
I run a website that uses IIS 10's FTP server and I have it set up to use Explicit FTP over TLS and it's worked great for the last year+. I bought the server certificate through Digicert.

The server certificate expired on 2019-01-04. I renewed the certificate at Digicert, one that is good through 2021. I then installed it on the Windows server, and updated the FTP site to use the new certificate.

However, when I try connecting with FileZilla Client, the log reports the following:

Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...

But then up pops a warning saying that the certificate expired on 2019-01-04.


If I click Ok, it continues, but then it says: Primary connection and data connection certificates don't match. Here's the log following the "Initializing TLS..."

Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is current directory.
Command:    TYPE I
Response:   200 Type set to I.
Command:    PASV
Response:   227 Entering Passive Mode (38,101,199,155,19,46).
Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  Primary connection and data connection certificates don't match.
Error:  Transfer connection interrupted: ECONNABORTED - Connection aborted
Response:   226 Transfer complete.
Error:  Failed to retrieve directory listing
Status: Disconnected from server: ECONNABORTED - Connection aborted

It's like the Initializing TLS logic is somehow grabbing the OLD certificate, but once it connects, it's grabbing the NEW certificate and seeing they don't match.

If I update the IIS FTP server to use the OLD certificate and retry connecting, I get the same expired certificate warning on Initializing TLS, but then when I click Ok it connects and I can transfer files without issue (albeit, I have to confirm that the certificate is expired every transfer).

What's going on here? Is FileZilla Client caching the Initializing TLS certificate? Is there some other setting or action I need to take in the IIS FTP configuration to get the new certificate "to take"? (I tried rebooting the web server after updating the certificate - still no dice, same problem.)

EDIT 2019-01-13: I went ahead and removed the expired certificate from the Windows Certificate Store and now when I try to connect via FTP it fails on the AUTH TLS command:

Status: Connecting to ...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    AUTH TLS
Response:   431 Failed to setup secure session.
Command:    AUTH SSL
Response:   431 Failed to setup secure session.
Error:  Could not connect to server

This tells me that it's a server-side problem. Namely, the server is trying to find the expired certificate, but can't. I'm at a loss as to why IIS FTP is still trying to use the old certificate.

If I look in %WinDir%\System32\Inetsrv\Config\applicationHost.config, I see these settings for the FTP server section:

<ftpServer>
    <security>
        <ssl serverCertHash="E10..." serverCertStoreName="My" ssl128="false" controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
        <authentication>
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</ftpServer>

The serverCertHash reported is the Thumbprint of the current certificate (not the expired one) so I am at a loss as to how/where/why IIS FTP is using the expired one for AUTH TLS.

EDIT 2019-02-13:

Unfortunately, I wasn't able to get this working. In the end, I installed FileZilla Server and created a self-signed certificate for use by FileZilla Server.

Thanks

Scott Mitchell
  • Are you hitting the server directly or do you have other machines in the mix? Firewall? Load Balancer? – Keith Barrows Jan 13 '19 at 06:18
  • @KeithBarrows - I am hitting the server directly, at least to my understanding. The server is a dedicated server hosted by a company. It's a single server (no load balancer). – Scott Mitchell Jan 13 '19 at 16:55
  • **Thank you** for writing those updates. I was banging my head with very similar issues, but in my case, when I opened `applicationHost.config`, it was showing the thumbprint of an _expired_, and now removed, certificate. Copy/pasting in the current certificate’s thumbprint thankfully fixed it for me. – Janus Bahs Jacquet Sep 30 '21 at 00:15

1 Answer


I was at a loss on this one and stumbled upon the fix (works for me now).

  1. Select the root node of the IIS server in IIS Manager
  2. Choose FTP SSL settings in the right pane
  3. Choose and apply the new certificate to the root node

It's now working for me with multiple FTP hosts. I had previously just applied the certificate to each host node...

Steve T
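One way to audit the two places the answer distinguishes (the server node's FTP SSL Settings and the per-site ftpServer/security/ssl block quoted in the question), as an added PowerShell example that is not part of the question or the answer. It assumes the WebAdministration module is available and that the server-level setting is stored under system.applicationHost/sites/siteDefaults/ftpServer/security/ssl; Get-FtpCertState is a helper defined here, not an IIS cmdlet.

```powershell
# Added example, not code from the question or the answer. Assumes the
# WebAdministration module and that IIS stores the FTP SSL settings under
# system.applicationHost/sites: siteDefaults/ftpServer/security/ssl for the
# server ("root node") and site[@name]/ftpServer/security/ssl for each site.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'

# Describe the certificate a thumbprint points at in the Local Machine "My" store.
function Get-FtpCertState {
    param([string]$Thumbprint)
    if ([string]::IsNullOrWhiteSpace($Thumbprint)) { return 'NOT SET' }
    $tp   = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { return "MISSING from LocalMachine\My ($tp)" }
    $until = $cert.NotAfter.ToString('yyyy-MM-dd')
    if ($cert.NotAfter -lt (Get-Date)) { return "EXPIRED on $until ($($cert.Subject))" }
    return "valid until $until ($($cert.Subject))"
}

# Server-level default: what "FTP SSL Settings" on the root node writes.
$defaults    = Get-WebConfiguration -PSPath $AppHost -Filter 'system.applicationHost/sites/siteDefaults/ftpServer/security/ssl'
$defaultHash = [string]$defaults.serverCertHash
"Server default : $(Get-FtpCertState $defaultHash)"

# Per-site setting for every site that has an FTP binding.
foreach ($site in Get-Website) {
    $hasFtp = $site.bindings.Collection | Where-Object { $_.protocol -eq 'ftp' }
    if (-not $hasFtp) { continue }
    $ssl  = Get-WebConfiguration -PSPath $AppHost -Filter "system.applicationHost/sites/site[@name='$($site.Name)']/ftpServer/security/ssl"
    $hash = [string]$ssl.serverCertHash
    $note = ''
    # The symptom on this page: site and server level disagree, so the control
    # channel and the data channel can end up presenting different certificates.
    if ($defaultHash -and $hash -and ($defaultHash -ne $hash)) { $note = '  <-- differs from server default' }
    "Site '$($site.Name)' : $(Get-FtpCertState $hash)$note"
    "    control channel: $($ssl.controlChannelPolicy)  data channel: $($ssl.dataChannelPolicy)"
}
```

Run it in an elevated PowerShell on the IIS host; every thumbprint it reports should resolve to the same unexpired certificate, and any "EXPIRED", "MISSING" or "differs from server default" line points at the level that still needs updating.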