FTPS Certificate expired error

Problem Description

Using FTPS with lftp client to my sympl host, I’m getting “Certificate verification: Not trusted” and “Certificate verification: Expired” errors.
I have checked that the LetsEncrypt certificate is current, and renewed it just to make sure.
The certificate entry /etc/ssl/private/pure-ftpd.pem points correctly though a chain of symlinks to /srv/host2.treewind.co.uk/config/ssl/current/ssl.combined.
I don’t use FTP, but one or two hosting customers do, but infrequently, so this problem may have existed since sympl was upgraded (including some FTP changes) in September 2020.

sympl ftp audit domain.name

shows it as enabled (tried on several domains that have ftp passwords)

Any Error Messages

Certificate: CN=host2.treewind.co.uk
 Issued by:        C=US,O=Let's Encrypt,CN=R3
 Checking against: C=US,O=Let's Encrypt,CN=R3
ERROR: Certificate verification: Not trusted (42:CC:BC:77:E7:7A:0B:A3:04:E3:9F:05:2F:8D:21:0A:AD:FB:0A:45)
ERROR: Certificate verification: Expired (42:CC:BC:77:E7:7A:0B:A3:04:E3:9F:05:2F:8D:21:0A:AD:FB:0A:45)
Certificate: C=US,O=Let's Encrypt,CN=R3
 Issued by: O=Digital Signature Trust Co.,CN=DST Root CA X3
  Trusted
**** Certificate verification: Not trusted (42:CC:BC:77:E7:7A:0B:A3:04:E3:9F:05:2F:8D:21:0A:AD:FB:0A:45)

Nothing helpful in log files that I can see.

  • Sympl Version 10.0
  • Sympl Testing Version? No
  • Debian Version Buster
  • Hardware Type? Virtual
  • Hosted On? Bitfolk

My guess is that the cert was rotated okay, but pure-ftpd hasn’t been restarted since.

A quick run of sudo service pure-ftpd restart should fix it.

If I remember correctly, the pure-ftpd in Stretch and Buster doesn’t support SNI, so it has to use the default cert, and a full restart is needed to update the cert, rather than a quick reload of the config, and restarting FTP every time any cert is updated would probably be pretty disruptive.

I’ve added an issue to confirm and investigate.

No, I already restarted it (several times now!) and the wrong cert is still showing.
The transfer log shows activity recently, the last 4 days ago, so I was wrong about the September upgrade - ftp seems to have worked fine since then.
The customer who reported it this morning says he’s “up and running now”, but I’m not sure whether that’s just by relying on my advice to ignore the error in filezilla and click the ‘OK’ button.
I’m still getting the error, and Filezilla shows full details including that the certificate it’s seeing expired on June 8th.
I’m seeing the same error from two different machines at home, too.
I started searching for every file on my server that could be the offending certificate, but it’s a cumbersome process.
You are right about pure-ftpd not having SNI. It will in version 11. All users know the hostname to use.

The customer who reported this is still getting the certificate errors and simply telling Filezilla to override them, and I am seeing the error from different locations.
If I use the openssl command to view the certificate at /etc/ssl/private/pure-ftpd.pem, it shows a certificate with current dates.
If I use lftp or filezilla remotely to connect to the server, they receive an invalid certificate, and filezilla actually shows it expired a month ago.
Log entries prove that I am connecting to the correct server!
It’s as if pure-ftpd is ignoring its config files and secretly fetching a certificate from somewhere else.

It’s as if pure-ftpd is ignoring its config files and secretly fetching a certificate from somewhere else.

I’d probably stop the service fully, and then start it again under strace to see where it’s reading that cert from.

/etc/ssl/private/pure-ftpd.pem should be a symlink to /etc/ssl/ssl.combined on a clean install however, and that should itself link to ‘/srv/example.com/config/ssl/current/ssl.combined’, which should be valid and up to date.
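The check the two posts above circle around (the file on disk looks fine, yet clients receive an expired certificate) can be made direct by comparing the SHA-1 fingerprint of the leaf certificate in /etc/ssl/private/pure-ftpd.pem with the one the live daemon presents after AUTH TLS, the same fingerprint lftp prints in parentheses. This is an added example, not code from the thread or from Sympl; it assumes Python 3 with only the standard library, explicit FTPS on port 21, and a host name and optional PEM path on the command line (the SAMPLE_* values are constructed stand-ins, not a real certificate).

```python
import base64
import ftplib
import hashlib
import os
import re
import ssl
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a DER certificate, used only to exercise the helpers offline.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def fingerprint_of_der(der):
    """SHA-1 fingerprint in the colon-separated form lftp prints in parentheses."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def leaf_fingerprint_of_pem(pem_text):
    """Fingerprint of the first CERTIFICATE block (the leaf) in a bundle such as ssl.combined."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return fingerprint_of_der(base64.b64decode("".join(match.group(1).split())))


def served_leaf_fingerprint(host, port=21):
    """Fingerprint of the certificate the live daemon presents after AUTH TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # read the cert even if it is expired; nothing is trusted here
    ftps = ftplib.FTP_TLS(context=ctx)
    ftps.connect(host, port, timeout=10)
    try:
        ftps.auth()  # AUTH TLS: the control connection becomes an SSLSocket
        return fingerprint_of_der(ftps.sock.getpeercert(binary_form=True))
    finally:
        ftps.close()


if __name__ == "__main__":
    host = sys.argv[1]
    pem_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssl/private/pure-ftpd.pem"
    print("on-disk file resolves to:", os.path.realpath(pem_path))  # follows the symlink chain
    with open(pem_path) as f:
        on_disk = leaf_fingerprint_of_pem(f.read())
    served = served_leaf_fingerprint(host)
    print("on-disk:", on_disk, "\nserved: ", served)
    print("MATCH" if on_disk == served else "MISMATCH: the daemon is not serving the file on disk")
```

A MISMATCH while the on-disk file is current points at a running process that still holds the old certificate, which is what a full stop/start or reboot clears.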

I couldn’t get strace to show anything about the cert file, but rebooting the server (now it’s past 11pm and hopefully not too busy) has fixed the problem!
Thanks for the suggestions, anyway. I didn’t know about strace, and it looks like the sort of tool that might be useful for debugging stuff like this.