pure-ftpd unsorted certificate chain

ssgill (Verified User, joined May 9, 2012, 164 messages)
Hello, I recently moved from proftpd to pure-ftpd. Now when I connect, FileZilla works fine but it does show an error:

1) Error: Server sent unsorted certificate chain in violation of the TLS specifications

Any ideas? I am using the stock "/etc/pure-ftpd.conf", I guess that's the default for new installs. Also, in the header of the config file it states that to use this file you run the following command:

/usr/sbin/pure-ftpd /etc/etc/pure-ftpd.conf

This is incorrect, it should be one etc, not 2. I modified it and ran this command and did not get any response, so I guess it was all good.


2) I updated my config file to only use TLS 1.2, my edits:

# This option accepts three values:
# 0: disable SSL/TLS encryption layer (default).
# 1: accept both cleartext and encrypted sessions.
# 2: refuse connections that don't use the TLS security mechanism,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Double check that:
# 1) The server has been compiled with TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 2


# Cipher suite for TLS sessions.
# The default suite is secure and setting this property is usually
# only required to *lower* the security to cope with legacy clients.
# Prefix with -C: in order to require valid client certificates.
# If -C: is used, make sure that clients' public keys are present on
# the server.

# TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLSCipherSuite HIGH:MEDIUM:+TLSv1.2:!TLSv1.1:!TLSv1:!SSLv2:!SSLv3

Restarted pure-ftpd and the log file shows

[INFO] TLS: Enabled TLSv1/SSLv3 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher

I was hoping to see TLS1.2 for the connection, please advise.

Thanks
 

Fixed it by updating /etc/pure-ftpd.pem; it had localhost keys. Changed them to the server key and certificate files and all good now.
 
Error: Server sent unsorted certificate chain in violation of the TLS specifications
This error can be displayed by FileZilla if the FTP parameter used is an IP address or something not in accordance with the SSL certificate.
ftp.domain.com should be enabled with the SSL certificate and used to connect by FTP; this will avoid this error with FileZilla.
 
I have this problem when entering by IP; I can't use the domain because it is behind Cloudflare.
But on other servers I use an IP connection and never have this error.

Error: Server sent unsorted certificate chain in violation of the TLS specifications
 
Fixed it by updating /etc/pure-ftpd.pem; it had localhost keys. Changed them to the server key and certificate files and all good now.
Can you explain how to do this? I have the same problem, I need to access via IP, not domain.
 
My issue was that I had an incorrect certificate for pure-ftpd, but in case you want to use the server certificate you will find it here:

Make a backup of /etc/pure-ftpd.pem

Edit /etc/pure-ftpd.pem and remove the text

Copy and paste all of the text of the key and certificate from these files:

/usr/local/directadmin/conf/cakey.pem
/usr/local/directadmin/conf/cacert.pem

The text from cakey.pem goes first and below that the text from cacert.pem.
Restart pure-ftpd. I am using the IP to connect and it's working fine.
 
I got the same problem. I had done it once a few years ago. Thanks for the instruction.

However, I wonder if I use Let's Encrypt certificates, do I have to run this command every few months when the certificate is renewed?

I know we can create a script and put it into crontab. Is there any other easier and automatic method to do this every time it is renewed?
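The manual procedure ssgill describes above (key text first, certificate text below it, then restart) and the renewal question just asked can both be covered by one small script. The following is an added example written for this thread; it is not code posted by anyone here and not something shipped by pure-ftpd or DirectAdmin. The function names and the key/chain paths in the usage comment are assumptions; /usr/local/directadmin/conf/cakey.pem and cacert.pem are the files named earlier in the thread. The structural check catches the two ordering mistakes behind the "unsorted certificate chain" message: a certificate placed before the key, or a chain that does not start with the server certificate.

```shell
#!/bin/sh
# Added example (not from the thread): build /etc/pure-ftpd.pem from a separate
# private key and certificate chain in the order pure-ftpd expects (private key
# first, then the server certificate, then any intermediates), and sanity-check
# the result before the daemon is restarted.

# build_pureftpd_pem KEYFILE CHAINFILE OUTFILE
# Concatenates key + chain into OUTFILE with mode 0600 (the file holds a key).
build_pureftpd_pem() {
    key="$1"; chain="$2"; out="$3"
    [ -r "$key" ] && [ -r "$chain" ] || { echo "missing input file" >&2; return 1; }
    tmp="$out.tmp.$$"
    # Write in a subshell so the restrictive umask does not leak to the caller.
    ( umask 077; cat "$key" "$chain" > "$tmp" ) || return 1
    chmod 600 "$tmp" && mv "$tmp" "$out"
}

# pem_block_order FILE
# Prints the label of every "-----BEGIN ...-----" line, in file order.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_pureftpd_pem FILE
# Succeeds only if the first PEM block is a private key (PKCS#8, RSA or EC)
# and at least one CERTIFICATE block follows it. A chain before the key, or a
# file with no certificate, is rejected.
check_pureftpd_pem() {
    first=$(pem_block_order "$1" | head -n 1)
    case "$first" in
        *"PRIVATE KEY") ;;
        *) echo "first block is '$first', expected the private key" >&2; return 1 ;;
    esac
    ncert=$(pem_block_order "$1" | grep -c '^CERTIFICATE$' || true)
    [ "$ncert" -ge 1 ] || { echo "no CERTIFICATE block after the key" >&2; return 1; }
    return 0
}

# check_key_matches_cert FILE
# Optional deeper check when the openssl CLI is installed: the public key
# derived from the private key must equal the public key in the first
# certificate, otherwise the wrong key/cert pair was pasted together.
check_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping" >&2; return 0; }
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "private key does not match the first certificate" >&2; return 1; }
}

# Usage (paths are assumptions; adapt to where your key and chain live), e.g.
# from cron after a Let's Encrypt renewal, or as a certbot --deploy-hook where
# the renewed files are under "$RENEWED_LINEAGE":
#   build_pureftpd_pem /path/to/privkey.pem /path/to/fullchain.pem /etc/pure-ftpd.pem \
#     && check_pureftpd_pem /etc/pure-ftpd.pem \
#     && check_key_matches_cert /etc/pure-ftpd.pem \
#     && service pure-ftpd restart
```

With a Let's Encrypt chain, use the full chain file (server certificate followed by the intermediate) rather than the bare certificate, so the order pure-ftpd sends matches what FileZilla expects. Restarting only after both checks pass means a bad renewal leaves the previous working file in place instead of taking FTP-over-TLS down.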
 