of authority.

We need to update the vsftpd config:

vim /etc/vsftpd/vsftpd.conf
ssl_enable=YES
ssl_tlsv1=YES
rsa_private_key_file=/etc/httpd/ssl/somepem.pem
rsa_cert_file=/etc/vsftpd/ssl/cert.pem

Test using lftp

lftp -d -u user:pass myserver.com

Certificate: C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\, Inc.,OU=http://certificates.starfieldtech.com/repository,CN=Starfield Secure Certification Authority,serialNumber=10688435
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Checking against: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Trusted
Certificate: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Trusted

It is important to pack the pem file in the correct order.
See: how-do-i-make-my-own-bundle-file-from-crt-files

Creating a .pem with the Entire SSL Certificate Trust Chain

Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt). Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:

  1. The Primary Certificate - your_domain_name.crt
  2. The Intermediate Certificate - DigiCertCA.crt
  3. The Root Certificate - TrustedRoot.crt

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

Save the combined file as your_domain_name.pem. The .pem file is now ready to use.
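The two things that go wrong with a hand-assembled bundle are the order of the certificates and a private key that does not belong to the leaf. The script below is an added example, not part of the original answer or of vsftpd: it builds a throw-away root / intermediate / server chain with the openssl CLI (all names such as ftp.example.com and "Test Root CA" are constructed), writes the bundle in the leaf-first order described above and once in the wrong order, and then checks each bundle the way a practitioner would before pointing rsa_cert_file at it: every certificate's issuer must be the subject of the certificate that follows it, the key must match the leaf, and openssl verify must accept the chain. The last call shows the failure the question started from, a leaf presented without its intermediate.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed chain: self-signed root -> intermediate -> server (leaf).
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ftp.example.com\n' > "$WORK/leaf.ext"
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj '/CN=Test Root CA' >/dev/null 2>&1
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj '/CN=Test Intermediate CA' >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj '/CN=ftp.example.com' >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# bundle_in_order OUT CERT... : concatenate certificates in the given order.
bundle_in_order() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do cat "$f" >> "$out"; done
}

# check_bundle_order BUNDLE : prints "ok" when each certificate's issuer is the
# subject of the next one (leaf first, root last), else "broken at N".
check_bundle_order() {
    d=$(mktemp -d)
    # split the bundle into cert1.pem, cert2.pem, ... in file order
    awk -v d="$d" '/-BEGIN CERTIFICATE-/{n++} n>0 {print > (d "/cert" n ".pem")}' "$1"
    n=$(ls "$d" | wc -l | tr -d ' ')
    result=ok
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer | sed 's/^issuer=//')
        next=$(openssl x509 -in "$d/cert$((i+1)).pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$next" ]; then
            result="broken at $i"
            break
        fi
        i=$((i+1))
    done
    rm -rf "$d"
    echo "$result"
}

# check_key_matches_cert CERT KEY : compares the SPKI from the certificate with
# the public half of the private key; prints "match" or "mismatch".
check_key_matches_cert() {
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; then
        echo match
    else
        echo mismatch
    fi
}

# verify_chain ROOT UNTRUSTED LEAF : prints "valid" if openssl can build a path
# from LEAF to ROOT using the certificates in UNTRUSTED, else "invalid".
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo valid || echo invalid
}

make_chain
bundle_in_order "$WORK/good.pem" "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt"
bundle_in_order "$WORK/bad.pem"  "$WORK/root.crt" "$WORK/int.crt" "$WORK/leaf.crt"   # wrong order
printf 'good bundle order:   %s\n' "$(check_bundle_order "$WORK/good.pem")"                           # ok
printf 'bad bundle order:    %s\n' "$(check_bundle_order "$WORK/bad.pem")"                            # broken at 1
printf 'key matches leaf:    %s\n' "$(check_key_matches_cert "$WORK/leaf.crt" "$WORK/leaf.key")"      # match
printf 'chain verifies:      %s\n' "$(verify_chain "$WORK/root.crt" "$WORK/good.pem" "$WORK/leaf.crt")"  # valid
printf 'leaf alone verifies: %s\n' "$(verify_chain "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/leaf.crt")"  # invalid
```

To check a real bundle, run check_bundle_order against the file you intend to use as rsa_cert_file and check_key_matches_cert against it and the key in rsa_private_key_file; the ">" lines lftp prints in debug mode are the same subject/issuer pairs the order check compares. Shipping the root in the bundle, as the DigiCert instructions do, is harmless: clients ignore it and use their own trust store for the root.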


Author: nelaaro (Application Engineer, Web Developer, Drupal CMS, and Coldfusion)

Updated on September 18, 2022

Comments

  • nelaaro
    nelaaro over 1 year

    When setting up vsftpd we have problems with it not providing a trusted connection using a basic pem certificate container made from just our private key and certificate.

    We created our pem file with the following commands.

    cat somecert.com.crt >> somepem.pem
    cat somecertkey.com.key >> somepem.pem

    SSL Certificate config vsftpd.conf

    /etc/vsftpd/vsftpd.conf
    ssl_enable=YES
    ssl_tlsv1=YES
    rsa_cert_file=/etc/httpd/ssl/somepem.pem

    When connecting using lftp in debug mode I saw that we were giving a certificate without enough info to establish the full chain of authority, to ensure it was trusted.

    lftp -d -u user:pass myserver.com
    ....
    ERROR: Certificate verification: Not trusted
    **** Certificate verification: Not trusted
    ---- Closing control socket

  • Steffen Ullrich
    Steffen Ullrich over 9 years
    Why not completely remove SSL? This is about the same security as you get with your proposal to disable certificate validation. No validation means easy man-in-the-middle attacks.
  • nelaaro
    nelaaro over 9 years
    Because some time you just want to get it done so you can leave the office. Which is why I put the correct way to do things first and then as a last attempt you can end here to just make things work.
  • Steffen Ullrich
    Steffen Ullrich over 9 years
    I agree that sometimes one has to use a temporary and insecure workaround. But this should be explicitly marked as such and not as "you could always...." without pointing out that this is only a workaround and which problems it has.
  • nelaaro
    nelaaro over 9 years
    @SteffenUllrich you are correct. I should have take more time to explain the security implications. Thank you for your help