FTP with TLS/SSL, certificate is not trusted

[MicheleB]

Hello,
I'm trying to connect by FTP with TLS/SSL (passive mode) on the single hostings but every time my client (transmit) show me the alert "certificate is not trusted".

At the moment I'm using the free Wildcard Let's Encrypt associate with the main domain (e.g. mydomain.com) of the server, set in the "Certificate for securing Plesk" of the control panel as reported in this tech post:
Is it possible to install a certificate to secure FTP for a specific domain on Plesk server?

I also tried to change with the "professional" certificates "Positive SSL Wildcard" (*.mydomain.com) and "Positive SSL Multi Domain" ("mydomain.com" set to primary, "mail.mydomain.com" and "ftp.mydomain.com" set as SAN) but nothing, always the "certificate is not trusted" error.

In the "address" field of my ftp client I've used mydomain.com and ftp.mydomain.com format but the error is always the same.

How can I fix it?
Thanks.

 

[eilko]

Isn't the same issue as with Filezilla? Filezilla doesn't trust any certificate by default. You have to trust it manually at the first time. https://forum.filezilla-project.org/viewtopic.php?t=36799

 

[MicheleB]

Ok, thanks, however the issue with Filezilla is about "unknown" certificate instead for me "is not trusted"... is the same thing?
Transmit asks me to validate it every time I open the ftp client (to avoid this error is necessary save the "not trusted" certification in the keychain of my Mac but for a "behaviour safe" I prefer to see the real value of the certification).
For my knowledge, do you have the same problem with your "FTP with TLS/SSL" connections?

 

[MicheleB]

I've opened a request also in the "Plesk Extensions -> SSL It! Extension" forum because someone told me about an intermediate certificate missing but I don't know if the suggestion is correct (I'd like to receive a reply from the tech assistance of this extension):
Important - SSL It! Extension

 

[eilko]

Ok, thanks, however the issue with Filezilla is about "unknown" certificate instead for me "is not trusted"... is the same thing?
Transmit asks me to validate it every time I open the ftp client (to avoid this error is necessary save the "not truested" certification in the keychain of my Mac but for a "behaviour safe" I prefer to see the real value of the certification).
For my knowledge, do you have the same problem with your "FTP with TLS/SSL" connections?

yes the same errors

 

[zerozenit]

Hello,
I'm trying to connect by FTP with TLS/SSL (passive mode) on the single hostings but every time my client (transmit) show me the alert "certificate is not trusted".

...

How can I fix it?
Thanks.

View attachment 16269 View attachment 16270 View attachment 16271

Hi MicheleB,

I also had the exact same problem. I solved it in this way:

On Transmit: Preferences -> Advanced -> Server (Default) -> Advanced: activated the check on "Use TLS v1.2 encryption".

Enjoy it!

Paolo

 

[MicheleB]

Hi MicheleB,

I also had the exact same problem. I solved it in this way:

On Transmit: Preferences -> Advanced -> Server (Default) -> Advanced: activated the check on "Use TLS v1.2 encryption".

Enjoy it!

Paolo

Thanks Paolo but unfortunately in my case your tip doesn't work ("Use TLS v.1.2 encryption" was already activated on Transmit).
I think it's a problem with "Let's Encrypt" certificate, managed/generated from the "SSL it!" extension but without an official reply from their technical support is impossible to me go beyond.
Anyway, thanks for the tip.

 

[zerozenit]

Thanks Paolo but unfortunately in my case your tip doesn't work ("Use TLS v.1.2 encryption" was already activated on Transmit).
I think it's a problem with "Let's Encrypt" certificate, managed/generated from the "SSL it!" extension but without an official reply from their technical support is impossible to me go beyond.
Anyway, thanks for the tip.

Have you installed and enabled recommended the two extensions (CA plugins) from SSL It !? In particular DigiCert SSL 1.5+. In my case I also enabled and synchronized TLS versions and ciphers by Mozilla (Modern configuration). I have your identical server and client configuration so I don't explain how it can't work.

 

[zerozenit]

The only configuration difference is that you use a Letsencrypt wildcard certificate for Plesk and for all domains. While I use a Letsencrypt certificate for Plesk and a specific Letsencrypt certificate for each domain. I don't think this could be the problem but you can give it a try.

 

[MicheleB]

I've tried all possible configurations but... nothing, always the alert "certificate is not trusted".
About the CA plugins, they're installed and enabled:

 

[daanse]

same here with me aswell.

 

[MicheleB]

same here with me aswell.

Unfortunately, it would seem that there is no solution to this problem with Plesk (I've another server with DirectAdmin and the ftp connections works good, not show me this alert).

 

[learning_curve]

@MicheleB Just as an alternative (depends on how many of your users you think can / would be suitable etc) Could you not switch to SFTP SSH2 - Key based authorisiation instead of FTP and Certificates? We have multiple *wildcard domains but we only use this method on them all and never have had any issues or problems. It's fast, it's very secure; you can restrict SSH access by IP in advance anyway & then there's the key based authorisiation afterwards etc. Works fine in Filezilla and on Macs too (both of which we use) Here's a Filezilla reference page: Howto - FileZilla Wiki if you wanted to read more / try it

 

[MicheleB]

@MicheleB Just as an alternative (depends on how many of your users you think can / would be suitable etc) Could you not switch to SFTP SSH2 - Key based authorisiation instead of FTP and Certificates? We have multiple *wildcard domains but we only use this method on them all and never have had any issues or problems. It's fast, it's very secure; you can restrict SSH access by IP in advance anyway & then there's the key based authorisiation afterwards etc. Works fine in Filezilla and on Macs too (both of which we use) Here's a Filezilla reference page: Howto - FileZilla Wiki if you wanted to read more / try it

Thanks, I'll take a look... however, the most frequent use on my server is to activate an ftp account to access specific folders of the hosting plan (not only the root but also subfolders as for example "/httpdocs/folder-share/"), using the Plesk "FTP access" function present in each dashboard and managed independently by clients... I don't think this is possible with SSH.

 

[learning_curve]

~~the most frequent use on my server is to activate an ftp account to access specific folders of the hosting plan (not only the root but also subfolders as for example "/httpdocs/folder-share/"), using the Plesk "FTP access" function present in each dashboard and managed independently by clients... I don't think this is possible with SSH

We don't require and/or use that type of restriction, but a very quick search would indicate that you probably can, albeit there's additional work to be done of course e.g. SFTP does not restrict user to the subscription's directory Or Linux – Setting Up FTP/SFTP Restricted Access for User – Ryan and Debi & Toren etc

 

[Dada Faitoo]

You need to manually setup the certificate in the IIS settings... IIS -> SRV - > Sites -> "Your FTP Site" -> FTP -> FTP SSL Settings

But you can only select one for all ftp connections :/

If you want no error message, you have to put the slected domain name or the IP Adress as server/host.

If you have a Let's Encrypt certificate, you have to do this like every month... (put a reminder in your calendar, lol)

Vote this feature here, it should fix the issue :

Use Lets Encrypt to secure FTPs connections

Hi, I usually use the ftp.site.com subdomain for the client FTP connections. And to secure those connections I enabled FTPs. But at this point the users receive a certificate host name mismatch because the FTPs connection is being setup using the VPS Lets Encrypt cert. It would be nice to use...

plesk.uservoice.com

They should developp a little more the FTP section (...)

Cheers,
Dada'