vsftpd does not give a valid certificate using CA cert
I need to get the full chain of authority and add it to the pem certificate container. Thanks to stackExchange there are some nice solutions to this problem.
echo connect | openssl s_client -showcerts -connect myserver.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
From that we can now update the certificate we created to include the full chain of authority.
We need to update the config of vsftpd.
vim /etc/vsftpd/vsftpd.conf
ssl_enable=YES
ssl_tlsv1=YES
rsa_private_key_file=/etc/httpd/ssl/somepem.pem
rsa_cert_file=/etc/vsftpd/ssl/cert.pem
Test using lftp
lftp -d -u user:pass myserver.com
Certificate: C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\, Inc.,OU=http://certificates.starfieldtech.com/repository,CN=Starfield Secure Certification Authority,serialNumber=10688435
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Checking against: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Trusted
Certificate: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Trusted
It is important to pack the pem file correctly in the correct order.
how-do-i-make-my-own-bundle-file-from-crt-files
Creating a .pem with the Entire SSL Certificate Trust Chain
Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt). Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
- The Primary Certificate - your_domain_name.crt
- The Intermediate Certificate - DigiCertCA.crt
- The Root Certificate - TrustedRoot.crt
Make sure to include the beginning and end tags on each certificate. The result should look like this:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
Save the combined file as your_domain_name.pem. The .pem file is now ready to use.
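The ordering rule above (server certificate first, then the intermediate, then the root) is easy to get wrong and vsftpd will not warn you. The following script is an added example, not code from the original answer or from the vsftpd project: it builds a throwaway root, intermediate and server certificate with openssl, packs them into a bundle in the answer's order and in the wrong order, and checks each bundle by walking it certificate by certificate (every issuer must be the subject of the next entry). All names, file names and the serial numbers are constructed test data; the script assumes an openssl binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original answer or from vsftpd: build a
# throwaway root -> intermediate -> server chain with openssl, pack it in
# the order the answer describes (server certificate first, then the
# intermediate, then the root) and check that order before pointing
# rsa_cert_file at the bundle. Every name and file below is constructed
# test data; no real CA or server is involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Key pair plus CSR for the given subject, written to $WORK/<name>.key and .csr
new_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Create root, intermediate and server certificates plus two bundles:
# good.pem in the answer's order and bad.pem with the root listed first.
build_test_chain() {
  if [ -f "$WORK/good.pem" ]; then return 0; fi   # already built
  new_csr root '/CN=Example Test Root CA'
  new_csr int '/CN=Example Test Intermediate CA'
  new_csr server '/CN=ftp.example.test'
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ftp.example.test\n' > "$WORK/server.ext"
  # Self-signed root.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -sha256 \
    -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate signed by the root, server certificate signed by the intermediate.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -days 1 -sha256 -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -days 1 -sha256 -set_serial 3 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
  cat "$WORK/server.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/good.pem"  # answer's order
  cat "$WORK/root.crt" "$WORK/int.crt" "$WORK/server.crt" > "$WORK/bad.pem"   # root first: wrong
}

# Split a bundle into one file per certificate and walk it: the issuer of
# each certificate must equal the subject of the certificate that follows.
chain_order_ok() {
  dir=$(mktemp -d)
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
    n { print > f }
    /-----END CERTIFICATE-----/ { close(f) }' "$1"
  expect=""
  rc=0
  for cert in "$dir"/cert*.pem; do
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert")
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert")
    subject=${subject#subject=}
    issuer=${issuer#issuer=}
    if [ -n "$expect" ] && [ "$subject" != "$expect" ]; then
      echo "out of order: expected '$expect' next but found '$subject'" >&2
      rc=1
      break
    fi
    expect=$issuer
  done
  rm -rf "$dir"
  return $rc
}

# Independent check with openssl's own path builder: trust only the test
# root and let the bundle supply the intermediate.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/server.crt" >/dev/null 2>&1
}

build_test_chain
if chain_order_ok "$WORK/good.pem" && chain_verifies "$WORK/good.pem"; then
  echo "good.pem: order correct and chain verifies against the test root"
  echo "vsftpd would use: rsa_cert_file=$WORK/good.pem rsa_private_key_file=$WORK/server.key"
fi
if ! chain_order_ok "$WORK/bad.pem"; then
  echo "bad.pem: rejected, the root must not come first"
fi
```

Note that `openssl verify -untrusted` picks the intermediate out of the bundle wherever it sits, so it passes for bad.pem as well; only the explicit order walk catches the mistake. That matters because TLS requires the server to send the chain leaf-first, and a client such as lftp may not reorder it for you, which is exactly the "Not trusted" symptom the question describes.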
nelaaro
Application Engineer, Web Developer, Drupal CMS, and Coldfusion.
Updated on September 18, 2022
Comments
- nelaaro over 1 year
When setting up vsftpd we have problems with it not providing a trusted connection using a basic pem certificate container with just our private key and certificate.
We created our pem file with the following commands.
cat somecert.com.crt >> somepem.pem
cat somecertkey.com.key >> somepem.pem
SSL Certificate config vsftpd.conf
/etc/vsftpd/vsftpd.conf
ssl_enable=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/httpd/ssl/somepem.pem
When connecting using lftp in debug mode I saw that we were giving a certificate without enough info to establish the full chain of authority and ensure it was trusted.
lftp -d -u user:pass myserver.com
....
ERROR: Certificate verification: Not trusted
**** Certificate verification: Not trusted
---- Closing control socket
- Steffen Ullrich over 9 years
Why not completely remove SSL? This is about the same security as you get with your proposal to disable certificate validation. No validation means easy man-in-the-middle attacks.
- nelaaro over 9 years
Because sometimes you just want to get it done so you can leave the office, which is why I put the correct way to do things first and then, as a last attempt, you can end here to just make things work.
- Steffen Ullrich over 9 years
I agree that sometimes one has to use a temporary and insecure workaround. But this should be explicitly marked as such and not as "you could always...." without pointing out that this is only a workaround and which problems it has.
- nelaaro over 9 years
@SteffenUllrich you are correct. I should have taken more time to explain the security implications. Thank you for your help.