Thanks for your feedback!
- martin
Post a reply
Before posting, please read how to report bug or request support effectively.
Bug reports without an attached log file are usually useless.
Topic review
- Prisma
The
Sorry Martin...
certutil.exe error has nothing to do with the WinSCP problem. Let's Encrypt has had yesterday and today several service problems with the OCSP, see picture.
Sorry Martin...
- Prisma
I ran this command:
It produced this output:
certutil -verify -urlfetch cert.pem
It produced this output:
Aussteller:
CN=Let's Encrypt Authority X3
O=Let's Encrypt
C=US
Namenshash (sha1): 7ee66ae7729ab3fcf8a220646c16a12d6071085d
Namenshash (md5): c0350a4a6f6b94d938b5003a57bb4867
Antragsteller:
CN=www.mydomain.de
Namenshash (sha1): 0a45f24e027192b7863afb1e0896e88a94c74305
Namenshash (md5): 6bdef80a3a02c62b498e6a554094b1ed
Zertifikatseriennummer: 034dde82f2a0e66c92ee29ebede3fa80e6c7
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 13 Hours, 20 Minutes, 36 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 13 Hours, 20 Minutes, 36 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
NotBefore: 11.05.2017 02:38
NotAfter: 09.08.2017 02:38
Subject: CN=www.mydomain.de
Serial: 034dde82f2a0e66c92ee29ebede3fa80e6c7
SubjectAltName: DNS-Name=mydomain.de, DNS-Name=mydomain.eu, DNS-Name=www.mydomain.de, DNS-Name=www.mydomain.eu
Cert: c4ea64889db020e794a247293944a18b5ec3177b
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Zertifikat abrufen ----------------
Überprüft "Zertifikat (0)" Zeit: 0
[0.0] http://cert.int-x3.letsencrypt.org/
---------------- Zertifikat abrufen ----------------
Keine URLs "Keine" Zeit: 0
---------------- Basissperrliste veraltet ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat-OCSP ----------------
Überprüft "OCSP" Zeit: 0
[0.0] http://ocsp.int-x3.letsencrypt.org/
--------------------------------
CRL (null):
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
ThisUpdate: 17.05.2017 03:00
NextUpdate: 24.05.2017 03:00
CRL: 8892a5c37e9e1b18b6d7cf54acdc6d86e0809e95
Issuance[0] = 2.23.140.1.2.1
Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
Application[0] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
Application[1] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
NotBefore: 17.03.2016 18:40
NotAfter: 17.03.2021 18:40
Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial: 0a0141420000015385736a0b85eca708
Cert: e6a3b45b062d509b3382282d196efe97d5956ccb
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Zertifikat abrufen ----------------
Überprüft "Zertifikat (0)" Zeit: 0
[0.0] http://apps.identrust.com/roots/dstrootcax3.p7c
---------------- Zertifikat abrufen ----------------
Überprüft "Basissperrliste (aa)" Zeit: 0
[0.0] http://crl.identrust.com/DSTROOTCAX3CRL.crl
---------------- Basissperrliste veraltet ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat-OCSP ----------------
Überprüft "OCSP" Zeit: 0
[0.0] http://isrg.trustid.ocsp.identrust.com
--------------------------------
CRL (null):
Issuer: E=pki-ops@IdenTrust.com, CN=DST CA X3 OCSP Signer, OU=DST, O=Digital Signature Trust, C=US
ThisUpdate: 18.05.2017 11:26
NextUpdate: 19.05.2017 11:26
CRL: eb82fdefaeabf9244e9c8fc1c052797fa08edd94
Issuance[0] = 2.23.140.1.2.1
Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
Application[0] = 1.3.6.1.5.5.7.3.4 Sichere E-Mail
Application[1] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
Application[2] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung
Application[3] = 1.3.6.1.5.5.7.3.8 Zeitstempel
Application[4] = 1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
Application[5] = 1.3.6.1.4.1.311.10.3.12 Dokumentsignatur
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
NotBefore: 30.09.2000 23:12
NotAfter: 30.09.2021 16:01
Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial: 44afb080d6a327ba893039862ef8406b
Cert: dac9024f54d8f6df94935fb1732638ca6ad77c13
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Zertifikat abrufen ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat abrufen ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat-OCSP ----------------
Keine URLs "Keine" Zeit: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.4 Sichere E-Mail
Application[1] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
Application[2] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung
Application[3] = 1.3.6.1.5.5.7.3.8 Zeitstempel
Application[4] = 1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
Application[5] = 1.3.6.1.4.1.311.10.3.12 Dokumentsignatur
Exclude leaf cert:
Chain: 8b7ab36ece90ebb699b18f9d2bfafc4c6bc4d40f
Full chain:
Chain: 7e00edb48331966cc2699a2c8e01ce0e21803e4d
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
NotBefore: 11.05.2017 02:38
NotAfter: 09.08.2017 02:38
Subject: CN=www.mydomain.de
Serial: 034dde82f2a0e66c92ee29ebede3fa80e6c7
SubjectAltName: DNS-Name=mydomain.de, DNS-Name=mydomain.eu, DNS-Name=www.mydomain.de, DNS-Name=www.mydomain.eu
Cert: c4ea64889db020e794a247293944a18b5ec3177b
Das Objekt oder die Eigenschaft wurde nicht gefunden. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
------------------------------------
CertUtil: -verify-Befehl ist fehlgeschlagen: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Das Objekt oder die Eigenschaft wurde nicht gefunden.
