FTP server certificate

Discussion in 'Installation/Configuration' started by adamjedgar, May 5, 2017.

  1. adamjedgar

    adamjedgar Member

    Hi guys,
    i have created a new website and site user on my ispconfig cp.
    I have created a new ftp user
    When i attempt to login using the ftp user the "Unknown Certificate" warning pops up in filezilla (see attached image)
    I havent yet tried to go any further prior to writing this post, however, i will shortly.
    My assumption is that my ftp session will connect however, i will not be allowed to login and the session will disconnect. What do i need to do from this point?

    Attached Files:

  2. adamjedgar

    adamjedgar Member

    yep just as i suspected...
    Status: TLS connection established.
    Command: USER <"my ftp username">
    Response: 331 User <"my ftp username"> OK. Password required
    Command: PASS ***************
    Response: 530 Login authentication failed
    Error: Critical error: Could not connect to server

    My assumption is that i need to generate a new ssl certificate for the domain and website and save it to my desktop pc for filezilla yes?
    (is there an alternative for now)
  3. adamjedgar

    adamjedgar Member

    I think i may know what the problem is...
    1.I noticed after i deleted my instance and went back to basics that i had SSL metadata for this servers domain from a previous install that was for a different CP...i had inadvertently forgotten to check the metadata and remove the old certificate (my bado_O)

    In any case, I am learning a lot by repeatedly starting again. In going back through the "perfect server" tutorial, its surprising the number of issues that i have encountered that i am now able to immediately problem solve and resolve.

    There is one that still eludes me "freshclam" still produces a locked log file error. I still cannot get this one solved...moving along:mad:
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If I understand you correctly, there was another CP installed on your server and you did not start with a fresh and clean system install? This must lead to problems as the other CP has modified config files and ISPConfig expects to find the original unmodified files of the OS. So starting with an unclean system will lead to all kind of issues.
  5. adamjedgar

    adamjedgar Member

    No it wasnt the same server...the ssl certificate was held by Google Cloud Platform Network metadata for the domain name i was using on the server.
    I had forgotten about the location of the old certificate and google cloud Platform automatically relinked it with the domain name when i created a new instance using that domain name again (new server...same name = same certificate).

    I have since create a completely new instance, with a different domain name and i also deleted the old meta data that was on the network that referred to the old certificate. So the certificate issue should hopefully be resolved (however time will tell, i have only tested it on a tablet thus far and not with filezilla)

    However, even with a brand new install...i still cannot ftp into any site on the new ISP Config install. It refuses to accept the login credentials.
    I have tried over and over again...I am at a loss as to how something so simple with other control panels i have used ISPsystems, Vestacp, and Virtualmin, could be so problematic? (this should just work without any issues...I dont know about how these ftp servers are coded however i am beginning to think that Pure ftpd is mess (none of the other cp's i have used have this problem on google cloud...and coincidentally or otherwise, none of them use Pure ftpd as choice)

    Can we use a different ftp server?

    What information do i need to provide in order for us to begin to resolve.......oooooooooooohhhhhhhhhhhh hang on. I need to check something. Will post back!!!

    Nope I am still getting that F#$ing TLS error.

    Command: USER admin_mydomain.com.au
    Response: 331 User admin_mydomain.com.au OK. Password required
    Command: PASS ***************
    Response: 530 Login authentication failed
    Error: Critical error: Could not connect to server

    Will ISPConfig run with a different ftp server...Pure Ftp is mess...i am finding articles on the internet that say this is a common problem experienced with it! (ie it suffers from database corruption)
    Last edited: May 5, 2017
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Pure-ftpd is a very stable software and pure-ftpd + ISPConfig are working perfectly together, I made hundreds of installs in the past years and it never failed for me, simply copy/paste of the perfect server tutorial on a clean system results in a working setup. So neither pure-ftpd nor ISPConfig is to blame for your problems here. And you should remember that there are several hundred thousand working servers with ISPConfig out there, so you can assume that it's not an issue with the software.

