Plesk Obsidian, Wildcard Let's Encrypt, FTP with TLS/SSL, certificate is not trusted

Hello,
I’m trying to connect by FTP with TLS/SSL (passive mode) on the single hostings but every time my client (Transmit) shows me the alert “certificate is not trusted”.

At the moment I’m using the free Wildcard Let’s Encrypt associated with the main domain (e.g. mydomain.com) of the server, set in the “Certificate for securing Plesk” of the control panel as reported in this tech post:
Is it possible to install a certificate to secure FTP for a specific domain on Plesk server?

I also tried to change to other certificates such as “Positive SSL Wildcard” (*.mydomain.com) and “Positive SSL Multi Domain” (“mydomain.com” set to primary, “mail.mydomain.com” and “ftp.mydomain.com” set as SAN) but nothing, always the “certificate is not trusted” error.

In the “address” field of my ftp client I’ve used mydomain.com and ftp.mydomain.com format but the error is always the same.

How can I fix it?
Thanks.

Hi @Mickele

your domain name is required to test your configuration.

Hi @JuergenAuer,
the domain is microluxnet .it

The domain has a working and valid Letsencrypt certificate - there is a check of your domain - some hours old - https://check-your-website.server-daten.de/?q=microluxnet.it

Ftp works.

Checked Ftp via OpenSsl that’s correct.

openssl s_client -connect ftp.microluxnet.it:21 -starttls ftp


So there is no problem visible.

There is a small error: Your certificate chain is incomplete.

Certificate chain
0 s:CN = microluxnet.it
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3

Your server doesn’t send the intermediate Letsencrypt certificate.

Use fullchain instead of chain.pem.

2 Likes
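Added example, not part of any post in this thread: a small check that reads the "Certificate chain" section printed by the `openssl s_client` command quoted above and reports why a client could not build a trust path. The sample outputs, the function names and the one-entry root store are assumptions constructed for the illustration.

```python
import re

# Constructed samples of the "Certificate chain" section from
#   openssl s_client -connect HOST:21 -starttls ftp
# LEAF_ONLY reproduces the chain quoted in the thread.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = microluxnet.it
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
"""
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:CN = microluxnet.it
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Assumption: stand-in for the FTP client's root store (one root only).
TRUSTED_ROOTS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}

ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer>"

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        if m := ENTRY.match(line):
            subject = m.group(2).strip()
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def chain_problems(text, trusted_roots):
    """List reasons a client holding only `trusted_roots` cannot build a path."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificates found in input"]
    problems = []
    # Every certificate must be followed by the certificate that issued it.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"'{subj}' is followed by '{next_subj}', not its issuer")
    # The last certificate sent must chain directly to a root the client has.
    last_subject, last_issuer = chain[-1]
    if last_issuer not in trusted_roots:
        kind = "self-signed and untrusted" if last_issuer == last_subject else "not sent and not a trusted root"
        problems.append(f"issuer '{last_issuer}' is {kind}")
    return problems
```

For `LEAF_ONLY` the check reports that the intermediate was not sent, which matches the "certificate is not trusted" alert in a client that does not fetch missing intermediates on its own.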

I’m not an expert on SSL certifications, and on Plesk I’m using “SSL It! extension” to manage all of them:
https://docs.plesk.com/en-US/obsidian/reseller-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/securing-connections-with-the-ssl-it!-extension/evaluating-the-ssl-security-of-your-website.65160/#getting-started-with-ssl-it

Could you give me more info about how to use fullchain instead of chain.pem?
Thanks!

If your client creates and installs the certificate, your client is buggy.

So ask Plesk / in the Plesk forum why the intermediate certificate isn’t installed.

Your first screenshot: What do “Trust” + “Details” say?

2 Likes

I sent you a message privately.

Every user of your website sees the same information. This information is publicly logged (in CT logs).

Yes, you’re right (I’m very reserved, perhaps exaggeratedly)… anyway I’ve opened a request on the Plesk forum, let’s see if someone answers me in the next few days otherwise I’ll try to send a request for assistance. Thanks for all the valuable information you have given me. :+1:

1 Like