- Prisma
Hello Martin,
using certutil.exe I got also an error. So, relying on Windows Cert Store it's no wonder that winscp doesn't accept the cert. I documented it here:
https://community.letsencrypt.org/t/ms-certutil-verify-fails-for-cert-pem-and-fullchain-pem-why/34276
I think this is nothing under our control.
The only thing I wonder is, that certutil throws another error: 0x80092004 CRYPT_E_NOT_FOUND ...
using certutil.exe I got also an error. So, relying on Windows Cert Store it's no wonder that winscp doesn't accept the cert. I documented it here:
https://community.letsencrypt.org/t/ms-certutil-verify-fails-for-cert-pem-and-fullchain-pem-why/34276
I think this is nothing under our control.
The only thing I wonder is, that certutil throws another error: 0x80092004 CRYPT_E_NOT_FOUND ...
- martin
Re: [Bug] FTPS Intermediate Certificate not trusted when using Windows Cert Store
Error 80092013 is CRYPT_E_REVOCATION_OFFLINE.
So it's not that the certificate is not trusted as such. It's that, it was not possible to check, if it is on revocation list or not.
That may help you with investigation.
So it's not that the certificate is not trusted as such. It's that, it was not possible to check, if it is on revocation list or not.
That may help you with investigation.
- Prisma
Which info do you else need?
If you use your own let's encrypt certificate, it should be easy to reproduce.
But via PM I could also give you more un-anonymized info if needed.
This is rather urgent, because our old certificate will become invalid in short and we want to use let's encrypt in future.
If you use your own let's encrypt certificate, it should be easy to reproduce.
But via PM I could also give you more un-anonymized info if needed.
This is rather urgent, because our old certificate will become invalid in short and we want to use let's encrypt in future.
- Prisma
Root CA Details
- Prisma
Proof that Windows really trusts the cert
- Prisma
ProFTPD configuration
- Prisma
With cacert.pem aside
- Prisma
[No-Bug] FTPS Intermediate Certificate not trusted when using Windows Cert Store
Hello Martin,
I obviously found a heavy bug. As short as possible:
An intermediate certificate is not trusted (and so the whole server certificate), when it's only referenced through the root CA and not stored within the "trusted intermediate CAs".
When you take the root CA certificate, put it into a cacert.pem aside a winscp.exe (which normally isn't there), the complete chain is trusted.
I assume, when a cacert.pem exists, WinSCP lets OpenSSL check the trust and doesn't use Windows Cert Store.
This is proof enough for me that it only depends on WinSCPs certificate handling when using windows cert store and it's not a bad ftp server configuration.
But anyway, all information and documentation you should need I'll give you with a lot of files:
I obviously found a heavy bug. As short as possible:
An intermediate certificate is not trusted (and so the whole server certificate), when it's only referenced through the root CA and not stored within the "trusted intermediate CAs".
When you take the root CA certificate, put it into a cacert.pem aside a winscp.exe (which normally isn't there), the complete chain is trusted.
I assume, when a cacert.pem exists, WinSCP lets OpenSSL check the trust and doesn't use Windows Cert Store.
This is proof enough for me that it only depends on WinSCPs certificate handling when using windows cert store and it's not a bad ftp server configuration.
But anyway, all information and documentation you should need I'll give you with a lot of files: