Unable to Get Local Issuer Certificate

rsford31
Posts:
32

Hi,
We're using WinSCP version 5.15.9 (Build 10071) and are connecting to our server in the DMZ to upload files using WinSCP .NET. The connection is over FTPS, implicit encryption. The script was working fine when it was on Windows 2008 R2. We cut over to Windows 2016 and now the script errors with "Summary: Unable to get local issuer certificate. The error occurred at a depth of 2 in the certificate chain." This is occurring in both our test and production environments which are both Windows 2016. I can connect without issue from the GUI.
The logs are as follows:
. 2020-10-01 15:03:04.858 --------------------------------------------------------------------------
. 2020-10-01 15:03:04.858 WinSCP Version 5.15.9 (Build 10071) (OS 10.0.14393 - Windows Server 2016 Standard)
. 2020-10-01 15:03:04.858 Configuration: nul
. 2020-10-01 15:03:04.858 Log level: Normal
. 2020-10-01 15:03:04.858 Local account: 
. 2020-10-01 15:03:04.858 Working directory: E:\Program Files\WinSCP
. 2020-10-01 15:03:04.858 Process ID: 2568
. 2020-10-01 15:03:04.858 Command-line: "E:\Program Files\WinSCP\winscp.exe" /xmllog="C:\Users\sngfiletran\AppData\Local\Temp\wscp1820.031BB474.tmp" /xmlgroups /xmllogrequired /nointeractiveinput /dotnet=5.15.9  /ini=nul /log="F:\WinscpLogs\CONCENTRA_PORTFOLIO_RPTS_SessionLog.txt"  /console /consoleinstance=_6176_57665189_176
. 2020-10-01 15:03:04.858 Time zone: Current: GMT-6, Standard: GMT-7 (Mountain Standard Time), DST: GMT-6 (Mountain Daylight Time), DST Start: 3/8/2020, DST End: 11/1/2020
. 2020-10-01 15:03:04.858 Login time: Thursday, October 1, 2020 3:03:04 PM
. 2020-10-01 15:03:04.858 --------------------------------------------------------------------------
. 2020-10-01 15:03:04.858 Script: Retrospectively logging previous script records:
> 2020-10-01 15:03:04.858 Script: option batch on
< 2020-10-01 15:03:04.858 Script: batch           on        
< 2020-10-01 15:03:04.858 Script: reconnecttime   120       
> 2020-10-01 15:03:04.858 Script: option confirm off
< 2020-10-01 15:03:04.858 Script: confirm         off       
> 2020-10-01 15:03:04.858 Script: option reconnecttime 120
< 2020-10-01 15:03:04.858 Script: reconnecttime   120       
> 2020-10-01 15:03:04.858 Script: open ftp://:990 -implicit -certificate="f1:c0:d4:c4:f8:b7:fe:47:65:f9:62:ad:1b:21:d1:d9:35:64:53:e1" -passive=1 -timeout=15
. 2020-10-01 15:03:04.858 --------------------------------------------------------------------------
. 2020-10-01 15:03:04.858 Session name:  (Ad-Hoc site)
. 2020-10-01 15:03:04.858 Host name:  (Port: 990)
. 2020-10-01 15:03:04.858 User name:  (Password: Yes, Key file: No, Passphrase: No)
. 2020-10-01 15:03:04.858 Transfer Protocol: FTP
. 2020-10-01 15:03:04.858 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2020-10-01 15:03:04.858 Disable Nagle: No
. 2020-10-01 15:03:04.858 Proxy: None
. 2020-10-01 15:03:04.858 Send buffer: 262144
. 2020-10-01 15:03:04.858 UTF: Auto
. 2020-10-01 15:03:04.858 FTPS: Implicit TLS/SSL [Client certificate: No]
. 2020-10-01 15:03:04.858 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2020-10-01 15:03:04.858 Session reuse: Yes
. 2020-10-01 15:03:04.858 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2020-10-01 15:03:04.858 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2020-10-01 15:03:04.858 Cache directory changes: Yes, Permanent: Yes
. 2020-10-01 15:03:04.858 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2020-10-01 15:03:04.858 Timezone offset: 0h 0m
. 2020-10-01 15:03:04.858 --------------------------------------------------------------------------
. 2020-10-01 15:03:04.967 Connecting to server:990 ...
. 2020-10-01 15:03:04.967 Connected with server:990, negotiating TLS connection...
. 2020-10-01 15:03:05.561 Verifying certificate for "Celero Solutions Inc." with fingerprint 3b:fe:bb:d0:d1:59:26:ba:a3:3d:f0:e8:59:b5:c7:55:82:00:05:56 and 20 failures
. 2020-10-01 15:03:05.561 Certificate common name "server" matches hostname
. 2020-10-01 15:04:05.638 Certificate failed to verify against Windows certificate store: Error: 80092013, Chain index: 0, Element index: 0
. 2020-10-01 15:04:05.638 Asking user:
. 2020-10-01 15:04:05.638 **The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**
. 2020-10-01 15:04:05.638 
. 2020-10-01 15:04:05.638 Server's certificate details follow:
. 2020-10-01 15:04:05.638 
. 2020-10-01 15:04:05.638 Issuer:
. 2020-10-01 15:04:05.638 - Organization: Sectigo Limited, Sectigo RSA Organization Validation Secure Server CA
. 2020-10-01 15:04:05.638 - Location: GB, Greater Manchester, Salford
. 2020-10-01 15:04:05.638 
. 2020-10-01 15:04:05.653 Subject:
. 2020-10-01 15:04:05.653 - Organization: organization, server
. 2020-10-01 15:04:05.653 - Location: locaation
. 2020-10-01 15:04:05.653 - Other: other;
. 2020-10-01 15:04:05.653 
. 2020-10-01 15:04:05.653 Valid: 1/27/2020 12:00:00 AM - 1/26/2021 11:59:59 PM
. 2020-10-01 15:04:05.653 
. 2020-10-01 15:04:05.653 Fingerprint (SHA-1): 3b:fe:bb:d0:d1:59:26:ba:a3:3d:f0:e8:59:b5:c7:55:82:00:05:56
. 2020-10-01 15:04:05.653 
. 2020-10-01 15:04:05.653 Summary: Unable to get local issuer certificate. The error occurred at a depth of 2 in the certificate chain.
. 2020-10-01 15:04:05.653 
. 2020-10-01 15:04:05.653 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2020-10-01 15:04:05.653 
. 2020-10-01 15:04:05.653 Continue connecting and store the certificate? ()
As you can see the fingerprint has been added. In the GUI, I went to Session > Server/Protocol Information and confirmed that the fingerprint is the same.
Any ideas?

martin
Site Admin
Posts:
41,276
Location:
Prague, Czechia

Re: Unable to Get Local Issuer Certificate

The log says that the fingerprint is:
. 2020-10-01 15:03:05.561 Verifying certificate for "Celero Solutions Inc." with fingerprint 3b:fe:bb:d0:d1:59:26:ba:a3:3d:f0:e8:59:b5:c7:55:82:00:05:56 and 20 failures
While your script has a different fingerprint.
If you see a different fingerprint in the GUI, something must be different. Are you sure you are connecting to the same server? Post a GUI log file, if unsure.

rsford31
Posts:
32

Re: Unable to Get Local Issuer Certificate

Hi, the fingerprint in the script is 3b:fe:bb:d0:d1:59:26:ba:a3:3d:f0:e8:59:b5:c7:55:82:00:05:56. The fingerprint in the GUI is the same as in the GUI logs and what I am using in the script. I am connecting to the same server through the script and through the GUI.
Here is the log from when I successfully connected from the GUI:
. 2020-10-02 14:12:01.554 --------------------------------------------------------------------------
. 2020-10-02 14:12:01.554 WinSCP Version 5.15.9 (Build 10071) (OS 10.0.14393 - Windows Server 2016 Standard)
. 2020-10-02 14:12:01.554 Configuration: E:\Program Files\WinSCP\WinSCP.ini
. 2020-10-02 14:12:01.554 Log level: Normal, Rotating after: 10M
. 2020-10-02 14:12:01.554 Local account: 
. 2020-10-02 14:12:01.554 Working directory: E:\Program Files\WinSCP
. 2020-10-02 14:12:01.554 Process ID: 5656
. 2020-10-02 14:12:01.554 Command-line: "E:\Program Files\WinSCP\WinSCP.exe" 
. 2020-10-02 14:12:01.554 Time zone: Current: GMT-6, Standard: GMT-7 (Mountain Standard Time), DST: GMT-6 (Mountain Daylight Time), DST Start: 3/8/2020, DST End: 11/1/2020
. 2020-10-02 14:12:01.554 Login time: Friday, October 2, 2020 2:12:01 PM
. 2020-10-02 14:12:01.554 --------------------------------------------------------------------------
. 2020-10-02 14:12:01.554 Session name:  (Modified site)
. 2020-10-02 14:12:01.554 Host name:  (Port: 990)
. 2020-10-02 14:12:01.554 User name:  (Password: Yes, Key file: No, Passphrase: No)
. 2020-10-02 14:12:01.554 Transfer Protocol: FTP
. 2020-10-02 14:12:01.554 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2020-10-02 14:12:01.554 Disable Nagle: No
. 2020-10-02 14:12:01.554 Proxy: None
. 2020-10-02 14:12:01.554 Send buffer: 262144
. 2020-10-02 14:12:01.554 UTF: Auto
. 2020-10-02 14:12:01.554 FTPS: Implicit TLS/SSL [Client certificate: No]
. 2020-10-02 14:12:01.554 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2020-10-02 14:12:01.554 Session reuse: Yes
. 2020-10-02 14:12:01.554 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2020-10-02 14:12:01.554 Local directory: , Remote directory: E:/MSL/PrivateMB, Update: Yes, Cache: Yes
. 2020-10-02 14:12:01.554 Cache directory changes: Yes, Permanent: Yes
. 2020-10-02 14:12:01.554 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2020-10-02 14:12:01.554 Timezone offset: 0h 0m
. 2020-10-02 14:12:01.554 --------------------------------------------------------------------------
. 2020-10-02 14:12:01.570 Connecting to server:990 ...
. 2020-10-02 14:12:01.570 Connected with server:990, negotiating TLS connection...
. 2020-10-02 14:12:02.104 Verifying certificate for "" with fingerprint 3b:fe:bb:d0:d1:59:26:ba:a3:3d:f0:e8:59:b5:c7:55:82:00:05:56 and 20 failures
. 2020-10-02 14:12:02.104 Certificate common name "server" matches hostname
. 2020-10-02 14:12:02.104 Certificate for "" matches cached fingerprint and failures
. 2020-10-02 14:12:02.104 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
. 2020-10-02 14:12:02.152 TLS connection established. Waiting for welcome message...
< 2020-10-02 14:12:02.168 220 Momentum SSL/TLS FTP Service Ready. (Implicit Mode)
> 2020-10-02 14:12:02.168 USER 
< 2020-10-02 14:12:02.168 331 User name okay, need password.
> 2020-10-02 14:12:02.168 PASS *************
< 2020-10-02 14:12:02.183 230-Credentials accepted.
< 2020-10-02 14:12:02.183 230 User logged in, proceed.
> 2020-10-02 14:12:02.183 SYST
. 2020-10-02 14:12:02.183 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
< 2020-10-02 14:12:02.183 215 Windows_NT
> 2020-10-02 14:12:02.183 FEAT
< 2020-10-02 14:12:02.199 502 Command not implemented.
> 2020-10-02 14:12:02.199 PBSZ 0
< 2020-10-02 14:12:02.199 200 Command accepted, PBSZ=0
> 2020-10-02 14:12:02.199 PROT P
< 2020-10-02 14:12:02.199 200 Command okay.
. 2020-10-02 14:12:02.230 Connected
. 2020-10-02 14:12:02.230 --------------------------------------------------------------------------
. 2020-10-02 14:12:02.230 Using FTP protocol.
. 2020-10-02 14:12:02.230 Doing startup conversation with host.
> 2020-10-02 14:12:02.246 PWD
< 2020-10-02 14:12:02.246 257 "E:/MSL/PrivateMB" is current directory.
. 2020-10-02 14:12:02.246 Changing directory to "E:/MSL/PrivateMB".
> 2020-10-02 14:12:02.246 CWD E:/MSL/PrivateMB
< 2020-10-02 14:12:02.246 250 CWD command successful. (E:/MSL/PrivateMB)
. 2020-10-02 14:12:02.246 Getting current directory name.
> 2020-10-02 14:12:02.246 PWD
< 2020-10-02 14:12:02.246 257 "E:/MSL/PrivateMB" is current directory.
. 2020-10-02 14:12:02.293 Retrieving directory listing...
> 2020-10-02 14:12:02.293 TYPE A
< 2020-10-02 14:12:02.293 200 Command okay.
> 2020-10-02 14:12:02.293 PASV
< 2020-10-02 14:12:02.293 227 Entering Passive Mode (198,161,254,171,19,178)
> 2020-10-02 14:12:02.293 LIST -a
. 2020-10-02 14:12:02.293 Connecting to 198.161.254.171:5042 ...
< 2020-10-02 14:12:02.293 150 Opening ASCII mode data connection for LIST return info.
. 2020-10-02 14:12:02.812 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
. 2020-10-02 14:12:02.812 TLS connection established
. 2020-10-02 14:12:02.812 Data connection closed
. 2020-10-02 14:12:02.812 <Empty directory listing>
< 2020-10-02 14:12:02.812 226 Transfer complete.
. 2020-10-02 14:12:02.812 Directory listing successful
. 2020-10-02 14:12:02.812 LIST with -a switch returned empty directory listing, will try pure LIST
. 2020-10-02 14:12:02.812 Retrieving directory listing...
> 2020-10-02 14:12:02.812 TYPE A
< 2020-10-02 14:12:02.812 200 Command okay.
> 2020-10-02 14:12:02.812 PASV
< 2020-10-02 14:12:02.812 227 Entering Passive Mode (198,161,254,171,19,179)
> 2020-10-02 14:12:02.812 LIST
. 2020-10-02 14:12:02.812 Connecting to 198.161.254.171:5043 ...
< 2020-10-02 14:12:02.812 150 Opening ASCII mode data connection for LIST return info.
. 2020-10-02 14:12:03.327 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
. 2020-10-02 14:12:03.327 TLS connection established
. 
< 2020-10-02 14:12:03.343 226 Transfer complete.
. 2020-10-02 14:12:03.343 Directory listing successful
. 2020-10-02 14:12:03.343 ..;D;0;1899-12-30T07:00:00.000Z;0;"" [0];"" [0];---------;0
.
. 2020-10-02 14:12:03.374 Startup conversation with host finished.

martin
Site Admin
Posts:
41,276
Location:
Prague, Czechia

Re: Unable to Get Local Issuer Certificate

rsford31 wrote:

Hi, The fingerprint in the script is 3b:fe:bb:d0:d1:59:26:ba:a3:3d:f0:e8:59:b5:c7:55:82:00:05:56.
Your first log file shows that the fingerprint in the script is different:
> Script: open ftp://:990 -implicit -certificate="f1:c0:d4:c4:f8:b7:fe:47:65:f9:62:ad:1b:21:d1:d9:35:64:53:e1" -passive=1 -timeout=15
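As an added illustration of the point made in this thread (example code, not from the thread's participants or from the WinSCP project): a small Python checker that pulls the fingerprint pinned with `-certificate=` on the `open` line and the fingerprint WinSCP reports on its "Verifying certificate" line out of a session log, normalizes both, and reports whether they agree. The log excerpt is constructed from the lines quoted in the first post; the function and variable names are this example's own.

```python
import re

# Constructed excerpt of a WinSCP session log, assembled from the lines quoted in
# the thread: the script pins one SHA-1 fingerprint, the server presents another.
SAMPLE_LOG = """\
> 2020-10-01 15:03:04.858 Script: open ftp://:990 -implicit -certificate="f1:c0:d4:c4:f8:b7:fe:47:65:f9:62:ad:1b:21:d1:d9:35:64:53:e1" -passive=1 -timeout=15
. 2020-10-01 15:03:05.561 Verifying certificate for "Celero Solutions Inc." with fingerprint 3b:fe:bb:d0:d1:59:26:ba:a3:3d:f0:e8:59:b5:c7:55:82:00:05:56 and 20 failures
. 2020-10-01 15:04:05.638 Certificate failed to verify against Windows certificate store: Error: 80092013, Chain index: 0, Element index: 0
. 2020-10-01 15:04:05.653 Summary: Unable to get local issuer certificate. The error occurred at a depth of 2 in the certificate chain.
"""

# A colon-separated SHA-1 fingerprint is 20 bytes = 40 hex digits + 19 colons = 59 chars.
PINNED_RE = re.compile(r'-certificate="?([0-9A-Fa-f:]{59})"?')
PRESENTED_RE = re.compile(r'with fingerprint ([0-9A-Fa-f:]{59}) and (\d+) failures')
SUMMARY_RE = re.compile(r'Summary: (.+)$')


def normalize(fp):
    """Canonical form: lowercase hex with colon separators (the format WinSCP logs)."""
    hexdigits = re.sub(r'[^0-9a-f]', '', fp.lower())
    return ':'.join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def diagnose(log_text):
    """Return the pinned and presented fingerprints found in the log and a verdict."""
    result = {'pinned': None, 'presented': None, 'failures': None, 'summary': None}
    for line in log_text.splitlines():
        if (m := PINNED_RE.search(line)):
            result['pinned'] = normalize(m.group(1))
        elif (m := PRESENTED_RE.search(line)):
            result['presented'] = normalize(m.group(1))
            result['failures'] = int(m.group(2))
        elif (m := SUMMARY_RE.search(line)):
            result['summary'] = m.group(1)
    if result['pinned'] is None:
        result['verdict'] = 'no -certificate pin in script; trust relies on the Windows store'
    elif result['presented'] is None:
        result['verdict'] = 'no certificate verification line found'
    elif result['pinned'] == result['presented']:
        result['verdict'] = 'pin matches presented certificate'
    else:
        result['verdict'] = 'pin does not match presented certificate'
    return result


if __name__ == '__main__':
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Because `normalize` accepts upper-case and separator-free input, a fingerprint copied from the certificate dialog of another tool compares correctly against what WinSCP logs.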
