0

I am trying to access a Filezilla Server using FtpWebRequest in Powershell, like this:

$ftprequest = [System.Net.FtpWebRequest]::Create($sourceuri)
$ftprequest.Method = ([System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails + " -a")
$ftprequest.Credentials = New-Object System.Net.NetworkCredential($username,$password)
$ftprequest.EnableSsl = $true

In Filezilla Server there is a "Generate New Certificate" which is what I used to create the certificate. This created a .crt file that Filezilla is pointing to for both the private key and certificate file.

The server is also configured with the options "Enable FTPS" and "Allow explicit FTP over TLS".

I am able to happily access the server using the Filezilla Client (although it warns that the server's certificate is unknown).

To access the server from a Powershell client, without getting complaints about the certificate, my understanding is the best thing to do is import the certificate on the client machine. I managed to do this by downloading the .crt file, manually stripping out the private key portion using Notepad, and then running:

Import-Certificate -FilePath .\filezillaCertificate.crt -CertStoreLocation cert:\CurrentUser\My

However, trying to connect using FtpWebRequest I still receive the error "The remote certificate is invalid according to the validation procedure."

Can anyone point me in the right direction?

cbp
  • 25,252
  • 29
  • 125
  • 205
  • I have also tried adding the certificate directly to the FtpWebRequest object using `$cert=New-Object ([System.Security.Cryptography.X509Certificates.X509Certificate]::CreateFromCertFile("D:\Temp\certificate.crt"))` `$ftprequest.ClientCertificates.Add($cert)` – cbp Jan 29 '18 at 02:49
  • Possible duplicate of [Using a self-signed certificate with .NET's HttpWebRequest/Response](https://stackoverflow.com/questions/526711/using-a-self-signed-certificate-with-nets-httpwebrequest-response) – Martin Prikryl Jan 29 '18 at 07:15

1 Answers1

1

This is not a PoSH issue. It is a pure PKI 101 (cert implementation) issue.

Self-signed certificates will always be considered untrusted in most cases, because there is no way to validate it, no public registered body for it and no public CRL (Certificate Revocation List / Authority) associated with it.

You cannot create a PKI cert for a remote location on your local machine. You must create the cert on the remote location, or buy a public cert and install it on the remote location certificate store. The public and private key must reside on the remote server / site. For any server / site, the certificate must be registered / issued to that server then manually assigned to a site (FTP/s, HTTP/s).

Then, you download the public cert from the destination and install that on your local machine. Normally installed to the local machine store. If you cannot download that public certificate and certificate chain using a browser, by clicking on the lock, after visiting the site, then you must request that the destination server/site owner send you the public cert for you to install locally. Again, normally installed to the local machine store.

I know your post is about a Filezilla server (Full Disclosure: I've never seen on used one), but the approach as shown in the articles below on setting up FTP over SSL on IIS should be similar.

FTP over SSL

The element specifies the FTP over Secure Sockets Layer (SSL) settings for the FTP service; FTP over SSL was first introduced for IIS 7 in FTP 7.0.

Unlike using HTTP over SSL, which requires a separate port and connection for secure (HTTPS) communication, secure FTP communication occurs on the same port as non-secure communication. FTP 7 supports two different forms of FTP over SSL:

https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/ftpserver/security/ssl

https://learn.microsoft.com/en-us/iis/publish/using-the-ftp-service/using-ftp-over-ssl-in-iis-7

Update to find the FileZilla SSL guidance

Install a SSL certificate on FileZilla FTP Server https://www.tbs-certificates.co.uk/FAQ/en/FileZilla_FTP_Server.html

Installing a certificate on an OpenSSL-based server is really similar than doing so on Apache: Install an Apache certificate, except that the instructions indicating the path to th files are not the same! for FTP FileZilla server, via the interface: FileZilla Server Option -> SSL/TLS settings:

•import the private key (.key file generated along with the CSR) in "Private key file".

•import the certificate and the certification chain in the same file: 1) on your certificate status page, download the "file.cer" file and the certification chain "chain-xxx.txt" 2) concatenate those two files into one 3) import the file in "Certificate file"

How to connect FTP over SSL/TLS in FileZilla?

Create Site

  1. Go to File >> Site Manager >> New Site.

  2. Following are the required details to fill up.

• Host: Enter Hostname(i.e. ftp.yourdomain.com) or IP address which we have sent in Welcome e-mail. • Port: 21 (Default FTP port is 21, you can also keep it blank). • Protocol: FTP - File Transfer Protocol. • Encryption: Select Required explicit FTP over TLS from dropdown list. • Logon Type: Select Normal from the dropdown list. • User: Your FTP username. • Password: Your FTP Password.

https://manage.accuwebhosting.com/knowledgebase/761/How-to-connect-FTP-over-SSLorTLS-in-FileZilla.html

The FileZilla wiki also talks to how to do the SSL implementation.

postanote
  • 15,138
  • 2
  • 14
  • 25
  • Thanks a lot of all the info. I _think_ I'm following these points correctly: I have the certificate installed on FileZilla and my local machine, but unfortunately I'm still not getting any joy when connecting. My guess is there are details I'm missing in regards to the construction of the certificate, where it is installed, or maybe how the FTP client uses it. Looking at some other SO questions, it seems that most people just ignore all certificates entirely, and globally, by returning true ServicePointManager.ServerCertificateValidationCallback... doesn't seem like the best idea to me... – cbp Jan 30 '18 at 04:49
  • 1
    Ditto, that your cert deployment is a sticking point. Yep, many ignore cert issues but normally only if they control source and destination. Otherwise, no, ignoring certs is a bad thing. If you are going to ignore them anyway, then why use them at all. – postanote Jan 30 '18 at 22:17