GnuTLS error -50

GigaTech
504 Command not implemented
Posts: 6
Joined: 2022-10-03 10:49
First name: Brian

GnuTLS error -50

#1 Post by GigaTech » 2022-10-13 17:33

Hi All,

If I set up with a self-signed certificate, everything works fine.

I then change the cert to "Provide a X.509 certificate" that has been generated by Win-Acme via Let's Encrypt
- Private Key File = C:\xxx\yyy\zzz.co.uk-key.pem
- Certificate Key File = C:\xxx\yyy\zzz.co.uk-crt.pem
- Key Password = <TheCorrectKey>

The info below populates correctly

Apply/OK and then try to connect, receive this error in red

GnuTLS error -50 in gnutls_certificate_set_x509_key_mem2: The request is invalid.

Code:

<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Response] 220-FileZilla Server 1.5.1
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Response] 220-Please visit https://filezilla-project.org/
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Response] 220 Welcome To FTP Server
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Command] AUTH TLS
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Error] GnuTLS error -50 in gnutls_certificate_set_x509_key_mem2: The request is invalid.
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Response] 504 TLS handshaking failed!
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Command] AUTH SSL
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Response] 504 TLS handshaking failed!
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Command] USER XXXXXXXXXXXXXXXXXX
<13/10/2022 17:57:31> FTP Session 101 XXX.XXX.XXX.XXX [Response] 503 Use AUTH first.
<13/10/2022 17:57:31> FTP Server [Status] Session 101 ended gracefully.

FileZilla Server 1.5.1
FileZilla Client 3.6.1.0

The provided cert is working fine for IIS and other applications, services and devices

Any Ideas?

Thanks in advance

botg
Site Admin
Posts: 35535
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: GnuTLS error -50

#2 Post by botg » 2022-10-13 20:35

Does the Windows user account the FileZilla Server service runs under (SYSTEM by default) have permission to access the key/cert files?


Re: GnuTLS error -50

#3 Post by GigaTech » 2022-10-13 21:36

Hi, thanks for your help

this is how it was
[Screenshot: 2022-10-13 22_16_11-Terminals 4.0.1 (Files store).png]
and if I stop the FileZilla server service, change the logon account to <DomainName>\Administrator and the password, which is a member of the Administrators group shown above and has 'full control' of the certs folder

I get the same error message, GnuTLS error -50

This is a clean install of Windows Server 2016 Std, with ports opened in the firewall...

Thanks.


Re: GnuTLS error -50

#4 Post by GigaTech » 2022-10-13 23:11

Hi, I have also just verified the password and key file... I am using the correct password, phew...

Download and extract OpenSSL for Windows (there are many versions, pick one that you are comfortable with, from Google)
https://sourceforge.net/projects/openssl-for-windows/

run this command

Code:

C:\Temp\OpenSSL-1.1.1q\openssl pkey -in C:\Temp\<YOUR_PRIVATE_KEY_FILE>.pem -passin pass:<YOUR_PASSWORD> -noout

If the password is correct it returns nothing (go figure).
To verify, I deleted a couple of characters off the password and ran the command again. This time it gives some errors:

Code:

2752:error:006065:PEM routines:PEM_do_header:bad decrypt:..

Many Thanks


Re: GnuTLS error -50

#5 Post by botg » 2022-10-14 08:13

Are there any non-ASCII characters in your password?

What algorithm is used to protect the key with a password? What algorithm is the key itself using?

If you open both the key and certificate files in a text editor, do they both start with a PEM header, e.g. something like ---------BEGIN CERTIFICATE-------- or ---------BEGIN PRIVATE KEY-------?


Re: GnuTLS error -50

#6 Post by GigaTech » 2022-10-14 09:55

Hi, Thanks for your time

WinAcme 'settings.json' - https://www.win-acme.com/reference/settings

Code:

  "Security": {
    "RSAKeyBits": 3072,
    "ECCurve": "secp384r1",
    "PrivateKeyExportable": false,
    "EncryptConfig": true
  },
  "Store": {
    "PemFiles": {
      "DefaultPath": "C:\\_Data\\Software\\SSL\\Certificates",      <<-- Double \\ required for the config - there is an UNDERSCORE in the path
      "DefaultPassword": "XXXXXXXXXXXXXXXXXXXX"                     <<-- Alphanumeric Only, 20 Long
    }
  },

XXXXXXX.XXXXXXXXXX.co.uk-key.pem

Code:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0579thisisnottherealdata7f988b2d

Uf20thisisnottherealdataDfyDf5XkyG96543kljh098jhg9867sd674aBw2hu
Uf20thisisnottherealdataDfyDf5XkyG96543kljh098jhg9867sd674aBw2hu

XXXXXXX.XXXXXXXXXX.co.uk-crt.pem

Code:

-----BEGIN CERTIFICATE-----
Uf20thisisnottherealdataDfyDf5XkyG96543kljh098jhg9867sd674aBw2hu
Uf20thisisnottherealdataDfyDf5XkyG96543kljh098jhg9867sd674aBw2hu


Re: GnuTLS error -50

#7 Post by botg » 2022-10-14 10:58

DEK-Info: AES-256-CBC,0579thisisnottherealdata7f988b2d
The data after the comma, does the original contain lower-case characters? If so, what happens if you change the lowercase chars into uppercase chars?


Re: GnuTLS error -50

#8 Post by GigaTech » 2022-10-14 11:21

Yes it does contain lower case chars

changed all to upper, save as different filename, changed FZ settings to the new key filename, restarted the FileZilla service

boom, working :)

how to fix permanently?

Thanks for your time on this issue
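
The workaround from post #8, as an added example that is not part of the original thread and is not FileZilla or GnuTLS code: a Python check that finds lowercase hex digits in the DEK-Info IV of a traditional encrypted PEM key and writes a copy with the IV uppercased. The function names and the sample key text are constructed for illustration.

```python
import re

# DEK-Info header of a traditional encrypted PEM key: "DEK-Info: <cipher>,<hex IV>"
DEK_INFO = re.compile(
    r"^(DEK-Info:[ \t]*)([A-Za-z0-9-]+),([0-9A-Fa-f]+)([ \t]*\r?)$", re.MULTILINE)

# Constructed sample (not a real key); CRLF line endings as on Windows.
SAMPLE = "\r\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-256-CBC,0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "",
    "cGxhY2Vob2xkZXI=",
    "-----END RSA PRIVATE KEY-----",
]) + "\r\n"


def dek_info_iv(pem_text):
    """Return (cipher, iv_hex) from the DEK-Info header, or None if absent."""
    m = DEK_INFO.search(pem_text)
    return (m.group(2), m.group(3)) if m else None


def needs_normalizing(pem_text):
    """True when the IV has lowercase hex digits, the case that failed in this thread."""
    info = dek_info_iv(pem_text)
    return info is not None and info[1] != info[1].upper()


def normalize_dek_info(pem_text):
    """Uppercase only the IV; the Base64 body is case-sensitive and is left alone."""
    return DEK_INFO.sub(
        lambda m: m.group(1) + m.group(2) + "," + m.group(3).upper() + m.group(4),
        pem_text, count=1)


def fix_key_file(src, dst):
    """Write a normalized copy to dst, keeping src as in post #8. True if written."""
    with open(src, "r", encoding="ascii", newline="") as f:  # newline="" keeps CRLF
        text = f.read()
    if not needs_normalizing(text):
        return False
    with open(dst, "w", encoding="ascii", newline="") as f:
        f.write(normalize_dek_info(text))
    return True


if __name__ == "__main__":
    print(normalize_dek_info(SAMPLE))
```

Only the header line changes; the encrypted key body and its passphrase stay the same, so the copy needs the same restrictive file permissions as the original.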


Re: GnuTLS error -50

#9 Post by botg » 2022-10-14 11:23

how to fix permanently?
Add 2 lines of code to GnuTLS. Please stand by.


Re: GnuTLS error -50

#10 Post by botg » 2022-10-14 15:12

The 2 line patch has been filed upstream: https://gitlab.com/gnutls/gnutls/-/issues/1415


Re: GnuTLS error -50

#11 Post by GigaTech » 2022-10-14 15:27

Thanks for your time on this issue.

What ETA do you think to an update of FZ?


Re: GnuTLS error -50

#12 Post by botg » 2022-10-14 20:56

When it's done.
