Kevin is right about the complete chain. I issued this openssl command:

    openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1 -CAfile gd-class2-root.crt

and got error:

    Verify return code: 21 (unable to verify the first certificate)

I created a cacerts file with both the intermediate and root cert:

    copy gd_intermediate.crt+gd-class2-root.crt daddy.cacerts.crt

Then I got code 0 with:

    openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1 -CAfile daddy.cacerts.crt

So your rsa_cert_file=/etc/vsftpd/mainline-wc-2011.crt file probably does not have the chain of 3 certs in it. They should be stacked in the file as follows:

    -----BEGIN CERTIFICATE-----
    mainline server cert
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    gd_intermediate.crt cert
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    gd-class2-root.crt cert
    -----END CERTIFICATE-----

Filezilla is not a good program to test with, as it appears to not do server cert authentication. It is better to use curl for windows or curl for z/OS.

--
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 03:38 PM, Neubert, Kevin wrote:
> Is the chain complete? Check trust and Issuer's/Subject's Names.
> RACDCERT LIST(LABEL('Go Daddy Class 2')) CERTAUTH. Do you have all the
> names? SEARCH CLASS(DIGTCERT).
>
> Regards,
>
> Kevin
>
>
> Ring:
>      >FtpSecur<
> Certificate Label Name           Cert Owner   USAGE    DEFAULT
> -------------------------------- ------------ -------- -------
> GeoTrust Global CA               CERTAUTH     CERTAUTH NO
> Go Daddy Class 2                 CERTAUTH     CERTAUTH YES