While trying to connect to an FTP server through port 21 (TLS authentication) with pub.client.ftp:login from Developer, a "Server certificate rejected by chain verifier" error is thrown. If tried with the default "none" for auth, a "password incorrect" error is thrown. The issue was observed after replacing the expired certificate with a new one. The new certificate has been kept in both the pub and ca directories. No change in credentials. Please provide suggestions on what might be causing this issue.
Are you trying to connect to an sFTP/SSH-enabled server here?
It sounds like you are trying to connect to an sFTP location, and you need port 22 for that, and the regular client:ftp service doesn’t work, right?
Can you check with the remote FTP site team?
It was working before and now it doesn’t. Apart from keeping the certificates in pub & CA, do the certificates need to be configured anywhere else? Moreover, when I run this service in Developer, it just exits before the result. Same result whenever I try again. I am noticing this weird behavior too.
What changes do you think were made in your env? Can you troubleshoot more on this?
Yes, normally we keep certs in the IntegrationServer/certs folder and configure them through the IS security page.
If you want the Integration Server to accept a connection when one or more of the CA certificates in the chain are expired, you must update the watt.security.ssl.ignoreExpiredChains property in the server configuration file (server.cnf) to true. This setting will cause the server to ignore expired CA certificates in the chain.
For “true” expired chains are ignored. All other values are treated as “false”.
Try this; it should work.
You did not answer: are the certs used for your sFTP or regular HTTPS handshaking in your env?
You said it worked before. Did you research what has changed in your testing/environment, assuming this is a production issue?
Yes, try that setting if it is applicable in your scenario.
It is FTP only but with TLS authentication. Port 21 is opened from partner side for our server. Moreover the expired certificate was a self-signed one and the new one is not, it has a CA and root CA. I will check and update if I get more information. And thank you for the suggestion on the extended setting.
One more thing: I think the partner does not have our server certificate. I’m checking the same.
Yes, please check that one too.
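
An added illustration, not part of the thread and not Integration Server's own verifier: when a self-signed certificate is replaced by one issued under a CA and root CA, as described above, a chain verifier needs every issuer in that chain among its trusted certificates. The script builds a constructed three-level chain with OpenSSL and checks the server certificate against the root alone, then against root plus issuing CA; all names and file paths are made up.

```shell
#!/bin/sh
# Added illustration. Every name here (Demo Root CA, Demo Issuing CA,
# ftp.example.test, file names) is constructed; nothing comes from the thread.

# build_chain DIR: throwaway root CA -> issuing CA -> server certificate.
build_chain() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 30 -extfile "$d/demo.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null &&
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ftp.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 30 -out "$d/srv.pem" 2>/dev/null
}

# chain_ok TRUSTFILE CERT: succeeds only if CERT chains to a CA in TRUSTFILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run: the same server certificate against two different trust sets.
work=$(mktemp -d) && build_chain "$work" || exit 1
if chain_ok "$work/root.pem" "$work/srv.pem"; then
  echo "trust = root only:          accepted"
else
  echo "trust = root only:          rejected (issuing CA missing)"
fi
cat "$work/root.pem" "$work/int.pem" > "$work/trusted.pem"
if chain_ok "$work/trusted.pem" "$work/srv.pem"; then
  echo "trust = root + issuing CA:  accepted"
else
  echo "trust = root + issuing CA:  rejected"
fi
rm -rf "$work"
```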