
Failed to extract certificate trust path

Posted: 2021-10-15 00:17
by alan1world1
FTP connections were working until about a week ago (maybe 2 weeks tops).
Suddenly connections are refused with this log:

Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Error: Failed to extract certificate trust path
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".

Server version is Pure-FTPd 1.0.43

Server is up, connection path and user id/password correct.
Login and transfers work if TLS is turned off.

Re: Failed to extract certificate trust path

Posted: 2021-10-15 07:24
by botg
What's the hostname?

Re: Failed to extract certificate trust path

Posted: 2021-10-15 17:59
by alan1world1
Host is ftp.<username>.appboxes.co

Connections and downloads work when using plain FTP.

Re: Failed to extract certificate trust path

Posted: 2021-10-17 09:38
by antoine
Hello,

I'm currently facing the same issue: I used to connect successfully to my TLS-enabled FTP server (pure-ftpd, version 1.0.36-3.2 running on Debian 8.10) without any issue until yesterday, when I updated to FileZilla 3.56.0, running on Arch Linux.

When connecting, this error is displayed:

2021-10-17 11:02:48 35911 1 Statut : Résolution de l'adresse de XXXXX
2021-10-17 11:02:48 35911 1 Statut : Connexion à XXXXXXX:21...
2021-10-17 11:02:48 35911 1 Statut : Connexion établie, attente du message d'accueil...
2021-10-17 11:02:48 35911 1 Réponse : 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
2021-10-17 11:02:48 35911 1 Réponse : 220-You are user number 1 of 9 allowed.
2021-10-17 11:02:48 35911 1 Réponse : 220-Local time is now 09:02. Server port: 21.
2021-10-17 11:02:48 35911 1 Réponse : 220-This is a private system - No anonymous login
2021-10-17 11:02:48 35911 1 Réponse : 220 You will be disconnected after 15 minutes of inactivity.
2021-10-17 11:02:48 35911 1 Commande : AUTH TLS
2021-10-17 11:02:48 35911 1 Réponse : 234 AUTH TLS OK.
2021-10-17 11:02:48 35911 1 Statut : Initialisation de TLS...
2021-10-17 11:02:48 35911 1 Erreur : Failed to extract certificate trust path
2021-10-17 11:02:48 35911 1 Statut : Échec de la tentative de connexion avec "ECONNABORTED - Connexion annulée".
2021-10-17 11:02:48 35911 1 Erreur : Impossible d'établir une connexion au serveur
2021-10-17 11:02:48 35911 1 Statut : Attente avant nouvel essai...
2021-10-17 11:02:52 35911 1 Erreur : Tentative de connexion interrompue par l'utilisateur

I've attached the full FileZilla log, with debug mode enabled.

For the record, I've tried to downgrade the minimum required TLS version to 1.0 with no success.

The same server is working perfectly when using curl to connect (from the same computer):

[antoine@archlinux ~]$ curl -v -uXXXX:XXXX ftp://XXXXXX --ftp-ssl
*   Trying XXXXX:21...
* Connected to XXXXX (XXXXXXX) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 9 allowed.
< 220-Local time is now 09:04. Server port: 21.
< 220-This is a private system - No anonymous login
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: CN=XXXXXX
*  start date: Oct 11 01:27:10 2021 GMT
*  expire date: Jan  9 01:27:09 2022 GMT
*  subjectAltName: host "XXXXXXXX" matched cert's "XXXXXX"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> USER XXXXX
< 331 User XXXXX OK. Password required
> PASS XXXXX
< 230 OK. Current directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
* Request has same path as previous transfer
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Extended Passive mode OK (|||30002|)
*   Trying XXXXXXX:30002...
* Connecting to XXXXXX (XXXXXX) port 30002
* Connected to XXXXXX (XXXXXX) port 21 (#0)
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: CN=XXXXXXXX
*  start date: Oct 11 01:27:10 2021 GMT
*  expire date: Jan  9 01:27:09 2022 GMT
*  subjectAltName: host "XXXXXXXX" matched cert's "XXXXXXX"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
drwxrwxr-x    2 991        986              4096 Mar 11  2018 XXXXXX
[...]

For information, I'm using a certificate issued by Let's Encrypt. Could this issue be related to the CA's recent root expiration? (https://scotthelme.co.uk/lets-encrypt-o ... xpiration/).

Antoine

Re: Failed to extract certificate trust path

Posted: 2021-10-17 10:28
by Charley
I have also had feedback from customers who have upgraded FileZilla and now get the same error when connecting to a business FTP server (pure-ftpd), which had been working fine for several years.

Also the same "Failed to extract certificate trust path" error in the logs.

We use a wildcard certificate, issued by AlphaSSL, but we also tested with another wildcard cert from Sectigo (our previous one was expiring soon), but it didn't help.

I asked the users for some more details (OS used, etc.); I'll post them here as soon as I have them.

Re: Failed to extract certificate trust path

Posted: 2021-10-18 11:29
by botg
Please don't obfuscate hostnames and IP addresses. It makes reproducing the issue impossible.

Re: Failed to extract certificate trust path

Posted: 2021-10-18 14:45
by alan1world1
Host is ftp.alanseed.appboxes.co

Re: Failed to extract certificate trust path

Posted: 2021-10-18 14:54
by botg
There does not appear to be a working FTP server at that hostname.

Re: Failed to extract certificate trust path

Posted: 2021-10-18 15:04
by alan1world1
Sorry, I should have mentioned it needs a different port:

ftp.alanseed.appboxes.co

Port 10618

Re: Failed to extract certificate trust path

Posted: 2021-10-19 07:45
by tmo6
Same problem here with FileZilla 3.55.1 (was working just fine a few weeks, or so, ago).

I tested a few servers (explicit FTPS connection), and at least in my case the common factor seems to be cPanel servers. I wasn't able to successfully connect to any cPanel-hosted hosts.

Vastaus: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Vastaus: 220-You are user number 1 of 50 allowed.
Vastaus: 220-Local time is now 10:32. Server port: 21.
Vastaus: 220-This is a private system - No anonymous login
Vastaus: 220-IPv6 connections are also welcome on this server.
Vastaus: 220 You will be disconnected after 15 minutes of inactivity.
Komento: AUTH TLS
Vastaus: 234 AUTH TLS OK.
Tila: Alustetaan TLS...
Virhe: Failed to extract certificate trust path
Tila: Yhteysyritys epäonnistui osoitteeseen "ECONNABORTED - Yhteys keskeytetty".
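
The client logs posted up to this point carry English, French and Finnish labels but the same FTP reply codes and the same untranslated error string. The following is an added example, not part of any post in this thread and not FileZilla code: a small triage function that ignores the localized labels and reports how far a login got, so a failure after `234` and before `USER` can be told apart from a session that sent credentials without TLS. The sample logs, the placeholder host `ftp.example.test`, the user `demo` and the stage names are constructed for illustration.

```python
import re

# The error text is identical (untranslated) in every log posted in this thread.
TRUST_PATH_ERROR = "Failed to extract certificate trust path"
# Optional "date time pid id" prefix, then "<localized label>: <text>".
LINE = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ \d+ )?[^:]+?\s*:\s(.*)$")
REPLY = re.compile(r"^(\d{3})[ -]")
COMMAND = re.compile(r"^(AUTH TLS|USER|PASS)\b")

def triage(log_text):
    """Classify how far an FTP login got, ignoring the localized labels."""
    tls_requested = tls_accepted = creds_sent = creds_in_clear = trust_error = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        text = m.group(1)
        cmd, reply = COMMAND.match(text), REPLY.match(text)
        if cmd and cmd.group(1) == "AUTH TLS":
            tls_requested = True
        elif cmd:  # USER or PASS
            creds_sent = True
            creds_in_clear = creds_in_clear or not tls_accepted
        elif reply and reply.group(1) == "234" and tls_requested:
            tls_accepted = True  # server agreed to start TLS on the control channel
        elif TRUST_PATH_ERROR in text:
            trust_error = True
    if trust_error and tls_accepted and not creds_sent:
        stage = "tls_setup_failed_before_login"
    elif creds_in_clear:
        stage = "cleartext_login"
    else:
        stage = "other"
    return {"stage": stage, "credentials_sent": creds_sent}

# Constructed samples modelled on the logs in this thread (placeholder host/user).
FRENCH = """2021-10-17 11:02:48 35911 1 Commande : AUTH TLS
2021-10-17 11:02:48 35911 1 Réponse : 234 AUTH TLS OK.
2021-10-17 11:02:48 35911 1 Erreur : Failed to extract certificate trust path"""
FINNISH = """Vastaus: 220-Local time is now 10:32. Server port: 21.
Komento: AUTH TLS
Vastaus: 234 AUTH TLS OK.
Virhe: Failed to extract certificate trust path"""
PLAIN = """Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: USER demo
Response: 331 User demo OK. Password required
Command: PASS ****"""
if __name__ == "__main__":
    print(triage(FRENCH), triage(FINNISH), triage(PLAIN))
```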

Re: Failed to extract certificate trust path

Posted: 2021-10-19 08:50
by botg
Tomorrow, not today, please try tomorrow's but not today's nightly build from https://filezilla-project.org/nightly.php

Re: Failed to extract certificate trust path

Posted: 2021-10-20 07:37
by tmo6
2021-10-20 nightly build fixed the problem! Initializing TLS and verifying certificate is now working.

Re: Failed to extract certificate trust path

Posted: 2021-10-20 17:15
by alan1world1
The nightly binary build of 2021-10-20 works!

Attempting to build via the Arch Linux pacman system didn't work (using a modified version of the PKGBUILD - https://github.com/archlinux/svntogit-c ... k/PKGBUILD - to point at the nightly build instead of release).

Not a big deal, Arch will pick up this working build when it is officially released.

Thanks for fixing this so quickly!