FTP can't connect over TLS, says certificate expired

Discussion in 'Installation/Configuration' started by lonerunner, Feb 24, 2019.

  1. lonerunner

    lonerunner Member

    So I was following the Perfect Server Debian 9 guide and set up everything, and then I was following the how to secure with Let's Encrypt guide.


    But now I am facing problems with FTP: I can't connect over TLS, there's an error about an expired certificate. As you can see, there are 2 certificates in the chain (I don't know what that means, to be honest), but one says it's expired and the other one says it's renewed.

    [Attached images: Annotation 2019-02-24 014621.jpg, Annotation 2019-02-24 014839.jpg]

    I did follow everything from the guide above, and I set ports in pureftp and firewall 40110:40210, but the connection can't be established.
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Probably the certificate pureftpd uses is expired. Maybe it is not using the certificate you created with Let's Encrypt?
  3. lonerunner

    lonerunner Member

    That's the thing, it uses the Let's Encrypt certificate. It links to one cert that's auto-updating, and everything is explained in the tutorial link I posted, but I don't know why it says it's expired. Everywhere else the certificate is good, it's recently renewed, but not as I see on FTP.
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If the symlink is correct and the certificate on disk is up to date, try restarting pure-ftpd.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I was looking at your attached images and I think the latter cannot be LE SSL certificates since their validity should only be 90 days.

    I can only guess that your ispserver.pem file was not automatically recreated when LE SSL certs for the server website were renewed, if they were already renewed.

    You can verify this by simply looking at its creation date, which, if true, means that your incron settings may not be working as they should.

    If LE SSL certificates for the server website were already renewed, you have to manually run the le_ispc_pem.sh to fix the "certificate expired" error.

    To fix incron, verify that you still have incron installed and then check your incron settings.

    I would suggest changing the one in the tutorial
    /etc/letsencrypt/archive/server1.example.com/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh
    to this:
    /etc/letsencrypt/archive/server1.example.com/ IN_CREATE,IN_MODIFY /bin/bash /etc/init.d/le_ispc_pem.sh
    Finally restart incron via "service incron restart".

    To test whether incron is working, take note of the creation time of ispserver.pem file and then create any test file inside /etc/letsencrypt/archive/server1.example.com/.

    If the ispserver.pem file creation time changes, then your incron is now working and should be able to automatically renew ispserver.pem in the future.
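
Added example (not part of any post in this thread): a bash check for the situation discussed above, where the PEM file the FTP daemon reads no longer carries the renewed Let's Encrypt certificate. It compares certificate fingerprints rather than file dates; the function names are hypothetical and every path or host is supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. All file paths and hosts are passed in
# by the caller; none is assumed here.

# SHA-256 fingerprint of the first certificate in a PEM file. A combined
# key+certificate file such as ispserver.pem works: the key block is skipped.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the certificate a running FTP server presents after AUTH TLS.
served_fp() {  # usage: served_fp HOST [PORT]
    openssl s_client -connect "$1:${2:-21}" -starttls ftp </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_service_pem SERVICE_PEM RENEWED_CERT [MIN_SECONDS_LEFT]
# Return 0: service PEM carries the renewed certificate and it is still valid
#        1: service PEM holds a different certificate (copy step did not run)
#        2: same certificate, but it expires within MIN_SECONDS_LEFT
#        3: one of the files has no readable certificate
check_service_pem() {
    local pem=$1 src=$2 min_left=${3:-0} a b
    a=$(cert_fp "$pem"); b=$(cert_fp "$src")
    if [ -z "$a" ] || [ -z "$b" ]; then return 3; fi
    if [ "$a" != "$b" ]; then
        echo "STALE: $pem does not contain the certificate in $src" >&2
        openssl x509 -in "$pem" -noout -enddate >&2
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$min_left" >/dev/null 2>&1; then
        echo "EXPIRING: certificate in $pem ends within ${min_left}s" >&2
        return 2
    fi
    return 0
}
```

If `check_service_pem` returns 0 but `served_fp` still differs from `cert_fp` of the same file, the file on disk is current and the daemon has not reloaded it yet, which is the restart case from post 5.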
  7. lonerunner

    lonerunner Member

    So I reran all the commands from the above tutorial link that I posted. Upon further checking I found out that the ISPConfig cert file and the website domain cert were mismatching; basically they were generated at different times, and since the one on the domain name is set to expire later, certbot didn't generate a new file, and incron had no need to copy files since there was no modification, but FTP was using the old expired cert.

    But now I have a different problem: my FileZilla won't connect to the server, and I am getting this error:

    Status:    Initializing TLS...
    Status:    Verifying certificate...
    Status:    TLS connection established.
    Command:    USER username
    Error:    GnuTLS error -110: The TLS connection was non-properly terminated.
    Status:    Server did not properly shut down TLS connection
    Error:    Could not connect to server
    Whatever I google, I find divided explanations: some people blame the server, some blame FileZilla, but no real answers.
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You might want to try other software(s). I personally use winscp from my windows pcs and elfinder if I need quicker access from my web browser(s).
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Check which version of Filezilla you have. I remember in the past an updated Filezilla ceased to work without fiddling with the settings. I do not remember what exact version it was. So Filezilla may change how the program works from version to version.
  10. lonerunner

    lonerunner Member

    Yes, with WinSCP it works fine. I use WinSCP too, but not for client logins, because it can mess up permissions and roles sometimes when uploading. So it's definitely a FileZilla problem.
