Unable to get local issuer certificate. The error occurred at a depth of 3 in the certificate chain.

cspell

I am using WinSCP to send a file automatically using SFTP. It's been working great but then the other day it started failing due to a certificate error. Here is the snippet from the log below. Any ideas how we can overcome this? I saw a post about a bug in this area but seems it's fixed.
We are using the latest WinSCP build 7995. Thanks in advance for any insight!

Summary: Unable to get local issuer certificate. The error occurred at a depth of 3 in the certificate chain.
. 2018-01-17 22:16:01.619
. 2018-01-17 22:16:01.619 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2018-01-17 22:16:01.619
. 2018-01-17 22:16:01.619 Continue connecting and store the certificate? ()
. 2018-01-17 22:16:11.620 Peer certificate rejected
. 2018-01-17 22:16:11.620 Disconnected from server
. 2018-01-17 22:16:11.620 Connection failed.

martin
Site Admin
Location: Prague, Czechia

Please attach a complete log.

Also I assume you mean FTPS, not SFTP. There are no certificates in SFTP.

cspell

martin wrote:

Please attach a complete log.

Also I assume you mean FTPS, not SFTP. There are no certificates in SFTP.

Thanks for the reply. Yes, I do mean FTPS, sorry about that.
Here is the full snippet from the log with some identifying info scrubbed. I can't upload the whole log, there is too much to scrub; hopefully this will help. One thing to note: I launched WinSCP and connected to the site, and since then the auto connection via the script started working again.

2018-01-18 22:15:30.226 Connecting to xyz.domain.com ...
. 2018-01-18 22:15:30.404 Connected with ftp.xyz.domain.com, negotiating TLS connection...
< 2018-01-18 22:15:30.491 220 Microsoft FTP Service
> 2018-01-18 22:15:30.491 AUTH TLS
< 2018-01-18 22:15:30.579 234 AUTH command ok. Expecting TLS Negotiation.
. 2018-01-18 22:15:30.999 Verifying certificate for "" with fingerprint 00:XX: and 20 failures
. 2018-01-18 22:15:30.999 Certificate common name "ftp.xyz.domain.com" matches hostname
. 2018-01-18 22:16:01.841 Certificate failed to verify against Windows certificate store: Error: 80092013, Chain index: 0, Element index: 0
. 2018-01-18 22:16:01.841 Asking user:
. 2018-01-18 22:16:01.841 **The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 Server's certificate details follow:
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 Issuer:
. 2018-01-18 22:16:01.841 - Organization: GoDaddy.com, Inc., https://certs.godaddy.com/repository/, Go Daddy Secure Certificate Authority - G2
. 2018-01-18 22:16:01.841 - Location: US, Arizona, Scottsdale
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 Subject:
. 2018-01-18 22:16:01.841 - Organization: Domain Control Validated, ftp.xyz.domain.com
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 Valid: 8/17/2016 8:46:38 PM - 9/5/2019 9:00:21 PM
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 Fingerprint (SHA-1): 00
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 Summary: Unable to get local issuer certificate. The error occurred at a depth of 3 in the certificate chain.
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2018-01-18 22:16:01.841
. 2018-01-18 22:16:01.841 Continue connecting and store the certificate? ()
. 2018-01-18 22:16:11.980 Peer certificate rejected
. 2018-01-18 22:16:11.980 Disconnected from server
. 2018-01-18 22:16:11.980 Connection failed.

cspell

After working for several days, the same failure occurred.
Here is the command we are using. Is there any command switch that may prevent this type of issue?

"C:\Program Files (x86)\WinSCP\WinSCP.exe" /c /log="c:\ftp\winSCP.log" /ini=nul /script="c:\ftp\ftp.txt"

martin

You can explicitly verify the certificate by adding -certificate=00:XX:...
https://winscp.net/eng/docs/scriptcommand_open#certificate
(where 00:XX: is the fingerprint of certificate public key that you have pointlessly obfuscated in the log).

Though, make sure you find out what the real fingerprint is. Do not blindly copy it from the log. At least copy it from a log of a successful connection, if the problem is intermittent, as the error can indicate you are under a MITM attack.

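Added example (not part of the original thread, and not WinSCP's own code): a Python check for the advice above, comparing the fingerprint logged in rejected sessions against fingerprints from sessions that were not rejected, before any value is passed to -certificate. The sample log is constructed in the line format quoted in this thread, with placeholder host and fingerprints; the function names are hypothetical.

```python
import re

# Constructed sample in the log line format quoted in the thread.
# Host and fingerprints are placeholders, not values from the original log.
SAMPLE_LOG = """\
. 2018-01-17 22:15:30.226 Connecting to ftp.example.test ...
. 2018-01-17 22:15:30.999 Verifying certificate for "ftp.example.test" with fingerprint aa:11:22:33 and 20 failures
. 2018-01-17 22:16:11.620 Peer certificate rejected
. 2018-01-18 09:00:00.100 Connecting to ftp.example.test ...
. 2018-01-18 09:00:00.900 Verifying certificate for "ftp.example.test" with fingerprint aa:11:22:33 and 0 failures
. 2018-01-19 22:15:30.226 Connecting to ftp.example.test ...
. 2018-01-19 22:15:30.999 Verifying certificate for "ftp.example.test" with fingerprint bb:44:55:66 and 20 failures
. 2018-01-19 22:16:11.980 Peer certificate rejected
"""

VERIFY = re.compile(
    r'Verifying certificate for "([^"]*)" with fingerprint (\S+) and (\d+) failures')

def sessions(log_text):
    """Return one record per certificate check: host, fingerprint, rejected."""
    out, cur = [], None
    for line in log_text.splitlines():
        if "Connecting to " in line:
            cur = None  # a new connection attempt begins
        m = VERIFY.search(line)
        if m:
            cur = {"host": m.group(1), "fingerprint": m.group(2).lower(),
                   "rejected": False}
            out.append(cur)
        elif cur is not None and "Peer certificate rejected" in line:
            cur["rejected"] = True
    return out

def assess(log_text):
    """Return (fingerprints seen in non-rejected sessions per host,
    rejected sessions whose fingerprint differs from all of those)."""
    sess = sessions(log_text)
    accepted = {}
    for s in sess:
        if not s["rejected"]:
            accepted.setdefault(s["host"], set()).add(s["fingerprint"])
    changed = [s for s in sess if s["rejected"] and accepted.get(s["host"])
               and s["fingerprint"] not in accepted[s["host"]]]
    return accepted, changed

if __name__ == "__main__":
    accepted, changed = assess(SAMPLE_LOG)
    print("seen on non-rejected sessions:", accepted)
    print("rejected with a different certificate:", changed)
```

A rejected session with the same fingerprint as a non-rejected one points to an intermittent chain-building failure on the same certificate; a rejected session with a different fingerprint means the server presented a different certificate and should be confirmed with the server operator before anything is pinned.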

cspell

OK, thanks for the info. I'll let you know how it goes. Hopefully there is no MITM here :-)

martin wrote:

You can explicitly verify the certificate by adding -certificate=00:XX:...
https://winscp.net/eng/docs/scriptcommand_open#certificate
(where 00:XX: is the fingerprint of certificate public key that you have pointlessly obfuscated in the log).

Though, make sure you find out what the real fingerprint is. Do not blindly copy it from the log. At least copy it from a log of a successful connection, if the problem is intermittent, as the error can indicate you are under a MITM attack.
