Linux client problem with DST Root CA X3

#1 Post by crawford-b » 2022-01-07 17:19

Hello. When using FileZilla on Windows to access my SiteGround FTP server, I have no problems. When using FileZilla on Linux (RHEL8) I can access the server, but only after being warned about the expiry of the DST certificate every time, repeatedly. I understand the DST problem and I asked SiteGround to remove the long chain from their servers but they said their servers were fine and they didn't want to change anything. For some reason, the Linux FileZilla client isn't as tolerant as the Windows client, and will not let me click "Always accept..." In a sense, FileZilla is doing its job correctly to warn about the expiry, but how come it only does it on Linux? I have to click to accept the certificate on almost every operation, not just on logging in, and it's becoming annoying! I would appreciate any guidance. Screenshots attached. Thank you.
Attachments:
Intermediate.png: The ISRG certificate, accepted.
DST Root.png: The DST certificate, rejected.

Re: Linux client problem with DST Root CA X3

#2 Post by botg » 2022-01-10 13:50

The expired certificate is in your system trust store, usually at /etc/ssl/certs. Remove it from there.

Re: Linux client problem with DST Root CA X3

#3 Post by crawford-b » 2022-01-10 15:30

That did it! Thank you very much.
I had already attempted to remove the DST Root CA from my trust store but the command trust anchor --remove... didn't work.
This time I opened ca-bundle.trust.p11-kit in vim and manually deleted the DST entry, ran update-ca-trust extract and now FileZilla is happy.
Thank you.
