
Forwarded to devs SSL CA Cert not set in ProFTPd config

HostaHost

Regular Pleskian
TITLE:
SSL CA Cert not set in ProFTPd config
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
CentOS 7 (but also any other), Plesk 12.5 and 17
PROBLEM DESCRIPTION:
Plesk's ProFTPd config (/etc/proftpd.conf) adopts the same SSL cert used to secure the :8443 interface via these directives:

TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

However, it fails to make use of the directive:

TLSCACertificateFile

which should be pointed at the same CA cert that the :8443 interface uses, e.g.:

TLSCACertificateFile /usr/local/psa/admin/conf/rootchain.pem

Without this, if your server is using a real CA-issued SSL cert for Plesk, then users connecting with FTPS will get an error about the certificate either not being valid or not being issued by a recognized authority.
STEPS TO REPRODUCE:
Install Plesk 12.5+, add a CA-issued SSL cert to secure the panel (which these days is guaranteed to require an intermediate), set it active for securing the panel, configure the security settings to require TLS for FTP.

Now, connect using an FTP client that validates the SSL or just use openssl on the command line, replacing SERVER_FQDN with the recognized name of the server that the SSL was issued to:

openssl s_client -starttls ftp -connect SERVER_FQDN:21
ACTUAL RESULT:
If testing via real client, an error about the SSL not being recognized or not issued by a valid authority. If testing via openssl, you'll see a few of these at first:

CONNECTED(00000003)
depth=0....
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 ....
verify error:num=27:certificate not trusted
verify return:1
depth=....
verify error:num=21:unable to verify the first certificate
verify return:1
---

and then further down:

Verify return code: 21 (unable to verify the first certificate)
EXPECTED RESULT:
No error, or if testing via openssl, no verify issues:

CONNECTED(00000003)
...
Verify return code: 0 (ok)
ANY ADDITIONAL INFORMATION:
Adding this to the /etc/proftpd.conf is all that is needed to fix the issue:

TLSCACertificateFile /usr/local/psa/admin/conf/rootchain.pem
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Thank you! Bug was confirmed and submitted as PPPM-6559
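
An added example, not part of the original report and not Plesk or ProFTPD code: a shell check for the condition the report describes (a `TLSRSACertificateFile` with no `TLSCACertificateFile`), plus a helper that reads the verify code out of `openssl s_client` output. The function names, the sample config and the sample transcript are constructed for illustration, and the check looks only at the directives named in the report.

```shell
# Added example, not Plesk or ProFTPD code. Sample inputs are constructed.

# Config as described in the report: server cert set, no CA chain directive.
sample_conf_before() {
cat <<'EOF'
TLSEngine on
TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
# TLSCACertificateFile /usr/local/psa/admin/conf/rootchain.pem
EOF
}

# Same config with the one-line fix from the report applied.
sample_conf_after() {
    sample_conf_before | sed 's/^# TLSCACertificateFile/TLSCACertificateFile/'
}

# Read a ProFTPD config on stdin. Prints "ok", "no-tls-cert" or
# "missing-ca-chain" (exit 1). Commented-out directives are ignored.
check_ftps_chain() {
    awk '
        tolower($1) == "tlsrsacertificatefile" { cert = $2 }
        tolower($1) == "tlscacertificatefile"  { ca = $2 }
        END {
            if (cert == "")    { print "no-tls-cert" }
            else if (ca == "") { print "missing-ca-chain"; exit 1 }
            else               { print "ok" }
        }'
}

# Read `openssl s_client` output on stdin, print the numeric verify code.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed s_client transcript matching the ACTUAL RESULT in the report.
sample_s_client() {
cat <<'EOF'
CONNECTED(00000003)
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

printf 'before fix: %s\n' "$(sample_conf_before | check_ftps_chain)"
printf 'after fix:  %s\n' "$(sample_conf_after | check_ftps_chain)"
printf 'verify code: %s\n' "$(sample_s_client | verify_code)"
```

On a server, feed `/etc/proftpd.conf` to `check_ftps_chain` on stdin and pipe the `openssl s_client` command from the report into `verify_code`; a result of 0 corresponds to the EXPECTED RESULT above.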
 