TITLE:
SSL CA Cert not set in ProFTPd config
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE: CentOS 7 (but also any other), Plesk 12.5 and 17
PROBLEM DESCRIPTION: Plesk's ProFTPd config (/etc/proftpd.conf) adopts the same SSL cert used to secure the :8443 interface via these directives:
TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
However, it fails to make use of the directive:
TLSCACertificateFile
which should be pointed at the same CA cert that the :8443 interface uses, e.g.:
TLSCACertificateFile /usr/local/psa/admin/conf/rootchain.pem
Without this, ProFTPd sends only the server certificate and not the intermediate chain, so if your server is using a real CA-issued SSL cert for Plesk, users connecting with FTPS will get an error about the certificate either not being valid or not being issued by a recognized authority.
STEPS TO REPRODUCE:
Install Plesk 12.5+, add a CA-issued SSL cert to secure the panel (which these days is guaranteed to require an intermediate), set it active for securing the panel, configure the security settings to require TLS for FTP.
Now, connect using an FTP client that validates the SSL certificate, or just use openssl on the command line, replacing SERVER_FQDN with the recognized name of the server that the SSL cert was issued to:
openssl s_client -starttls ftp -connect SERVER_FQDN:21
ACTUAL RESULT:
If testing via a real client, you get an error about the SSL cert not being recognized or not being issued by a valid authority. If testing via openssl, you'll see a few of these at first:
CONNECTED(00000003)
depth=0....
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 ....
verify error:num=27:certificate not trusted
verify return:1
depth=....
verify error:num=21:unable to verify the first certificate
verify return:1
---
and then further down:
Verify return code: 21 (unable to verify the first certificate)
EXPECTED RESULT:
No error, or if testing via openssl, no verify issues:
CONNECTED(00000003)
...
Verify return code: 0 (ok)
ANY ADDITIONAL INFORMATION:
Adding this to the /etc/proftpd.conf is all that is needed to fix the issue:
TLSCACertificateFile /usr/local/psa/admin/conf/rootchain.pem
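As an added helper (not part of Plesk or ProFTPd), the following script checks a proftpd.conf for exactly this misconfiguration and extracts the verify code from saved openssl s_client output so the check can be scripted. The config and s_client excerpts below are constructed samples, not copied from a real server.

```shell
#!/bin/sh
# Report whether a proftpd.conf that serves a TLS certificate also points
# TLSCACertificateFile at the CA chain. Prints one of: tls-off, missing-ca-chain, ok
audit_proftpd_tls() {
    conf="$1"
    if ! grep -Eiq '^[[:space:]]*TLSRSACertificateFile[[:space:]]' "$conf"; then
        echo tls-off
    elif ! grep -Eiq '^[[:space:]]*TLSCACertificateFile[[:space:]]' "$conf"; then
        echo missing-ca-chain
    else
        echo ok
    fi
}

# Pull the numeric verify code out of saved "openssl s_client -starttls ftp" output:
# 0 means the chain validated, 21 is the symptom in this report
# (unable to verify the first certificate).
s_client_verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' "$1" | tail -n 1
}

# Constructed samples: the TLS lines Plesk writes, the same config with the
# missing directive added, a config with no TLS at all, and two s_client excerpts.
workdir=$(mktemp -d)
cat > "$workdir/broken.conf" <<'EOF'
TLSEngine on
TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
EOF
{ cat "$workdir/broken.conf"
  echo 'TLSCACertificateFile /usr/local/psa/admin/conf/rootchain.pem'; } > "$workdir/fixed.conf"
: > "$workdir/none.conf"
printf 'CONNECTED(00000003)\nVerify return code: 21 (unable to verify the first certificate)\n' \
    > "$workdir/broken.out"
printf 'CONNECTED(00000003)\nVerify return code: 0 (ok)\n' > "$workdir/fixed.out"

for f in broken fixed; do
    echo "$f.conf: $(audit_proftpd_tls "$workdir/$f.conf")"
    echo "$f.out:  verify code $(s_client_verify_code "$workdir/$f.out")"
done
```

On a live server, capture the output of the openssl command from the steps above with `</dev/null > s_client.out` and pass that file to s_client_verify_code.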
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug