Failed to extract certificate trust path

alan1world1
500 Command not understood
Posts: 5
Joined: 2021-10-14 23:43
First name: A
Last name: C

Failed to extract certificate trust path

#1 Post by alan1world1 » 2021-10-15 00:17

FTP connections were working until about a week ago (maybe 2 weeks tops).
Suddenly connections are refused with this log:

Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Error: Failed to extract certificate trust path
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".

Server version is Pure-FTPd 1.0.43

Server is up, connection path and user id/password correct.
Login and transfers work if TLS is turned off.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Failed to extract certificate trust path

#2 Post by botg » 2021-10-15 07:24

What's the hostname?

Re: Failed to extract certificate trust path

#3 Post by alan1world1 » 2021-10-15 17:59

Host is ftp.<username>.appboxes.co

Connections and downloads work when using plain FTP.

antoine
500 Command not understood
Posts: 1
Joined: 2021-10-17 09:08
First name: Antoine

Re: Failed to extract certificate trust path

#4 Post by antoine » 2021-10-17 09:38

Hello,

I'm currently facing the same issue: I used to connect successfully to my TLS enabled FTP server (pure-ftpd, version 1.0.36-3.2 running on Debian 8.10) without any issue until yesterday when I updated to FileZilla 3.56.0, running on Arch Linux.

When connecting, this error is displayed:

2021-10-17 11:02:48 35911 1 Statut : Résolution de l'adresse de XXXXX
2021-10-17 11:02:48 35911 1 Statut : Connexion à XXXXXXX:21...
2021-10-17 11:02:48 35911 1 Statut : Connexion établie, attente du message d'accueil...
2021-10-17 11:02:48 35911 1 Réponse : 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
2021-10-17 11:02:48 35911 1 Réponse : 220-You are user number 1 of 9 allowed.
2021-10-17 11:02:48 35911 1 Réponse : 220-Local time is now 09:02. Server port: 21.
2021-10-17 11:02:48 35911 1 Réponse : 220-This is a private system - No anonymous login
2021-10-17 11:02:48 35911 1 Réponse : 220 You will be disconnected after 15 minutes of inactivity.
2021-10-17 11:02:48 35911 1 Commande : AUTH TLS
2021-10-17 11:02:48 35911 1 Réponse : 234 AUTH TLS OK.
2021-10-17 11:02:48 35911 1 Statut : Initialisation de TLS...
2021-10-17 11:02:48 35911 1 Erreur : Failed to extract certificate trust path
2021-10-17 11:02:48 35911 1 Statut : Échec de la tentative de connexion avec "ECONNABORTED - Connexion annulée".
2021-10-17 11:02:48 35911 1 Erreur : Impossible d'établir une connexion au serveur
2021-10-17 11:02:48 35911 1 Statut : Attente avant nouvel essai...
2021-10-17 11:02:52 35911 1 Erreur : Tentative de connexion interrompue par l'utilisateur

I've attached the full FileZilla log, with debug mode enabled.

For the record, I've tried to downgrade the minimum required TLS version to 1.0 with no success.

The same server is working perfectly when using curl to connect (from the same computer):

[antoine@archlinux ~]$ curl -v -uXXXX:XXXX ftp://XXXXXX --ftp-ssl
*   Trying XXXXX:21...
* Connected to XXXXX (XXXXXXX) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 9 allowed.
< 220-Local time is now 09:04. Server port: 21.
< 220-This is a private system - No anonymous login
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: CN=XXXXXX
*  start date: Oct 11 01:27:10 2021 GMT
*  expire date: Jan  9 01:27:09 2022 GMT
*  subjectAltName: host "XXXXXXXX" matched cert's "XXXXXX"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> USER XXXXX
< 331 User XXXXX OK. Password required
> PASS XXXXX
< 230 OK. Current directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
* Request has same path as previous transfer
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Extended Passive mode OK (|||30002|)
*   Trying XXXXXXX:30002...
* Connecting to XXXXXX (XXXXXX) port 30002
* Connected to XXXXXX (XXXXXX) port 21 (#0)
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: CN=XXXXXXXX
*  start date: Oct 11 01:27:10 2021 GMT
*  expire date: Jan  9 01:27:09 2022 GMT
*  subjectAltName: host "XXXXXXXX" matched cert's "XXXXXXX"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
drwxrwxr-x    2 991        986              4096 Mar 11  2018 XXXXXX
[...]

For information, I'm using a Let's Encrypt issued certificate. Could this issue be related to the CA's recent root expiration? (https://scotthelme.co.uk/lets-encrypt-o ... xpiration/).

Antoine
Attachments
filezilla_censored.log
FileZilla session log - debug mode enabled

Charley
500 Command not understood
Posts: 1
Joined: 2021-10-17 10:18
First name: Charley

Re: Failed to extract certificate trust path

#5 Post by Charley » 2021-10-17 10:28

I have also had feedback from customers who have upgraded FileZilla and now get the same error when connecting to a business FTP server (pure-ftpd), which had been working fine for several years.

Also the same "Failed to extract certificate trust path" error in the logs.

We use a wildcard certificate, issued by AlphaSSL, but we also tested with another wildcard cert from Sectigo (our previous one was expiring soon), but it didn't help.

I asked the users for some more details (OS used, etc.), I'll post them here as soon as I have them.

Re: Failed to extract certificate trust path

#6 Post by botg » 2021-10-18 11:29

Please don't obfuscate hostnames and IP addresses. It makes reproducing the issue impossible.

Re: Failed to extract certificate trust path

#7 Post by alan1world1 » 2021-10-18 14:45

Host is ftp.alanseed.appboxes.co

Re: Failed to extract certificate trust path

#8 Post by botg » 2021-10-18 14:54

There does not appear to be a working FTP server at that hostname.

Re: Failed to extract certificate trust path

#9 Post by alan1world1 » 2021-10-18 15:04

Sorry, I should have mentioned it needs a different port:

ftp.alanseed.appboxes.co

Port 10618

tmo6
500 Command not understood
Posts: 2
Joined: 2021-10-18 12:03
First name: Tmo

Re: Failed to extract certificate trust path

#10 Post by tmo6 » 2021-10-19 07:45

Same problem here with FileZilla 3.55.1 (was working just fine a few weeks, or so, ago).

I tested a few servers (explicit FTPS connection), and at least in my case the common factor seems to be cPanel servers. I wasn't able to successfully connect to any cPanel hosted hosts.

Vastaus: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Vastaus: 220-You are user number 1 of 50 allowed.
Vastaus: 220-Local time is now 10:32. Server port: 21.
Vastaus: 220-This is a private system - No anonymous login
Vastaus: 220-IPv6 connections are also welcome on this server.
Vastaus: 220 You will be disconnected after 15 minutes of inactivity.
Komento: AUTH TLS
Vastaus: 234 AUTH TLS OK.
Tila: Alustetaan TLS...
Virhe: Failed to extract certificate trust path
Tila: Yhteysyritys epäonnistui osoitteeseen "ECONNABORTED - Yhteys keskeytetty".
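
The logs posted so far carry localized labels (Statut, Vastaus, Response) but the same untranslated error string, so reports like these can be triaged by protocol phase regardless of client language. The following is an added example, not part of any post in this thread and not FileZilla code; the function name, verdict strings and sample hostname are assumptions made for illustration.

```python
import re

# The error text is the same in the English, French and Finnish logs in this thread.
TRUST_PATH_ERROR = "Failed to extract certificate trust path"
# Optional "date time pid id" prefix, a localized label, a colon, then the message.
LINE = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ \d+ )?[^:]+? ?: ?(.*)$")

def triage(log_text):
    """Report at which point of an explicit-FTPS session the error was logged."""
    greeted = auth_ok = login_started = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if re.match(r"220[ -]", msg):
            greeted = True            # server greeting: host and port are reachable
        elif msg.startswith("234"):
            auth_ok = True            # server accepted AUTH TLS
        elif msg.startswith(("USER ", "331", "230")):
            login_started = True      # TLS is up, credentials are being exchanged
        elif TRUST_PATH_ERROR in msg:
            if auth_ok and not login_started:
                return "client-tls-init-after-auth-tls"
            if greeted and not login_started:
                return "client-tls-init"
            return "trust-path-error-other-phase"
    return "no-trust-path-error"

# Constructed samples, abridged from the logs quoted above; the hostname is a placeholder.
FR_LOG = """2021-10-17 11:02:48 35911 1 Statut : Connexion à ftp.example.test:21...
2021-10-17 11:02:48 35911 1 Commande : AUTH TLS
2021-10-17 11:02:48 35911 1 Réponse : 234 AUTH TLS OK.
2021-10-17 11:02:48 35911 1 Erreur : Failed to extract certificate trust path"""
FI_LOG = """Komento: AUTH TLS
Vastaus: 234 AUTH TLS OK.
Virhe: Failed to extract certificate trust path"""
EN_LOG = """Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Error: Failed to extract certificate trust path"""
OK_LOG = """Response: 234 AUTH TLS OK.
Command: USER demo
Response: 331 User demo OK. Password required"""
```

A verdict of `client-tls-init-after-auth-tls` means the server answered and accepted AUTH TLS, and the error was logged before any login command, which rules out reachability and credentials as the cause.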

Re: Failed to extract certificate trust path

#11 Post by botg » 2021-10-19 08:50

Tomorrow, not today, please try tomorrow's but not today's nightly build from https://filezilla-project.org/nightly.php

Re: Failed to extract certificate trust path

#12 Post by tmo6 » 2021-10-20 07:37

2021-10-20 nightly build fixed the problem! Initializing TLS and verifying certificate is now working.

Re: Failed to extract certificate trust path

#13 Post by alan1world1 » 2021-10-20 17:15

The nightly binary build of 2021-10-20 works!

Attempting to build via the Arch Linux pacman system didn't work (using a modified version of the PKGBUILD - https://github.com/archlinux/svntogit-c ... k/PKGBUILD - to point at the nightly build instead of release).

Not a big deal, Arch will pick up this working build when it is officially released.

Thanks for fixing this so quickly!
