unsorted certificate chain

Craigm1
504 Command not implemented
Posts: 7
Joined: 2021-06-08 21:38
First name: Craig

unsorted certificate chain

#1 Post by Craigm1 » 2021-06-08 22:06

Question about FTPS. For the most part ours works great, except for this error during the connection: "Server sent unsorted certificate chain in violation of the TLS specification". This error does not prevent any client functionality, but it is red and scary! ;)

I've done my reading on these forums; using the SSLshopper certificate checker, the chain checks out fine. Given that the chain checks out, I'm unsure how to proceed in correcting that error?

It's a wildcard cert, btw, if that matters. Also, we're self-hosting our FTP.

Names obfuscated in screenshot intentionally.
[screenshot: cert.png]

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: unsorted certificate chain

#2 Post by botg » 2021-06-09 06:39

How did you check that the chain checks out fine?

Note that you must check explicitly against the FTP server. HTTP servers and FTP servers are different programs with independent configurations. Even if the certificates are correctly configured in one, it says nothing about the other.

Craigm1
504 Command not implemented
Posts: 7
Joined: 2021-06-08 21:38
First name: Craig

Re: unsorted certificate chain

#3 Post by Craigm1 » 2021-06-09 12:04

Thank you for the reply.

I checked it out by pointing SSLshopper at the FTP server on port 990. When I compare the results from the SSLShopper link to the certs in the PEM file, they match in order from top to bottom, so I assumed the results were correct.

This is the link with my domain removed; I could PM it unedited.
https://www.sslshopper.com/ssl-checker.html#hostname=<host>.<domain>.com:990

This is the chain result that comes from the SSLShopper cert chain checker, in text form. I attached a screenshot in my first post.

Common name: *.<redacted>.com
SANs: *.<redacted>.com, <redacted>.com
Valid from September 1, 2020 to September 5, 2021
Serial Number: 9<removed>7
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Secure Certificate Authority - G2

Organization: Starfield Technologies, Inc. Org. Unit: Starfield Class 2 Certification Authority
Location: US
Valid from June 29, 2004 to June 29, 2034
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Root Certificate Authority - G2
Organization: Starfield Technologies, Inc.
Location: Scottsdale, Arizona, US
Valid from December 31, 2013 to May 30, 2031
Serial Number: 3740804 (0x391484)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Secure Certificate Authority - G2
Organization: Starfield Technologies, Inc. Org. Unit: http://certs.starfieldtech.com/repository/
Location: Scottsdale, Arizona, US
Valid from May 3, 2011 to May 3, 2031
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Root Certificate Authority - G2

Craigm1
504 Command not implemented
Posts: 7
Joined: 2021-06-08 21:38
First name: Craig

Re: unsorted certificate chain

#4 Post by Craigm1 » 2021-06-09 12:07

I just realized in my PEM file, the first entry is

----BEGIN PRIVATE KEY-----
<a private key>
---- END PRIVATE KEY-----

and then beneath that private key the cert chain starts... Isn't that wrong? My private key is in a .KEY file.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: unsorted certificate chain

#5 Post by boco » 2021-06-09 12:38

Both key and cert CAN be in the same file, that's what FileZilla Server does with its self-signed stuff, IIRC.

Craigm1
504 Command not implemented
Posts: 7
Joined: 2021-06-08 21:38
First name: Craig

Re: unsorted certificate chain

#6 Post by Craigm1 » 2021-06-10 20:02

Oh good, I was afraid for a sec that the private key was at risk because I had it misconfigured...

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: unsorted certificate chain

#7 Post by botg » 2021-06-11 07:32

The certificate blocks in the file need to be ordered from the server certificate to root.

Looking at your chain, the issuer string listed on your server certificate is not found in the certificate that follows it immediately. I have my doubts as to the quality of the chain checker you used.

Edit: I ran a quick test with an intentionally mismatched chain. That chain checker you used is definitely broken.
[screenshot: rofl.png]

jstech012
504 Command not implemented
Posts: 6
Joined: 2021-09-01 16:54
First name: J
Last name: S

Re: unsorted certificate chain

#8 Post by jstech012 » 2021-09-01 18:05

I have connected to this site using OpenSSL:
(domain name removed) <mydomain>.com
Here is the result. Can you assist in deciphering this?

depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.<mydomain>.com
verify return:1
---
Certificate chain
0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: unsorted certificate chain

#9 Post by botg » 2021-09-02 08:31

Certificate chain
0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
The chain needs to be sorted. Following an issuer line (starting with i:) there must be a matching subject line (starting with s: after the certificate number).

Had the server sent a properly sorted chain, it would look something like this:
Certificate chain
0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority

jstech012
504 Command not implemented
Posts: 6
Joined: 2021-09-01 16:54
First name: J
Last name: S

Re: unsorted certificate chain

#10 Post by jstech012 » 2021-09-02 11:36

Thanks for all of your help and explanation.

Is there a way I can manipulate this myself using OpenSSL? I am extracting the PEM and KEY from a .pfx in OpenSSL.
Or is this cert just malformed when we purchase it?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: unsorted certificate chain

#11 Post by botg » 2021-09-03 07:31

If it's a PEM containing multiple certs, you can simply reorder the certificate blocks in any text editor.
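As an added example (not code from this thread, from FileZilla, or from OpenSSL), the script below applies botg's rule from post #9 to `openssl s_client -showcerts` output (each cert's `i:` line must equal the next cert's `s:` line), reorders the certificates leaf-to-root, and writes the PEM blocks back out in the order post #11 asks for. The sample input is constructed: DNs are shortened to their CN/OU, the PEM bodies are placeholders, and `*.example.com` stands in for the poster's domain.

```python
import re

# Constructed sample in the shape `openssl s_client -showcerts` prints: a numbered
# s:/i: pair followed by that certificate's PEM block. DNs shortened, PEM bodies are
# placeholders (not real certificates); the order is the unsorted one from post #8.
SAMPLE = """\
 0 s:CN = *.example.com
   i:CN = Starfield Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
LEAF
-----END CERTIFICATE-----
 1 s:OU = Starfield Class 2 Certification Authority
   i:OU = Starfield Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
CLASS2
-----END CERTIFICATE-----
 2 s:CN = Starfield Root Certificate Authority - G2
   i:OU = Starfield Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
ROOTG2
-----END CERTIFICATE-----
 3 s:CN = Starfield Secure Certificate Authority - G2
   i:CN = Starfield Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
SECUREG2
-----END CERTIFICATE-----
"""
ENTRY = re.compile(r"^\s*\d+ s:(.*?)\n\s*i:(.*?)\n"
                   r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.S | re.M)

def parse_showcerts(text):
    """Return [(subject, issuer, pem), ...] in the order the server sent them."""
    return [(s.strip(), i.strip(), pem) for s, i, pem in ENTRY.findall(text)]

def is_sorted(chain):
    """botg's rule: each i: line must equal the s: line of the next certificate."""
    return all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))

def sort_chain(chain):
    """Leaf first, then follow each i: line to the cert whose s: line matches."""
    by_subject = {c[0]: c for c in chain}
    issuers = {c[1] for c in chain}
    leaf, = [c for c in chain if c[0] not in issuers]  # exactly one cert issues nothing
    ordered, cur = [], leaf
    while cur is not None and cur not in ordered:      # a self-signed root ends the walk
        ordered.append(cur)
        cur = by_subject.get(cur[1])                   # None: the issuer was never sent
    if len(ordered) != len(chain):
        raise ValueError("chain has a certificate that is not reachable from the leaf")
    return ordered

def to_pem(chain):
    return "".join(c[2] + "\n" for c in chain)  # PEM blocks leaf to root, as the server file needs
```

A server that omits its self-signed root still sorts cleanly; the walk just stops when the last issuer is not in the list.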

jstech012
504 Command not implemented
Posts: 6
Joined: 2021-09-01 16:54
First name: J
Last name: S

Re: unsorted certificate chain

#12 Post by jstech012 » 2021-11-07 14:54

Hello botg,
Just wanted to say thanks again for all of your assistance. I was delayed in resolving this issue, but finally got back around to it.
Re-sorted the cert blocks as you suggested, and voilà!
0 s:CN = *.<mydomain>.com
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
3 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority

No more ugly red unsorted chain error!

Appreciate your patience and kind help!
