Invalid security certificate

Meta
500 Command not understood
Posts: 2
Joined: 2009-02-09 03:24

Invalid security certificate

#1 Post by Meta » 2009-02-09 03:44

Hello,
I am not new to computers, but brand new to FTP servers.
I have been able to set up my FTP server to use SSL/TLS and everything is peachy.
My only issue (albeit a small one) is that when I connect the first time using FireFTP, it gives me the following warning message:
[ip address] uses an invalid security certificate.

- The certificate is only valid for [Name].
- The certificate does not come from a trusted source.

This could be a problem with the server's configuration,
or it could be someone trying to impersonate the server.

If you have connected to this server successfully in the past,
the error may be temporary, and you can try again later.
Now, I can click Add Exception and it'll work. But I was just wondering if there was a way to set up my certificate so that it doesn't show that error message. Is it possible? Is that what certificate authorities are for? Is it possible for a "self-signed certificate" (if I understand cryptographic terminology properly) to be valid/secure so as to suppress the warning?

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Invalid security certificate

#2 Post by botg » 2009-02-09 08:32

Yes, not really and not really.

CAs' only purpose is to get your money. All nice and shiny, but why should I trust some certificate only because some CA trusts it? Unless I have personally reviewed that particular CA in detail and in person, I don't trust it.

Self-signed certificates are actually more secure than certificates signed by a CA. If I get a self-signed cert prompt, I call the server administrator so that he can verify the fingerprint of the certificate. Then I do know the certificate is legit.
Browser manufacturers on the other hand seem to get paid money by the CAs so that their root certificates get included.

They even invent some special certificate classes once in a while that get sold for 100 times the price which can make the browser's address bar change color. They are only interested in profits, not actual security.

Re: Invalid security certificate

#3 Post by Meta » 2009-02-09 14:54

Cool! Thanks for the explanation.

boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: Invalid security certificate

#4 Post by boco » 2009-02-09 19:25

Do you know http://www.cacert.org/ yet? They're giving out free certs.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

Re: Invalid security certificate

#5 Post by botg » 2009-02-09 22:17

And no browser has them included for various dubious reasons. The truth is that CAcert does not have the money to pay browser vendors for inclusion.

forthelove
500 Command not understood
Posts: 1
Joined: 2009-03-26 19:41
First name: John
Last name: Hamborg

Re: Invalid security certificate

#6 Post by forthelove » 2009-03-26 19:47

I started having trouble viewing my Linksys router after I created a security cert. for my newly created FileZilla FTP server. I began a search to solve this issue so I could access my router again.

Secure Connection Failed


An error occurred during a connection to 192.168.1.1.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem.

I found this post on getting a certificate from cacert.org... only to get this error LOL... I blame Firefox...

Secure Connection Failed
        

www.cacert.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)


    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

          Or you can add an exception…

Goddamnit...

mistyPotato
500 Command not understood
Posts: 3
Joined: 2006-12-12 18:47

Re: Invalid security certificate

#7 Post by mistyPotato » 2009-04-08 19:07

Yeah,

Yet ANOTHER example of filthy rich, greedy corporate American CEOs and their trusty equally greedy lawyers strangling the little guy to make sure that every dime goes in THEIR pockets.

God forbid we could get a FREE certificate. (or the cure for cancer be released) OH NO!

Too much M-O-N-E-Y to be made.

Is it any wonder this Country is on the fast path to Hell?

nomnex
504 Command not implemented
Posts: 10
Joined: 2009-04-03 05:38

Re: Invalid security certificate

#8 Post by nomnex » 2009-04-08 22:59

botg wrote: If I get a self-signed cert prompt, I call the server administrator so that he can verify the fingerprint of the certificate.
Q1. When a certificate has been created with FileZilla server, how can I check its fingerprint (XP Pro here)? I can do that locally using the client and clicking the lock, but I don't know how to view the certificate.crt file's information otherwise.

Q2. The MD5 and SHA-1 return different values when I check my certificate.crt file from the OS, and the MD5 and SHA-1 displayed on the certificate GUI when I open it in the client (also FZ). Can they be different values?

Q3. When creating a certificate, the Private key file and the certificate file are both contained in the certificate.crt file. I don't understand the function/purpose of the key password (in the SSL/TLS settings) and when do I need it.

Thanks

Re: Invalid security certificate

#9 Post by botg » 2009-04-09 06:51

1) Certificate management tools like the commandline openssl tool
2) The signature hashes are over the raw certificate; if you hash the file you also hash headers and the base64 encoding.
3) Certificates created with a password outside of FZS.
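
The difference described in point 2, as an added example that is not part of the original thread or of FileZilla's code: the fingerprint a client displays is a hash over the decoded (DER) certificate, while an OS hashing tool hashes every byte of the .crt file. The sample file is constructed from placeholder bytes, and its layout (a private key block followed by a certificate block) and the PEM labels are assumptions.

```python
import base64
import hashlib
import re

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def cert_der_from_pem(pem_text):
    """Return the raw DER bytes of the first CERTIFICATE block in a PEM file."""
    match = CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # Strip line breaks (LF or CRLF), then undo the base64 encoding.
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def colon_hex(digest):
    """Format digest bytes as colon-separated hex pairs."""
    return ":".join(f"{b:02x}" for b in digest)

def fingerprints(pem_text):
    """Hashes over the DER certificate only: what a client shows as fingerprint."""
    der = cert_der_from_pem(pem_text)
    return {"md5": colon_hex(hashlib.md5(der).digest()),
            "sha1": colon_hex(hashlib.sha1(der).digest())}

def file_hashes(pem_text):
    """Hashes over the whole file: headers, base64 text, line endings, key block."""
    raw = pem_text.encode("ascii")
    return {"md5": colon_hex(hashlib.md5(raw).digest()),
            "sha1": colon_hex(hashlib.sha1(raw).digest())}

def make_pem(label, payload, width=64):
    """Wrap payload bytes in a PEM block (used only to build the sample)."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([f"-----BEGIN {label}-----", *body,
                      f"-----END {label}-----", ""])

# Constructed sample: placeholder bytes stand in for a real key and certificate.
SAMPLE_DER = bytes(range(200))
SAMPLE_KEY = bytes(reversed(range(120)))
SAMPLE_FILE = make_pem("PRIVATE KEY", SAMPLE_KEY) + make_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_FILE_CRLF = SAMPLE_FILE.replace("\n", "\r\n")  # same file, Windows line endings

if __name__ == "__main__":
    print("fingerprint (DER):", fingerprints(SAMPLE_FILE)["sha1"])
    print("hash of file     :", file_hashes(SAMPLE_FILE)["sha1"])
    print("hash of CRLF copy:", file_hashes(SAMPLE_FILE_CRLF)["sha1"])
```

The DER fingerprint stays the same when the file is re-saved with different line endings, while the whole-file hash changes. With the openssl command-line tool mentioned in point 1, `openssl x509 -in certificate.crt -noout -fingerprint -sha1` prints the same kind of DER-based fingerprint.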

Re: Invalid security certificate

#10 Post by nomnex » 2009-04-09 09:41

botg wrote:1) Certificate management tools like the commandline openssl tool
Is there a GUI certificate management (link)? The MS certificate console is not compatible with .crt files

2 & 3 thanks

Edit: the openssl documentation is interesting but a little ahead of my level of understanding. The easiest way I found to find the cert. fingerprint is to open it in the FZ client and to copy it, or take a print screen.
