unsorted certificate chain
Question about FTPS. For the most part ours works great, except for this error during the connection: "Server sent unsorted certificate chain in violation of the TLS specification". This error does not prevent any client functionality, but it is red and scary!
I've done my reading on these forums; using the SSLshopper certificate checker, the chain checks out fine. Given that the chain checks out, I'm unsure how to proceed in correcting that error.
It's a wildcard cert, btw, if that matters. Also, we're self-hosting our FTP.
Names Obfuscated in screenshot intentionally
Re: unsorted certificate chain
How did you check that the chain checks out fine?
Note that you must check explicitly against the FTP server. HTTP servers and FTP servers are different programs with independent configurations. Even if the certificates are correctly configured in one, it says nothing about the other.
Re: unsorted certificate chain
Thank you for the reply.
I checked it out by pointing SSLshopper at the FTP server on port 990. When I compare the results from the SSLShopper link to the certs in the PEM file, they match in order from top to bottom, so I assumed the results were correct.
This is the link with my domain removed; I could PM it unedited.
https://www.sslshopper.com/ssl-checker.html#hostname=<host>.<domain>.com:990
This is the chain result that comes from the SSLShopper cert chain checker, in text form. I attached a screenshot in my first post.
Common name: *.<redacted>.com
SANs: *.<redacted>.com, <redacted>.com
Valid from September 1, 2020 to September 5, 2021
Serial Number: 9<removed>7
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Secure Certificate Authority - G2

Organization: Starfield Technologies, Inc. Org. Unit: Starfield Class 2 Certification Authority
Location: US
Valid from June 29, 2004 to June 29, 2034
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Root Certificate Authority - G2
Organization: Starfield Technologies, Inc.
Location: Scottsdale, Arizona, US
Valid from December 31, 2013 to May 30, 2031
Serial Number: 3740804 (0x391484)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Secure Certificate Authority - G2
Organization: Starfield Technologies, Inc. Org. Unit: http://certs.starfieldtech.com/repository/
Location: Scottsdale, Arizona, US
Valid from May 3, 2011 to May 3, 2031
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Root Certificate Authority - G2
Last edited by Craigm1 on 2021-06-09 13:25, edited 1 time in total.
Re: unsorted certificate chain
I just realized in my PEM file, the first entry is
----BEGIN PRIVATE KEY-----
<a private key>
---- END PRIVATE KEY-----
and then beneath that private key the cert chain starts. Isn't that wrong? My private key is in a .KEY file.
Re: unsorted certificate chain
Both key and cert CAN be in the same file, that's what FileZilla Server does with its self-signed stuff, IIRC.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
Re: unsorted certificate chain
Oh good, I was afraid for a sec that the private key was at risk because I had it misconfigured...
Re: unsorted certificate chain
The certificate blocks in the file need to be ordered from the server certificate to root.
Looking at your chain, the issuer string listed on your server certificate is not found in the certificate that follows it immediately. I have my doubts as to the quality of the chain checker you used.
Edit: I ran a quick test with an intentionally mismatched chain. That chain checker you used is definitely broken.
Re: unsorted certificate chain
I have connected to this site using OpenSSL:
removed domain name<mydomain>.com
Here is the result. Can you assist in deciphering this?
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.<mydomain>.com
verify return:1
---
Certificate chain
0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
Re: unsorted certificate chain
The chain needs to be sorted. Following an issuer line (starting with i:) there must be a matching subject line (starting with s: after the certificate number).
Certificate chain
0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
Had the server sent a properly sorted chain, it would look something like this:
Certificate chain
0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
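As an added example (not from this thread, FileZilla or OpenSSL), a small Python script that applies the rule above to the "Certificate chain" section of openssl s_client output: it checks whether each i: line matches the s: line of the following certificate and, if not, works out the server-to-root order in which the PEM blocks need to be pasted back. The sample input is the redacted chain from earlier in the thread, embedded inline; the script assumes every certificate in the chain has a distinct subject.

```python
import re

# Constructed sample: the redacted "Certificate chain" section of the s_client output posted above.
UNSORTED_CHAIN = """\
0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
  i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
  i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
  i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
  i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1)
        elif line.startswith("i:") and subject is not None:
            certs.append((subject, line[2:]))
            subject = None
    return certs

def is_sorted(certs):
    """The rule from the thread: each i: line must equal the s: line of the certificate that follows."""
    return all(certs[n][1] == certs[n + 1][0] for n in range(len(certs) - 1))

def sort_chain(certs):
    """Rebuild server -> root order by following issuer -> subject links."""
    by_subject = {s: (s, i) for s, i in certs}          # assumes distinct subjects
    issuers = {i for _, i in certs}
    leaves = [c for c in certs if c[0] not in issuers]  # the server cert issued nothing
    if len(leaves) != 1:
        raise ValueError("cannot identify a single server certificate")
    ordered = [leaves[0]]
    while ordered[-1][0] != ordered[-1][1]:             # stop at the self-signed root
        nxt = by_subject.get(ordered[-1][1])
        if nxt is None or nxt in ordered:               # incomplete chain or a loop
            break
        ordered.append(nxt)
    return ordered

if __name__ == "__main__":
    chain = parse_chain(UNSORTED_CHAIN)
    print("sorted as sent:", is_sorted(chain))
    print("server-to-root order of PEM blocks:", [chain.index(c) for c in sort_chain(chain)])
```

For the chain in this thread the script reports that it is not sorted and that the blocks belong in the order 0, 3, 2, 1, which is the order shown in the corrected output above.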
Re: unsorted certificate chain
Thanks for all of your help and explanation.
Is there a way I can manipulate this myself using OpenSSL? I am extracting the PEM and KEY from a .pfx in OpenSSL.
Or is this cert just malformed when we purchase it?
Re: unsorted certificate chain
If it's a PEM containing multiple certs, you can simply reorder the certificate blocks in any text editor.
Re: unsorted certificate chain
Hello Botg;
Just wanted to say thanks again for all of your assistance. I was delayed in resolving this issue, but finally got back around to it.
Resorted the cert blocks as you suggested, and voilà!
0 s:CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
no more ugly red unsorted chain error!
Appreciate your patience and kind help!