
When setting up vsftpd we had problems with it not providing a trusted connection using a basic PEM certificate container holding just our private key and certificate.

We created our pem file with the following commands.

cat somecert.com.crt >> somepem.pem
cat somecertkey.com.key >> somepem.pem

SSL Certificate config vsftpd.conf

/etc/vsftpd/vsftpd.conf
ssl_enable=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/httpd/ssl/somepem.pem

When connecting using lftp in debug mode I saw that we were giving a certificate without enough info to establish the full chain of authority and ensure it was trusted.

lftp -d -u user:pass myserver.com
....
ERROR: Certificate verification: Not trusted
**** Certificate verification: Not trusted
---- Closing control socket

nelaaro

2 Answers


I need to get the full chain of authority and add it to the PEM certificate container. Thanks to Stack Exchange there are some nice solutions to this problem.

# -showcerts makes s_client print every certificate the server sends (leaf and intermediates), not just the leaf
echo connect | openssl s_client -showcerts -connect myserver.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

From that we can now update the certificate we created to include the full chain of authority.

We need to update the config of vsftpd:

vim /etc/vsftpd/vsftpd.conf
ssl_enable=YES
ssl_tlsv1=YES
rsa_private_key_file=/etc/httpd/ssl/somepem.pem
rsa_cert_file=/etc/vsftpd/ssl/cert.pem

Test using lftp

lftp -d -u user:pass myserver.com

Certificate: C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\, Inc.,OU=http://certificates.starfieldtech.com/repository,CN=Starfield Secure Certification Authority,serialNumber=10688435
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Checking against: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Trusted
Certificate: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Issued by: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Trusted

It is important to pack the PEM file in the correct order. See: how-do-i-make-my-own-bundle-file-from-crt-files

Creating a .pem with the Entire SSL Certificate Trust Chain

Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt). Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:

  1. The Primary Certificate - your_domain_name.crt
  2. The Intermediate Certificate - DigiCertCA.crt
  3. The Root Certificate - TrustedRoot.crt

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

nelaaro
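The ordering rule from the DigiCert instructions above, as an added check that is not part of the answer: the function below splits a PEM bundle with awk and uses `openssl x509` to confirm that each certificate's issuer is the subject of the certificate that follows it and that the bundle ends at a self-signed root, which is the walk lftp prints as `Trusted`. The function name and the example path in the comment are my own; it needs only `sh`, `awk` and `openssl`.

```shell
#!/bin/sh
# check_pem_order BUNDLE.pem
# Returns 0 when the bundle is ordered leaf -> intermediate(s) -> root, i.e.
# each certificate's issuer is the subject of the certificate after it and the
# last certificate is self-signed. Reports the first mismatch on stderr.
check_pem_order() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    # Split the bundle into c1.pem, c2.pem, ... (one certificate each) and
    # print how many were found; text before the first BEGIN line
    # (e.g. s_client chatter) is ignored.
    count=$(awk -v dir="$tmp" \
        '/-----BEGIN CERTIFICATE-----/ {n++}
         n {print > (dir "/c" n ".pem")}
         END {print n + 0}' "$bundle")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 1
    fi
    rc=0
    i=1
    while [ "$i" -le "$count" ]; do
        subj=$(openssl x509 -in "$tmp/c$i.pem" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer | sed 's/^issuer=//')
        if [ "$i" -lt "$count" ]; then
            # The next certificate in the file must be the one that signed this one.
            next=$(openssl x509 -in "$tmp/c$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
            if [ "$iss" != "$next" ]; then
                echo "cert $i ($subj) was issued by '$iss', but cert $((i + 1)) is '$next'" >&2
                rc=1
                break
            fi
        elif [ "$subj" != "$iss" ]; then
            echo "last cert ($subj) is not self-signed: the bundle does not end at a root" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Run as a script (hypothetical path): sh check_pem_order.sh /etc/vsftpd/ssl/cert.pem
if [ $# -eq 1 ]; then
    check_pem_order "$1"
fi
```

This compares names only; run `openssl verify -CAfile <root.crt> -untrusted <bundle.pem> <leaf.crt>` as well to check the signatures.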

You could always configure your FTP client to ignore certificates, which is insecure and should be avoided. Do this at your own risk. http://anils-tips.blogspot.com/2011/05/lftp-fatal-error-certificate.html

lftp user@test.ftp.com:/directory
Password:
cd: Fatal error: Certificate verification: Not trusted

To disable certificate verification in lftp completely (this is not a good idea if you are concerned about security):

cat ~/.lftp/rc
set ssl:verify-certificate no

Or, if you just want to do this for one specific host, you can:

lftp -e "set ssl:verify-certificate no" user@test.ftp.com:/directory

nelaaro
  • Why not completely remove SSL? This is about the same security as you get with your proposal to disable certificate validation. No validation means easy man-in-the-middle attacks. – Steffen Ullrich Jan 23 '15 at 15:26
  • Because sometimes you just want to get it done so you can leave the office. Which is why I put the correct way to do things first and then as a last attempt you can end here to just make things work. – nelaaro Jan 23 '15 at 15:35
  • I agree that sometimes one has to use a temporary and insecure workaround. But this should be explicitly marked as such and not as "you could always...." without pointing out that this is only a workaround and which problems it has. – Steffen Ullrich Jan 23 '15 at 15:55
  • @SteffenUllrich you are correct. I should have taken more time to explain the security implications. Thank you for your help – nelaaro Jan 24 '15 at 09:45