Updating certificate for FTP site for IIS 10 - FTP client does not see newly updated certificate on primary connection
I run a website that uses IIS 10's FTP server and I have it set up to use Explicit FTP over TLS and it's worked great for the last year+. I bought the server certificate through Digicert.
The server certificate expired on 2019-01-04. I renewed the certificate at Digicert, one that is good through 2021. I then installed it on the Windows server, and updated the FTP site to use the new certificate.
However, when I try connecting with FileZilla Client, the log reports the following:
Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
But then up pops a warning saying that the certificate expired on 2019-01-04.
If I click Ok, it continues, but then it says: Primary connection and data connection certificates don't match. Here's the log following the "Initializing TLS..."
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (38,101,199,155,19,46).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Primary connection and data connection certificates don't match.
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Response: 226 Transfer complete.
Error: Failed to retrieve directory listing
Status: Disconnected from server: ECONNABORTED - Connection aborted
It's like the Initializing TLS logic is somehow grabbing the OLD certificate, but once it connects, it's grabbing the NEW certificate and seeing they don't match.
If I update the IIS FTP server to use the OLD certificate and retry connecting, I get the same expired certificate warning on Initializing TLS, but then when I click Ok it connects and I can transfer files without issue (albeit, I have to confirm that the certificate is expired every transfer).
What's going on here? Is FileZilla Client caching the Initializing TLS certificate? Is there some other setting or action I need to take in the IIS FTP configuration to get the new certificate "to take?" (I tried rebooting the web server after updating the certificate - still no dice, same problem.)
EDIT 2019-01-13: I went ahead and removed the expired certificate from the Windows Certificate Store and now when I try to connect via FTP it fails on the AUTH TLS command:
Status: Connecting to ...
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 431 Failed to setup secure session.
Command: AUTH SSL
Response: 431 Failed to setup secure session.
Error: Could not connect to server
This tells me that it's a server-side problem. Namely, the server is trying to find the expired certificate, but can't. I'm at a loss as to why IIS FTP is still trying to use the old certificate.
If I look in %WinDir%\System32\Inetsrv\Config\applicationHost.config, I see these settings for the FTP server section:
<ftpServer>
    <security>
        <ssl serverCertHash="E10..." serverCertStoreName="My" ssl128="false" controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
        <authentication>
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</ftpServer>
The serverCertHash reported is the Thumbprint of the current certificate (not the expired one) so I am at a loss as to how/where/why IIS FTP is using the expired one for AUTH TLS.
EDIT 2019-02-13:
Unfortunately, I wasn't able to get this working. In the end, I installed FileZilla Server and created a self-signed certificate for use by FileZilla Server.
Thanks
I was at a loss on this one and stumbled upon the fix (works for me now).
- Select the root node of the IIS server in IIS Manager
- Choose FTP SSL settings in the right pane
- Choose and apply the new certificate to the root node
It's now working for me with multiple ftp hosts. I had previously just applied the certificate to each host node...
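The fix above implies that more than one FTP SSL setting can carry a certificate thumbprint, so checking a single `<ftpServer>` block is not enough. The following is an added example, not code from the original posts: it lists every `serverCertHash` found in a config document and flags the ones that are expired or missing from the store. The function name `Get-FtpCertBinding`, the `<siteDefaults>`/`<site>` layout of the sample, the site name, thumbprints and dates are all assumptions constructed for illustration.

```powershell
# Constructed sample: the <ssl> element mirrors the question's snippet; the
# <sites>/<siteDefaults>/<site> wrappers, names and thumbprints are assumptions.
$sampleConfig = [xml]@'
<configuration><system.applicationHost><sites>
  <siteDefaults>
    <ftpServer><security>
      <ssl serverCertHash="AAAA1111OLD" serverCertStoreName="My" />
    </security></ftpServer>
  </siteDefaults>
  <site name="ftp-example">
    <ftpServer><security>
      <ssl serverCertHash="bbbb2222new" serverCertStoreName="My" />
    </security></ftpServer>
  </site>
</sites></system.applicationHost></configuration>
'@

function Get-FtpCertBinding {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        # Thumbprint -> NotAfter for certificates present in the store
        [Parameter(Mandatory)] [hashtable] $StoreCerts,
        [datetime] $Now = (Get-Date)
    )
    foreach ($ssl in $Config.SelectNodes('//ftpServer/security/ssl[@serverCertHash]')) {
        # ssl -> security -> ftpServer -> owning element (<site> or <siteDefaults>)
        $owner = $ssl.ParentNode.ParentNode.ParentNode
        $scope = $owner.get_LocalName()
        if ($scope -eq 'site') { $scope = "site '$($owner.GetAttribute('name'))'" }
        $hash = $ssl.GetAttribute('serverCertHash').ToUpperInvariant()
        $state = 'OK'
        if (-not $StoreCerts.ContainsKey($hash)) { $state = 'MissingFromStore' }
        elseif ($StoreCerts[$hash] -lt $Now) { $state = 'Expired' }
        [pscustomobject]@{ Scope = $scope; Thumbprint = $hash; State = $state }
    }
}

# Constructed store contents and clock, so the sample runs on any machine.
$sampleStore = @{
    'AAAA1111OLD' = [datetime]'2019-01-04'
    'BBBB2222NEW' = [datetime]'2021-01-04'
}
Get-FtpCertBinding -Config $sampleConfig -StoreCerts $sampleStore -Now ([datetime]'2019-01-13')

# Against the live server (assumes the LocalMachine\My store; run elevated):
# $store = @{}
# Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { $store[$_.Thumbprint] = $_.NotAfter }
# $path = "$env:WinDir\System32\inetsrv\config\applicationHost.config"
# Get-FtpCertBinding -Config ([xml](Get-Content $path -Raw)) -StoreCerts $store
```

With the constructed sample, the `siteDefaults` row is reported as `Expired` while the `ftp-example` site row is `OK`. A row marked `MissingFromStore` corresponds to the state after the old certificate was deleted, where `AUTH TLS` returned 431.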