
#6953 closed defect (worksforme)

wildcard certificate problem with custom root CA

Reported by: Andre Kelpe
Owned by: yla
Priority: normal
Milestone: 4.3
Component: webdav
Version: 4.2.1
Severity: normal
Keywords:
Cc:
Architecture:
Platform: Windows 7

Description (last modified by Andre Kelpe)

I am having a problem with wildcard certificates for WebDAV over HTTPS. Here is the current situation:

I have a server that uses SSL. The certificate used by the server is signed by our own internal root CA. I have installed this root CA in the certificate management on Windows, following the documentation on http://windows.microsoft.com/is-IS/windows-vista/View-or-manage-your-certificates. After that, I verified that IE trusts the certificate of my server signed with this root CA. This works, which means the root CA is correctly installed. After that I tried it with Cyberduck and it does not trust the server at all.

After some googling around, I saw that Cyberduck is written in Java, so I went into the control panel and installed the root CA in the Java configuration thing as well. This still has no effect. Cyberduck keeps on telling me that the cert is not valid, while all other software trusts it.

The hostname of the server is something like foo.secure.example.com and the cert is valid for *.secure.example.com. As I said above, it works with other Windows software, just not with Cyberduck.

What am I doing wrong?

Attachments (1)

2012-11-09-110912_1366x768_scrot.png (21.3 KB) - added by Andre Kelpe on Nov 9, 2012 at 10:12:50 AM.


Change History (11)

comment:1 Changed on Nov 8, 2012 at 1:16:00 PM by Andre Kelpe

  • Description modified (diff)

comment:2 Changed on Nov 8, 2012 at 10:02:15 PM by dkocher

  • Owner set to yla

We use native Windows certificate chain validation, therefore settings in Java preferences have no effect.

comment:3 Changed on Nov 8, 2012 at 10:02:24 PM by dkocher

  • Component changed from core to webdav

comment:4 Changed on Nov 8, 2012 at 10:03:02 PM by dkocher

What is the exact certificate validation error? Just a hostname mismatch or a trust validation failure?

comment:5 Changed on Nov 9, 2012 at 10:12:19 AM by Andre Kelpe

As stated above, I put it in the Windows certificate store as well and it works for IE, so it is installed correctly.

The error I get is 'Certificate is not valid'. See screenshot. (I had to blank out the hostname, to protect the innocent.)


comment:6 Changed on Nov 10, 2012 at 11:15:55 AM by dkocher

Looks like there is an issue with hostname validation trying to match hostname with the common name wildcard in the certificate.

comment:7 Changed on Nov 12, 2012 at 10:45:51 AM by Andre Kelpe

Yes, indeed. Can I give you more information in some way, so that you will be able to tell me what is wrong?

comment:8 Changed on Dec 17, 2012 at 2:41:58 PM by dkocher

  • Milestone set to 4.2.2

comment:9 Changed on Dec 17, 2012 at 4:56:46 PM by yla

I have set up a test environment with a self-signed Certificate Authority and issued a wildcard certificate for my test web server. After importing the root certificate into the certificate store 'Trusted Root Certification Authorities' (either user or computer store) Cyberduck did not complain anymore about an invalid certificate. The behavior is as expected.

Is there any chance that you can send me both the root and machine certificate to mailto:feedback@…? As you don't send me the private keys this is not security critical.

comment:10 Changed on Dec 17, 2012 at 8:54:03 PM by dkocher

  • Resolution set to worksforme
  • Status changed from new to closed

Test in r10666.
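The thread separates two checks: chain trust (the root CA in the Windows store) and hostname matching against the wildcard name. As an added example, not Cyberduck's code and not from the ticket, this Python sketch applies RFC 6125 style hostname matching to the names given in the description. It assumes a simplified rule set (`*` accepted only as the whole left-most label), and the function names are hypothetical.

```python
# Added example: simplified RFC 6125 style hostname check.
# Function names are hypothetical; the inputs below are constructed.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def pattern_matches(pattern, hostname):
    """True if one certificate name (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # '*' stands for exactly one label, never zero or two
    if p[0] == "*":
        # Wildcard only as the complete left-most label, with at least
        # two fixed labels to its right (rejects '*.com').
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h

def check_hostname(hostname, san_dns_names, common_name=None):
    """Return (ok, reason). SAN dNSName entries take precedence over CN."""
    if san_dns_names:
        candidates, source = list(san_dns_names), "subjectAltName"
    elif common_name:
        candidates, source = [common_name], "commonName"
    else:
        return False, "certificate carries no DNS name"
    for name in candidates:
        if pattern_matches(name, hostname):
            return True, f"{hostname} matched {name} ({source})"
    return False, f"{hostname} not covered by {source}: {', '.join(candidates)}"

if __name__ == "__main__":
    # Constructed cases built from the hostnames quoted in the description.
    cases = [
        ("foo.secure.example.com", [], "*.secure.example.com"),
        ("a.foo.secure.example.com", [], "*.secure.example.com"),
        ("secure.example.com", [], "*.secure.example.com"),
        # A SAN entry, once present, overrides a wildcard in the CN.
        ("foo.secure.example.com", ["www.example.com"], "*.secure.example.com"),
    ]
    for host, san, cn in cases:
        print(check_hostname(host, san, cn))
```

A mismatch reported here is a hostname problem; a pass here combined with a validation error points back at chain trust, which is the distinction asked for in comment 4.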
