Knowledge Base

Error is shown when accessing a FTP server over FTPS: The server’s certificate is unknown. Please carefully examine the certificate to make sure the server can be trusted

 
backupplesk for linuxplesk updatesserverssh

Symptoms

  • Plesk and the FTP server are secured with a valid SSL certificate.

  • In the ProFTPd configuration files the parameterTLSCACertificateFile is missing:

    # egrep -Ri TLSCACertificateFile /etc/proftpd.*
    (Empty Output)

  • One of the following errors might be shown when accessing a server via FTPS:

    The server's certificate is unknown. Please carefully examine the certificate to make sure the server can be trusted.
    Fatal Error: Certificate verification: Not trusted

  • One of the following errors might be shown when performing a PCI compliance scan:

    SSL Certificate is Not Trusted (External Scan)
    SSL Certificate Chain Not Trusted (External Scan)

  • Checking FTPS connection with OpenSSL utility shows the following error:

    # openssl s_client -showcerts -starttls ftp -servername plesk.example.com -connect plesk.example.com:21
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = plesk.example.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 CN = plesk.example.com
    verify error:num=21:unable to verify the first certificate
    verify return:1

    * Where plesk.example.com is the Plesk hostname protected with a valid SSL certificate

  • Error when using FileZilla client:

    Error: The data connection could not be established: ECONNREFUSED - Connection refused by server

  • Error when transferring data using lftp utility:

    Certificate: CN=plesk.example.com Issued by: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 WARNING: Certificate verification: Not trusted

  • A backup configured to the remote FTP server over FTPS fails with the following error:

    PLESK_ERROR: Warning:
    Unable to upload the backup to the external storage: Unable to set backup sign certificate

Cause

This is Plesk bug with ID #PPPM-6559 which will be fixed in future Plesk updates.

Note: Subscribe to this article to get notified once a fix will become available

Resolution

As a workaround:

  1. Connect to the server via SSH

  2. Create an additional ProFTPd configuration file /etc/proftpd.d/00-PPPM-6559.conf with the following command:

    Warning: It is required to run the full command, make sure it is copied and pasted fully.

    # echo -e “<Global>n<IfModule mod_tls.c>nTLSCACertificateFile /usr/local/psa/admin/conf/httpsd.pemn</IfModule>n</Global>” > /etc/proftpd.d/00-PPPM-6559.conf

  3. The additional ProFTPd configuration file /etc/proftpd.d/00-PPPM-6559.conf will be created with the following content:

    # cat /etc/proftpd.d/00-PPPM-6559.conf
    <Global>
    <IfModule mod_tls.c>
    TLSCACertificateFile /usr/local/psa/admin/conf/httpsd.pem
    </IfModule>
    </Global>

Note: According to Filezilla forum, by default FileZilla automatically does not trust any certificate. It is required to add the certificate to trusted ones during the first connect.

Read the full article
Related Posts
Knowledge Base

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2021 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with 💙  with Plesk WordPress Toolkit

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt