Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Thanks for your feedback!
Prisma

The certutil.exe error has nothing to do with the WinSCP problem. Let's Encrypt has had yesterday and today several service problems with the OCSP, see picture.

Sorry Martin...
Prisma

I ran this command: certutil -verify -urlfetch cert.pem

It produced this output:
Aussteller:

    CN=Let's Encrypt Authority X3
    O=Let's Encrypt
    C=US
  Namenshash (sha1): 7ee66ae7729ab3fcf8a220646c16a12d6071085d
  Namenshash (md5): c0350a4a6f6b94d938b5003a57bb4867
Antragsteller:
    CN=www.mydomain.de
  Namenshash (sha1): 0a45f24e027192b7863afb1e0896e88a94c74305
  Namenshash (md5): 6bdef80a3a02c62b498e6a554094b1ed
Zertifikatseriennummer: 034dde82f2a0e66c92ee29ebede3fa80e6c7

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 13 Hours, 20 Minutes, 36 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 13 Hours, 20 Minutes, 36 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  NotBefore: 11.05.2017 02:38
  NotAfter: 09.08.2017 02:38
  Subject: CN=www.mydomain.de
  Serial: 034dde82f2a0e66c92ee29ebede3fa80e6c7
  SubjectAltName: DNS-Name=mydomain.de, DNS-Name=mydomain.eu, DNS-Name=www.mydomain.de, DNS-Name=www.mydomain.eu
  Cert: c4ea64889db020e794a247293944a18b5ec3177b
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Zertifikat abrufen  ----------------
  Überprüft "Zertifikat (0)" Zeit: 0
    [0.0] http://cert.int-x3.letsencrypt.org/

  ----------------  Zertifikat abrufen  ----------------
  Keine URLs "Keine" Zeit: 0
  ----------------  Basissperrliste veraltet  ----------------
  Keine URLs "Keine" Zeit: 0
  ----------------  Zertifikat-OCSP  ----------------
  Überprüft "OCSP" Zeit: 0
    [0.0] http://ocsp.int-x3.letsencrypt.org/

  --------------------------------
    CRL (null):
    Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
    ThisUpdate: 17.05.2017 03:00
    NextUpdate: 24.05.2017 03:00
    CRL: 8892a5c37e9e1b18b6d7cf54acdc6d86e0809e95
  Issuance[0] = 2.23.140.1.2.1
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
  Application[1] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  NotBefore: 17.03.2016 18:40
  NotAfter: 17.03.2021 18:40
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Serial: 0a0141420000015385736a0b85eca708
  Cert: e6a3b45b062d509b3382282d196efe97d5956ccb
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Zertifikat abrufen  ----------------
  Überprüft "Zertifikat (0)" Zeit: 0
    [0.0] http://apps.identrust.com/roots/dstrootcax3.p7c

  ----------------  Zertifikat abrufen  ----------------
  Überprüft "Basissperrliste (aa)" Zeit: 0
    [0.0] http://crl.identrust.com/DSTROOTCAX3CRL.crl

  ----------------  Basissperrliste veraltet  ----------------
  Keine URLs "Keine" Zeit: 0
  ----------------  Zertifikat-OCSP  ----------------
  Überprüft "OCSP" Zeit: 0
    [0.0] http://isrg.trustid.ocsp.identrust.com

  --------------------------------
    CRL (null):
    Issuer: E=pki-ops@IdenTrust.com, CN=DST CA X3 OCSP Signer, OU=DST, O=Digital Signature Trust, C=US
    ThisUpdate: 18.05.2017 11:26
    NextUpdate: 19.05.2017 11:26
    CRL: eb82fdefaeabf9244e9c8fc1c052797fa08edd94
  Issuance[0] = 2.23.140.1.2.1
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
  Application[0] = 1.3.6.1.5.5.7.3.4 Sichere E-Mail
  Application[1] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
  Application[2] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung
  Application[3] = 1.3.6.1.5.5.7.3.8 Zeitstempel
  Application[4] = 1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
  Application[5] = 1.3.6.1.4.1.311.10.3.12 Dokumentsignatur

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  NotBefore: 30.09.2000 23:12
  NotAfter: 30.09.2021 16:01
  Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
  Serial: 44afb080d6a327ba893039862ef8406b
  Cert: dac9024f54d8f6df94935fb1732638ca6ad77c13
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Zertifikat abrufen  ----------------
  Keine URLs "Keine" Zeit: 0
  ----------------  Zertifikat abrufen  ----------------
  Keine URLs "Keine" Zeit: 0
  ----------------  Zertifikat-OCSP  ----------------
  Keine URLs "Keine" Zeit: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.4 Sichere E-Mail
  Application[1] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
  Application[2] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung
  Application[3] = 1.3.6.1.5.5.7.3.8 Zeitstempel
  Application[4] = 1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
  Application[5] = 1.3.6.1.4.1.311.10.3.12 Dokumentsignatur

Exclude leaf cert:
  Chain: 8b7ab36ece90ebb699b18f9d2bfafc4c6bc4d40f
Full chain:
  Chain: 7e00edb48331966cc2699a2c8e01ce0e21803e4d
  Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  NotBefore: 11.05.2017 02:38
  NotAfter: 09.08.2017 02:38
  Subject: CN=www.mydomain.de
  Serial: 034dde82f2a0e66c92ee29ebede3fa80e6c7
  SubjectAltName: DNS-Name=mydomain.de, DNS-Name=mydomain.eu, DNS-Name=www.mydomain.de, DNS-Name=www.mydomain.eu
  Cert: c4ea64889db020e794a247293944a18b5ec3177b
Das Objekt oder die Eigenschaft wurde nicht gefunden. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
------------------------------------
CertUtil: -verify-Befehl ist fehlgeschlagen: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Das Objekt oder die Eigenschaft wurde nicht gefunden.
martin

Re: [Bug] FTPS Intermediate Certificate not trusted when using Windows Cert Store

Error 80092013 is CRYPT_E_REVOCATION_OFFLINE.

So it's not that the certificate is not trusted as such. It's that, it was not possible to check, if it is on revocation list or not.

That may help you with investigation.
Prisma

Which info do you else need?

If you use your own let's encrypt certificate, it should be easy to reproduce.
But via PM I could also give you more un-anonymized info if needed.

This is rather urgent, because our old certificate will become invalid in short and we want to use let's encrypt in future.
Prisma

Root CA Details
Prisma

Proof that Windows really trusts the cert
Prisma

ProFTPD configuration
Prisma

With cacert.pem aside
Prisma

[No-Bug] FTPS Intermediate Certificate not trusted when using Windows Cert Store

Hello Martin,

I obviously found a heavy bug. As short as possible:

An intermediate certificate is not trusted (and so the whole server certificate), when it's only referenced through the root CA and not stored within the "trusted intermediate CAs".
When you take the root CA certificate, put it into a cacert.pem aside a winscp.exe (which normally isn't there), the complete chain is trusted.
I assume, when a cacert.pem exists, WinSCP lets OpenSSL check the trust and doesn't use Windows Cert Store.
This is proof enough for me that it only depends on WinSCPs certificate handling when using windows cert store and it's not a bad ftp server configuration.

But anyway, all information and documentation you should need I'll give you with a lot of files: