Symptoms
-
Plesk and the FTP server are secured with a valid SSL certificate.
-
In the ProFTPd configuration files the parameter
TLSCACertificateFile
 is missing:# egrep -Ri TLSCACertificateFile /etc/proftpd.*
(Empty Output) -
One of the following errors might be shown when accessing a server via FTPS:
The server's certificate is unknown. Please carefully examine the certificate to make sure the server can be trusted.
Fatal Error: Certificate verification: Not trusted
-
One of the following errors might be shown when performing a PCI compliance scan:
SSL Certificate is Not Trusted (External Scan)
SSL Certificate Chain Not Trusted (External Scan)
-
Checking FTPS connection with OpenSSL utility shows the following error:
# openssl s_client -showcerts -starttls ftp -servername plesk.example.com -connect plesk.example.com:21
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = plesk.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = plesk.example.com
verify error:num=21:unable to verify the first certificate
verify return:1* Where
plesk.example.com
is the Plesk hostname protected with a valid SSL certificate -
Error when using FileZilla client:
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
-
Error when transferring data using lftp utility:
Certificate: CN=plesk.example.com Issued by: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 WARNING: Certificate verification: Not trusted
-
A backup configured to the remote FTP server over FTPS fails with the following error:
PLESK_ERROR: Warning:
Unable to upload the backup to the external storage: Unable to set backup sign certificate
Cause
This is Plesk bug with IDÂ #PPPM-6559Â which will be fixed in future Plesk updates.
Note: Subscribe to this article to get notified once a fix will become available
Resolution
As a workaround:
-
Connect to the server via SSH
-
Create an additional ProFTPd configuration file
/etc/proftpd.d/00-PPPM-6559.conf
with the following command:Warning: It is required to run the full command, make sure it is copied and pasted fully.
# echo -e “<Global>n<IfModule mod_tls.c>nTLSCACertificateFile /usr/local/psa/admin/conf/httpsd.pemn</IfModule>n</Global>” > /etc/proftpd.d/00-PPPM-6559.conf
-
The additional ProFTPd configuration file
/etc/proftpd.d/00-PPPM-6559.conf
 will be created with the following content:# cat /etc/proftpd.d/00-PPPM-6559.conf
<Global>
<IfModule mod_tls.c>
TLSCACertificateFile /usr/local/psa/admin/conf/httpsd.pem
</IfModule>
</Global>
Note:Â According to Filezilla forum, by default FileZilla automatically does not trust any certificate. It is required to add the certificate to trusted ones during the first connect.