Pure-FTPd Initializing TLS... error with The Perfect Server - Debian 10

Discussion in 'ISPConfig 3 Priority Support' started by JohnnyBeGood, Jan 24, 2021.

  1. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Hi all,
    I've tried searching here for a few hours now in the hope that I would find the solution, but no luck.
    Whenever I try to connect to my server using Filezilla I get this:
    Code:
    Status:    Resolving address of mydomain.com
    Status:    Connecting to myserverip:21...
    Status:    Connection established, waiting for welcome message...
    Status:    Initializing TLS...
    Error:    Connection timed out after 20 seconds of inactivity
    Error:    Could not connect to server
    Status:    Waiting to retry...
    Status:    Resolving address of mydomain.com
    Status:    Connecting to myserverip:21...
    Status:    Connection established, waiting for welcome message...
    Response:    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:    220-You are user number 1 of 50 allowed.
    Response:    220-Local time is now 14:57. Server port: 21.
    Response:    220-This is a private system - No anonymous login
    Response:    220-IPv6 connections are also welcome on this server.
    Response:    220 You will be disconnected after 15 minutes of inactivity.
    Command:    AUTH TLS
    Response:    234 AUTH TLS OK.
    Status:    Initializing TLS...
    Error:    Connection timed out after 20 seconds of inactivity
    Error:    Could not connect to server
    I followed this tutorial https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ and enabled LE on all services.
    Any suggestions?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Are your ftp server (active and passive) ports set and opened?
     
  3. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This guide is not compatible with current ISPConfig installations and perfect server guides that use acme.sh as LE client instead of certbot. As you can read in the guide, ispconfig enables TLS for all services automatically now, so this guide is not necessary anyway. If you use the current ISPConfig version, then your issue is most likely caused by using this incompatible tutorial.
     
    Last edited: Jan 24, 2021
    ahrasis likes this.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

  7. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Thanks for the reply!
    I wasn't aware of this. So I wanted to start fresh because I need to move all of my websites eventually from the old Debian 8 perfect setup. I downloaded the latest Debian-10-Perfect-Server-Apache.ova https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
    Configured everything, updated Debian and ispconfig and was able to get SSL working on https://ispconfig.mydomain.com:8080 and it was automatically configured. Also one test domain works with web and email no issues.

    I'm still having issues with Initializing TLS... I've tried to follow the tutorial but I cannot find this section in ispconfig:
    Any suggestions?
     
    Last edited: Jan 24, 2021
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig firewall can be found under System > Firewall in ISPConfig GUI.
     
  9. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    It looks like it was turned off and that's why I could not find it. Do I still turn it on and enter:
    Code:
    20,21,22,25,53,80,110,143,443,3306,8080,10000,40110:40210
    ?

     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Then your issue is not related to this firewall. Maybe your datacenter or cloud provider runs a firewall in front of your server which blocks the ports? Or do you run it behind a router and these ports are not opened and forwarded to the server?
     
  11. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    It's in a datacenter and they assured me that no firewall is implemented on their side. I never had any issues with the ports in the past with any other service. How else can I verify?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the syslog and pure ftpd log file to see if there are any other errors during connection. Maybe you have an issue with the tls cert and not a closed port?
     
  13. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    This is really odd. I tried so many times yesterday and rebooted the server as well and it would be always stuck on Initializing TLS...
    Last night instead of "Use explicit FTP over TLS if available" I chose "Only use plain FTP (insecure)" and I transferred some file. Today I tried "Use explicit FTP over TLS if available" again and it actually connected and I got the prompt below. At this point everything seems to work except "The server's certificate is unknown"?

     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely your FTP client does not know LE certs then and needs a chain / bundle cert. Might be that the SSL bundle cert(s) are missing in the pem file that pure-ftpd is using.
     
  15. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Ok, I did not generate bundle cert(s). It came with image Debian-10-Perfect-Server-Apache.ova and it was generated by ispconfig I assume.
    /etc/ssl/private/pure-ftpd.pem is linked to /usr/local/ispconfig/interface/ssl/ispserver.pem and it appears to have correct chain / bundle cert.
    Do I need to modify something?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that should be fine then. Not sure why your FTP client complains. Personally, I would just accept the cert as it is if it's your server name. If you have reasons to believe that it might be wrong, you can check the fingerprint.
     
  17. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Sounds good. Thank you for your help with this!
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As confirmed by @till, if it was installed during ISPConfig installation your LE certs should be fine, but just to make a note here, other than the earlier suspected port issues, I also suspected the disconnection that happened after trying to initialize TLS was because of a pure-ftpd.pem permission issue.

    I'll have to remember to ask for pure-ftpd-mysql status note to help troubleshoot similar problem better in the future since it may note something useful there as well.
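
The checks raised in the posts above (whether the PEM file pure-ftpd uses holds a key and a certificate plus chain, whether its permissions are tight, and which fingerprint the client should show), as an added example that is not part of the original thread and not ISPConfig or Pure-FTPd code. It assumes the server certificate is the first CERTIFICATE block; `audit_pem` and `write_sample` are hypothetical names, and the sample file is constructed placeholder data.

```python
import base64, hashlib, os, re, stat, tempfile

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def audit_pem(path):
    """Inspect a combined key + certificate file such as pure-ftpd.pem."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    certs = [base64.b64decode("".join(body.split()))
             for label, body in blocks if label == "CERTIFICATE"]
    report = {
        "mode": oct(mode),
        # The file holds the private key, so any group/other bit is a finding.
        "group_or_world_access": bool(mode & 0o077),
        "has_private_key": any(l.endswith("PRIVATE KEY") for l, _ in blocks),
        "certificate_count": len(certs),
        # Fewer than two certificates: the file carries no chain certificate.
        "chain_present": len(certs) >= 2,
        "leaf_sha256": None,
    }
    if certs:
        # Assumption: the server (leaf) certificate is the first block.
        digest = hashlib.sha256(certs[0]).hexdigest()
        report["leaf_sha256"] = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return report

def write_sample(path, certs=2):
    """Write a CONSTRUCTED file: placeholder bytes, not real key material."""
    def block(label, raw):
        body = base64.encodebytes(raw).decode()
        return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
    parts = [block("PRIVATE KEY", b"constructed placeholder key")]
    parts += [block("CERTIFICATE", b"constructed placeholder cert %d" % i)
              for i in range(certs)]
    with open(path, "w") as fh:
        fh.write("".join(parts))

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "pure-ftpd.pem")
    write_sample(sample)
    os.chmod(sample, 0o600)
    for key, value in audit_pem(sample).items():
        print(f"{key}: {value}")
```

On the server, run `audit_pem("/etc/ssl/private/pure-ftpd.pem")` as root and compare `leaf_sha256` with the SHA-256 fingerprint shown in the FTP client's certificate dialog.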
     
  19. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Thank you!
     
