Error about invalid certificate is incorrect

trstillzilla
504 Command not implemented
Posts: 6
Joined: 2019-03-08 23:42

Error about invalid certificate is incorrect

#1 Post by trstillzilla » 2019-03-08 23:52

I keep getting the Server's certificate is unknown or expired.
The SSL certificate is valid and has not expired.
Clicking on the ssl verification (the lock icon) it shows:

Issued by: COMODO RSA Domain Validation Secure Server
Valid From 11/7/2018 to 11/8/2019

How can I avoid this erroneous error?
Thank you

xeon
226 Transfer OK
Posts: 127
Joined: 2009-08-19 03:18

Re: Error about invalid certificate is incorrect

#2 Post by xeon » 2019-03-09 13:12

FileZilla doesn't validate certificates using a CA store like most other software, so it will always show new certificates as "unknown" until you choose to accept and trust it for future sessions.

You'll need to somehow contact your hosting provider to obtain the correct fingerprint for each new certificate and compare it against the one showing in FileZilla before accepting it, in order to do a proper manual validation.

trstillzilla
504 Command not implemented
Posts: 6
Joined: 2019-03-08 23:42

Re: Error about invalid certificate is incorrect

#3 Post by trstillzilla » 2019-03-22 16:52

Thanks for the information.
But, the ability to select "Always Trust Certificate" is grayed out.
How can I accept the certificate?

Thank you,
Tom Stilley

botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Error about invalid certificate is incorrect

#4 Post by botg » 2019-03-22 17:32

If the checkbox to always trust the certificate is disabled then there is something very wrong with the certificate or the other certificates in the chain. Look for the text in red.

trstillzilla
504 Command not implemented
Posts: 6
Joined: 2019-03-08 23:42

Re: Error about invalid certificate is incorrect

#5 Post by trstillzilla » 2019-03-22 17:51

The red text in Filezilla says Valid to: 6/24/2018 5:56:10 PM - Certificate expired.
But, that is bogus.
The geotrust certificate on the site says: Valid from: 9/19/2018 to 10/3/2019.

Using the SSL checker site: https://www.sslshopper.com/ssl-checker.html
Says:

www.hfsoffshore.com resolves to 89.107.62.192
Server Type: Microsoft-IIS/10.0
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by DigiCert.
The certificate will expire in 194 days.
The hostname (www.hfsoffshore.com) is correctly listed in the certificate.

Notice the 3rd line:
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

There is no reason this certificate from geotrust should not be trusted.

Thank you,
Tom Stilley

boco
Contributor
Posts: 24685
Joined: 2006-05-01 03:28
Location: Germany

Re: Error about invalid certificate is incorrect

#6 Post by boco » 2019-03-22 21:40

Please note that the configured certificates for HTTP vs. FTP services can differ, being different services, after all. The certificate chain must not only be updated for the website (HTTP server), but must be updated in the FTP server software as well.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

trstillzilla
504 Command not implemented
Posts: 6
Joined: 2019-03-08 23:42

Re: Error about invalid certificate is incorrect

#7 Post by trstillzilla » 2019-03-22 21:48

Thanks again.
I will look at this. But, this seems to be pretty obvious that this is a bug in Filezilla.
I notice a lot of users are having the same problem with this bogus expired certificate message and the inability to bypass it.
I use 2 other FTP programs on the same server and never have a problem even when using SSL connections and FTPS.
Hopefully the Filezilla can fix this or allow a workaround to eliminate this problem for many of their users.

Thanks again,
Tom Stilley

botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Error about invalid certificate is incorrect

#8 Post by botg » 2019-03-23 11:49

trstillzilla wrote: 2019-03-22 21:48
> I notice a lot of users are having the same problem with this bogus expired certificate message and the inability to bypass it.

It's not bogus, the certificate clearly is expired. Simple as that.

> I use 2 other FTP programs on the same server and never have a problem even when using SSL connections and FTPS

Looks like these other two programs are very insecure and should not be used.

trstillzilla
504 Command not implemented
Posts: 6
Joined: 2019-03-08 23:42

Re: Error about invalid certificate is incorrect

#9 Post by trstillzilla » 2019-03-23 13:03

Everything you can look into about the SSL certificates says they are not expired and they are valid and current certificates.
You can run any test and it shows they are not expired. This is on multiple sites with different SSL certificates.
This is obviously a false error.
I can accept if there is no plan to correct it.
But blaming it on the certificate is basically an insult to my intelligence and over 30 years in the IT business and trying to dodge the problem.
No need to keep making excuses by replying to this post.
I accept it is just working the way it is and no plans to correct it.

Thank you

botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Error about invalid certificate is incorrect

#10 Post by botg » 2019-03-23 17:01

> But blaming it on the certificate is basically an insult to my intelligence and over 30 years in the IT business and trying to dodge the problem.

With a statement like that I don't think insulting your intelligence is necessary.

> No need to keep making excuses by replying to this post.

Apology accepted.

trstillzilla
504 Command not implemented
Posts: 6
Joined: 2019-03-08 23:42

Re: Error about invalid certificate is incorrect

#11 Post by trstillzilla » 2019-03-23 17:44

I have given you undeniable proof, several times, that the certificates are valid.
If you prefer to make insults rather than acknowledge a proven problem with the software, then let's not waste any more of each other's time.
Reply with whatever you want. It will not be seen by me.

botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Error about invalid certificate is incorrect

#12 Post by botg » 2019-03-23 18:27

user@localhost:~$  gnutls-cli -p 443 www.hfsoffshore.com
Processed 128 CA certificate(s).
Resolving 'www.hfsoffshore.com:443'...
Connecting to '89.107.62.192:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=www.hfsoffshore.com,O=Harbor Financial Services LLC,L=Plano,ST=Texas,C=US,serialNumber=696-604,jurisdictionOfIncorporationStateOrProvinceName=Alabama,jurisdictionOfIncorporationCountryName=US,businessCategory=Private Organization', issuer `CN=GeoTrust EV RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0c6be8402df9d80a6265cb7a430c8f3d, RSA key 4096 bits, signed using RSA-SHA256, activated `2018-09-20 00:00:00 UTC', expires `2019-10-03 12:00:00 UTC', pin-sha256="5ajGeQ7oHfhEr+cE0GWHmbXq/l8MN+17MEG6KIdgZ/4="
        Public Key ID:
                sha1:612ce8fb7048c255a994d80ad9923a13f7c97026
                sha256:e5a8c6790ee81df844afe704d0658799b5eafe5f0c37ed7b3041ba28876067fe
        Public Key PIN:
                pin-sha256:5ajGeQ7oHfhEr+cE0GWHmbXq/l8MN+17MEG6KIdgZ/4=

- Certificate[1] info:
 - subject `CN=GeoTrust EV RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x03feef1bb5b648349a20950f8bc69753, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-11-06 12:22:46 UTC', expires `2027-11-06 12:22:46 UTC', pin-sha256="yWulDX8E5Q0XG4+9jVDljmO2FvAVzIRhn2MppW4vyUM="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-X25519)-(RSA-SHA1)-(AES-256-GCM)
- Session ID: 6A:1D:00:00:69:62:B3:6E:47:2E:ED:A8:9F:5D:73:3F:E3:85:32:D0:14:AB:22:8E:07:F5:1D:EF:8C:01:B1:0D
- Options: extended master secret, safe renegotiation, OCSP status request,
- Handshake was completed


user@localhost:~$  gnutls-cli -p 990 www.hfsoffshore.com
Processed 128 CA certificate(s).
Resolving 'www.hfsoffshore.com:990'...
Connecting to '89.107.62.192:990'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=trstillg@gmail.com,OU=IT,O=HFSFTP,L=Denver,ST=CO,C=US,CN=89.107.62.192', issuer `EMAIL=trstillg@gmail.com,OU=IT,O=HFSFTP,L=Denver,ST=CO,C=US,CN=89.107.62.192', serial 0x5914c09f, RSA key 4096 bits, signed using RSA-SHA256, activated `2017-06-24 23:56:10 UTC', expires `2018-06-24 23:56:10 UTC', pin-sha256="fke/J6vfhmaeNkfxqs30/UqAUGdEIAu1QgoinnBmgAo="
        Public Key ID:
                sha1:d7803f54bf168f769f18914f3536b0fa9b686712
                sha256:7e47bf27abdf86669e3647f1aacdf4fd4a80506744200bb5420a229e7066800a
        Public Key PIN:
                pin-sha256:fke/J6vfhmaeNkfxqs30/UqAUGdEIAu1QgoinnBmgAo=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

Care to explain this?

boco
Contributor
Posts: 24685
Joined: 2006-05-01 03:28
Location: Germany

Re: Error about invalid certificate is incorrect

#13 Post by boco » 2019-03-24 01:01

As I suspected: The FTP software (FTPS port 990) returns a different, invalid certificate. The HTTPS service (HTTPS port 443) returns the good one.

Fact one: The HTTPS certificate is good.
Fact two: The FTP certificate is invalid and obviously not the same.

Certificates are configured by service, not by domain. Any domain's services (and even subdomains') can send a different certificate.

So, you must make sure the FTP server software sends the correct certificate. Right now, it doesn't (or there is some weird caching going on).
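
The per-service comparison from posts #12 and #13, as an added example that is not part of the original thread: a Python parser for `gnutls-cli` output that reports, for each port, whether the leaf certificate is expired or self-issued, and whether both services present the same public key. The sample outputs are abridged from post #12 and marked as constructed; the function names and the reference date are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the leaf-certificate lines from the two gnutls-cli runs
# in post #12, with subject/issuer DNs, serials and key details abridged.
PORT_443 = """- Certificate[0] info:
 - subject `CN=www.hfsoffshore.com,O=Harbor Financial Services LLC', issuer `CN=GeoTrust EV RSA CA 2018,O=DigiCert Inc,C=US', activated `2018-09-20 00:00:00 UTC', expires `2019-10-03 12:00:00 UTC', pin-sha256="5ajGeQ7oHfhEr+cE0GWHmbXq/l8MN+17MEG6KIdgZ/4="
- Status: The certificate is trusted.
"""
PORT_990 = """- Certificate[0] info:
 - subject `O=HFSFTP,C=US,CN=89.107.62.192', issuer `O=HFSFTP,C=US,CN=89.107.62.192', activated `2017-06-24 23:56:10 UTC', expires `2018-06-24 23:56:10 UTC', pin-sha256="fke/J6vfhmaeNkfxqs30/UqAUGdEIAu1QgoinnBmgAo="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
"""

# gnutls-cli quotes DN and date fields as `value' (backtick open, quote close).
LEAF = re.compile(
    r"Certificate\[0\] info:\s*- subject `([^']*)', issuer `([^']*)'.*?"
    r"expires `([^']*) UTC', pin-sha256=\"([^\"]*)\".*?- Status: ([^\n]*)",
    re.S,
)

def leaf(output):
    """Extract the leaf certificate's fields from one gnutls-cli run."""
    m = LEAF.search(output)
    if m is None:
        raise ValueError("no Certificate[0] block found")
    subject, issuer, expires, pin, status = m.groups()
    when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"subject": subject, "issuer": issuer, "expires": when,
            "pin": pin, "status": status}

def problems(output, now):
    """List the defects visible in the leaf certificate at time `now`."""
    cert, found = leaf(output), []
    if cert["expires"] < now:
        found.append("expired")
    if cert["subject"] == cert["issuer"]:
        found.append("self-issued")
    return found

def compare(out_a, out_b, now):
    """Compare two services on one host, e.g. HTTPS on 443 and FTPS on 990."""
    return {"same_key": leaf(out_a)["pin"] == leaf(out_b)["pin"],
            "a": problems(out_a, now), "b": problems(out_b, now)}

NOW = datetime(2019, 3, 23, tzinfo=timezone.utc)  # assumed: date of post #12
print(compare(PORT_443, PORT_990, NOW))
```

The `pin-sha256` value identifies the public key rather than the whole certificate, so differing pins show that the two ports serve different certificates, while equal pins alone would not prove the certificates are identical.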
