
vsftpd does not give a valid certificate using CA cert

When setting up vsftpd we have problems with it not providing a trusted connection using a basic pem certificate container with just our private key and certificate.

We created our pem file with the following commands.

cat somecert.com.crt >> somepem.pem
cat somecertkey.com.key >> somepem.pem

SSL Certificate config vsftpd.conf


When connecting using lftp in debug mode I saw that we were giving a certificate without enough info to establish the full chain of authority, so it could not be trusted.

lftp -d -u user:pass myserver.com
ERROR: Certificate verification: Not trusted
**** Certificate verification: Not trusted
---- Closing control socket

I need to get the full chain of authority and add it to the pem certificate container. Thanks to StackExchange there are some nice solutions to this problem.

echo connect | openssl s_client -connect myserver.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

From that we can now update the certificate we created to include the full chain of authority.

We need to update the vsftpd config:

vim /etc/vsftpd/vsftpd.conf

Test using lftp

lftp -d -u user:pass myserver.com

Certificate: C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\, Inc.,OU=http://certificates.starfieldtech.com/repository,CN=Starfield Secure Certification Authority,serialNumber=10688435
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Checking against: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Certificate: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority

It is important to pack the pem file correctly in the correct order.

Creating a .pem with the Entire SSL Certificate Trust Chain

Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt). Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:

  1. The Primary Certificate - your_domain_name.crt
  2. The Intermediate Certificate - DigiCertCA.crt
  3. The Root Certificate - TrustedRoot.crt

Make sure to include the beginning and end tags on each certificate. The result should look like this:

(Your Primary SSL certificate: your_domain_name.crt)
(Your Intermediate certificate: DigiCertCA.crt)
(Your Root certificate: TrustedRoot.crt)

Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

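An added example, not part of the original answer, that checks a combined PEM bundle is packed in the order described (leaf, intermediate, root) by comparing each certificate's issuer with the subject of the certificate that follows it; it assumes openssl is installed and builds its own throwaway test chain with placeholder names (Test Root, Test Intermediate, ftp.example.test).

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a combined PEM bundle
# is ordered leaf -> intermediate -> root by confirming that each certificate's
# issuer is the subject of the certificate that follows it. Requires openssl.

# pem_chain_ordered BUNDLE.pem : returns 0 if the order is correct, 1 otherwise
pem_chain_ordered() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # split the bundle into one file per certificate: c1.pem, c2.pem, ...
    awk -v d="$tmp" '/-BEGIN CERTIFICATE-/{n++} n>0{print > (d "/c" n ".pem")}' "$bundle"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -in "$tmp/c$i.pem" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -in "$tmp/c$next.pem" | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i was not issued by certificate $next: wrong order" >&2
            rm -rf "$tmp"
            return 1
        fi
        i=$next
    done
    rm -rf "$tmp"
    return 0
}

# make_test_chain DIR : constructed test data, a throwaway root -> intermediate
# -> leaf chain, written as DIR/good.pem (leaf, intermediate, root) and
# DIR/bad.pem (intermediate first). Names are placeholders.
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/inter.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ftp.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.crt" \
        -CAkey "$d/inter.key" -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/inter.crt" "$d/root.crt" > "$d/good.pem"
    cat "$d/inter.crt" "$d/leaf.crt" "$d/root.crt" > "$d/bad.pem"
}
```

Run `pem_chain_ordered /path/to/somepem.pem` against the bundle before pointing vsftpd at it; a private key block in the same file does not disturb the check, because only CERTIFICATE blocks are split out and openssl x509 reads the first certificate in each piece.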

You could always configure your FTP client to ignore certificates, which is insecure and should be avoided. Do this at your own risk. http://anils-tips.blogspot.com/2011/05/lftp-fatal-error-certificate.html

lftp user@test.ftp.com:/directory
cd: Fatal error: Certificate verification: Not trusted

To disable certificate verification in lftp completely (this is not a good idea if you are concerned about security):

cat ~/.lftp/rc
set ssl:verify-certificate no

If you just want to do this for one specific host, you can:

lftp -e "set ssl:verify-certificate no" user@test.ftp.com:/directory

    • Why not completely remove SSL? This is about the same security as you get with your proposal to disable certificate validation. No validation means easy man-in-the-middle attacks.
    • Because sometimes you just want to get it done so you can leave the office, which is why I put the correct way to do things first, and then as a last attempt you can end here to just make things work.
    • I agree that sometimes one has to use a temporary and insecure workaround. But this should be explicitly marked as such and not as "you could always...." without pointing out that this is only a workaround and which problems it has.
    • @SteffenUllrich you are correct. I should have taken more time to explain the security implications. Thank you for your help.