    Are you sure that you connect to the right server?
    Did you check the server logs?
    Did you use the correct username incl. prefix as it is shown in the FTP user list in ISPConfig?
    Are you sure that you don't mix up SFTP and FTPS? SFTP is not FTP, it is SSH and provided by SSHD while FTPS is FTP over tls and provided by the FTP Daemon. So FTP and FTPS requires an FTP user while SFTP requires a shell login (shell user without jail).
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The internet is full of nonsense posts, so no wonder that you can find such wrong information somewhere. And ISPConfig does not even use the internal pure-ftpd puredb user database, so your comment on database corruption does not apply here at all.

    Instead of messing up your server by trying to switch to a nonsupported FTP daemon, you better take a look at the FTP server log file. And an issue like 'Error: Critical error: Could not connect to server" indicates that there might be a problem with the google firewall, e.g. passive ports are blocked.

    To test if its a firewall issue use a command line ftp client to connect to your server on localhost.
  8. adamjedgar

    adamjedgar Member

    I have tried the following
    "[email protected]"
    "[email protected]"
    "[email protected]"

    I am making some progress...as at least the error message is now different.

    Command: MLSD
    Error: Connection timed out after 20 seconds of inactivity
    Error: Failed to retrieve directory listing
    Status: Disconnected from server
    Status: Resolving address of mydomain.com.au
    Status: Connecting to
    Status: Connection established, waiting for welcome message...
    Status: Initializing TLS...
    Status: Verifying certificate...
    Status: TLS connection established.
    Status: Logged in
    Status: Retrieving directory listing...
    Status: Server sent passive reply with unroutable address. Using server address instead.

    This is progress me thinks:p

    Could i ask...if i leave the website IPV4-Address as * (this is a wildcard yes?) is this what is causing the above problem...or is it related?
    (I am going to change the IPV4-address to my google cloud internal one i think...although the website index.html page is working fine:rolleyes:)
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The exact username is shown in the FTP user list in ispconfig, so you can see the name there, no guessing required.
    Your new error is a problem that the passive port range of the FTP server is blocked in the google firewall.
    Define a FTP port range that you want to open in pure-ftpd:
    and then open these ports in the google firewall.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not related to FTP. The best is to leave it at * for all sites, as long as you don't need a dedicated IP for very old SSL clients (like windows 98) that don't support SNI, leave it at *.
  11. adamjedgar

    adamjedgar Member

    Found this on the cpanel wiki...does this apply?
    I am going to be hosting multiple websites on this server. I dont know much about NAT configurations...what is google cloud platform? UPDATE...yes i have this configuration)

    Enable the passive port range for Pure-FTPd
    We strongly recommend that you only use this option if your server exists behind a NAT configuration. This option prevents connections to other IP addresses on the server, and connections via domains that resolve to other IP addresses. If you set an IP address for the ForcePassiveIP option, you can only connect to the FTP server via that IP address.

    I am off to bed Till its 2am in the morning here in Sydney, thank you so much for your help! I will get back to this tomorrow.
    I am almost ready to jump the next hurdle...setting up WHMCS:D
    Last edited: May 5, 2017
  12. adamjedgar

    adamjedgar Member

    I opened the all ports on the entire network...
    I can now get a directory listing.:D
    Now its a mattery of figuring out how to close off the unneeded ports again so resecure everything but not prevent filezilla from working:oops:

    Now the next question...should i use Google Cloud Platform Network > Firewall to control this, or do it on the actual webserver control panels themselves?

    Is there anything to be gained in using both? (my thoughts are that if i eventually obtain a large number of servers, its going to be easier and better for continuity in the long run to use GCPlatform for this?)

    Finally, is it possible to not use a wide range of ports for this...can i just specify a custom port (or handful of ports)? Does this make any difference to security?
    Last edited: May 6, 2017
  13. adamjedgar

    adamjedgar Member

    Woohoo I got it!
    We are up and running peoples!:p:cool:

    I also have my answer about the port range in the previous post. I think i understand now...is the range is related to the number of users that can access passively at the same time? (ie the port range outlined in tutorial would be for 100 users)
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    yes :)
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    I would use the Google firewall in that case.


Share This Page