Discussion:
certificate validation
Szépe Viktor
2014-06-10 23:55:23 UTC
Could you help me solve the "Not trusted: no issuer was found" error?
Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy)
4.5.1 does the same.
Also with the fresh CA bundle
https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt

You can try running lftp eu1.solid-hosting.net yourself without a password.

Thank you!


openssl says it is OK

# openssl s_client -connect eu1.solid-hosting.net:21 -starttls ftp -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network,
CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =
eu1.solid-hosting.net
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=eu1.solid-hosting.net
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=PositiveSSL CA 2
1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=PositiveSSL CA 2
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---



# lftp eu1.solid-hosting.net
lftp ***@eu1.solid-hosting.net:~> set ssl:ca-file /etc/ssl/certs/ca-certificates.crt

lftp ***@eu1.solid-hosting.net:~> debug

lftp ***@eu1.solid-hosting.net:~> ls /
---- Connecting to eu1.solid-hosting.net (94.23.121.230) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
<--- 220-You are user number 1 of 100 allowed.
<--- 220-Local time is now 00:24. Server port: 21.
<--- 220-This is a private system - No anonymous login
<--- 220-IPv6 connections are also welcome on this server.
<--- 220 You will be disconnected after 3 minutes of inactivity.
---> FEAT
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- MFMT
<--- REST STREAM
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- AUTH TLS
<--- PBSZ
<--- PROT
<--- TVFS
<--- ESTA
<--- PASV
<--- EPSV
<--- SPSV
<--- ESTP
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control
Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Trusted
**** Certificate verification: Not trusted: no issuer was found
---- Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found

Szépe Viktor
--
+36-20-4242498 ***@szepe.net skype: szepe.viktor
Budapest, XX. kerület
Alexander V. Lukyanov
2014-06-11 06:56:48 UTC
You can try to compile lftp with openssl (configure --with-openssl) and see if it helps.

--
Alexander.
Szépe Viktor
2014-06-12 18:55:43 UTC
Your software is very tricky. After --with-ssl=yes openssl is not
denoted (in the bottom line) but is doing some TLS operation!

After set ssl:ca-path /etc/ssl/certs/ OR set ssl:ca-file /etc/ssl/certs/ca-certificates.crt
lftp says:
<--- 234 AUTH TLS successful
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
Certificate depth: 0; subject: /OU=Domain Control
Validated/OU=PositiveSSL/CN=s1.tarhelydiktator.eu; issuer:
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=PositiveSSL CA 2
ERROR: Certificate verification: unable to get local issuer certificate
**** SSL_connect: unable to get local issuer certificate

Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes you won't reach the password prompt.

Thank you!


# /home/viktor/src/lftp-4.5.2/src/lftp --version
LFTP | Version 4.5.2 | Copyright (c) 1996-2014 Alexander V. Lukyanov

LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LFTP. If not, see <http://www.gnu.org/licenses/>.

Send bug reports and questions to the mailing list <***@uniyar.ac.ru>.

Libraries used: Readline 6.2, Expat 2.1.0, zlib 1.2.7
Daniel Fazekas
2014-06-12 21:27:20 UTC
Your software is very tricky. After --with-ssl=yes openssl is not denoted (in the bottom line) but is doing some TLS operation!
Stripping symbols from the lftp binary can cause the openssl version information to go missing from the version output.
Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes you won't reach the password prompt.
It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a necessary intermediate certificate was left out.

$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=21:unable to verify the first certificate
verify return:1

Also fails with curl compiled with NSS:

$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]
AUTH SSL
< 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control Validated
* start date: Jun 07 00:00:00 2014 GMT
* expire date: Jun 07 23:59:59 2015 GMT
* common name: s1.tarhelydiktator.eu
* issuer: CN=PositiveSSL CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.


To sum up, in my testing:
cl01.webspacecontrol.com:
openssl: OK
gnutls: OK
nss: OK

eu1.solid-hosting.net
openssl: OK
gnutls: fails
nss: OK

s1.tarhelydiktator.eu
openssl: fails
nss: fails
gnutls: fails

Not a fault of lftp in either case.
Szépe Viktor
2014-06-12 23:19:59 UTC
Thank you for your answer!
Yes, this is a "left out intermediate cert" case (but it is included on
Windows 7); lftp works with openssl.

My original question was that the stock Debian/wheezy lftp (compiled
with gnutls) couldn't verify a valid cert.

# lftp -u '***,***' eu1.solid-hosting.net -e 'debug'
lftp ***@eu1.solid-hosting.net:~> set ftp:ssl-force 1
lftp ***@eu1.solid-hosting.net:~> set ssl:ca-file /etc/ssl/certs/ca-certificates.crt
lftp ***@eu1.solid-hosting.net:~> ls
---- Connecting to eu1.solid-hosting.net (94.23.121.230) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
.
.
.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control
Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Trusted
**** Certificate verification: Not trusted: no issuer was found
---- Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found


gnutls-cli 3 works:

echo "AUTH TLS"
echo "press: ENTER + Ctrl+D"
# gnutls-cli 3.2.15
gnutls-cli --verbose --crlf --x509cafile=/etc/ssl/certs/ca-certificates.crt --starttls --port 21 eu1.solid-hosting.net

- Status: The certificate is trusted.
- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Session ID:
F4:FE:58:66:16:DB:95:A7:54:EA:C0:D7:7D:8D:A3:39:C8:76:D5:A2:23:FC:53:91:26:B7:D8:13:75:2C:85:6C
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL


It seems to be a gnutls problem because
gnutls-cli (GnuTLS) 2.8.6 fails:


- The hostname in the certificate matches 'eu1.solid-hosting.net'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL

But after compiling lftp with gnutls 3

Libraries used: Readline 6.2, Expat 2.1.0, GnuTLS 3.2.15, zlib 1.2.7

the problem persists. It is very strange that the root CA is not
trusted by lftp:

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
ERROR: Certificate verification: Not trusted: no issuer was found

Could it be that
set ssl:ca-file /etc/ssl/certs/ca-certificates.crt
is useless?

Please help!
Szépe Viktor
2014-06-12 23:39:12 UTC
Maybe I've found the cause:

The "Issued by:" and the "Checking against:" are looping.
First PositiveSSL<->AddTrust, then AddTrust<->PositiveSSL.


Certificate: OU=Domain Control
Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
ERROR: Certificate verification: Not trusted: no issuer was found


Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
ERROR: Certificate verification: Not trusted: no issuer was found


Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Trusted
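The observation above is the key to the eu1.solid-hosting.net case: the server sends its chain as leaf, root, intermediate, so a verifier that only checks each certificate against the next one in the list never finds the leaf's issuer, while a verifier that looks issuers up by name (as openssl and NSS do) builds the path fine. The toy model below is an added illustration, not code from the thread, lftp or GnuTLS; it matches subject and issuer names only (no signature, validity or constraint checks) using the DNs from the debug output, and also covers the missing-intermediate case from s1.tarhelydiktator.eu.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Name-only stand-in for an X.509 certificate (no signature checked)."""
    subject: str
    issuer: str

# Distinguished names copied from the lftp debug output in this thread.
ADDTRUST = "C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root"
POSITIVESSL = "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2"
LEAF = Cert("OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net", POSITIVESSL)
INTERMEDIATE = Cert(POSITIVESSL, ADDTRUST)
ROOT = Cert(ADDTRUST, ADDTRUST)  # self-signed

TRUST_STORE = {ROOT.subject: ROOT}          # stands in for ca-certificates.crt
CHAIN_AS_SENT = [LEAF, ROOT, INTERMEDIATE]  # order eu1.solid-hosting.net sends
CHAIN_ORDERED = [LEAF, INTERMEDIATE, ROOT]  # TLS order: each cert certifies the one before it
CHAIN_MISSING_INTERMEDIATE = [LEAF]         # the s1.tarhelydiktator.eu situation

def verify_positional(chain, trust_store):
    """Strict verifier: cert[i] must be issued by a trusted CA or by cert[i+1].
    This is the 'Issued by / Checking against' pairing seen in lftp's output."""
    for i, cert in enumerate(chain):
        if cert.issuer in trust_store:
            return True                     # lftp prints "Trusted" here
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False                    # "Not trusted: no issuer was found"
    return False

def verify_by_issuer_lookup(chain, trust_store, max_depth=10):
    """Path-building verifier: locate each issuer by name in the trust store
    or anywhere in the presented chain, ignoring the order it was sent in."""
    by_subject = {c.subject: c for c in chain}
    cert = chain[0]
    for _ in range(max_depth):              # bound the walk so name cycles cannot loop forever
        if cert.subject in trust_store:
            return True
        issuer = trust_store.get(cert.issuer) or by_subject.get(cert.issuer)
        if issuer is None or issuer is cert:
            return False                    # missing intermediate or untrusted self-signed cert
        cert = issuer
    return False

if __name__ == "__main__":
    for name, chain in [("as sent", CHAIN_AS_SENT), ("ordered", CHAIN_ORDERED),
                        ("no intermediate", CHAIN_MISSING_INTERMEDIATE)]:
        print(f"{name:16} positional={verify_positional(chain, TRUST_STORE)!s:5} "
              f"lookup={verify_by_issuer_lookup(chain, TRUST_STORE)}")
```

Only the misordered chain separates the two verifiers; a chain with the intermediate left out fails under both, which is the behaviour every client showed against s1.tarhelydiktator.eu.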