Root Certificate expired for Filezilla but not for Firefox

That looks like ProFTPD only ever sends the leaf cert as I described in post #17. And, Filezilla is not able to build a proper trust chain from just that leaf. I have no idea how to modify Filezilla to affect that. Possibly by removing the DST Root CA X3 from your Windows CA store (somehow).

So, unless there is a way to have your FTP server send the intermediate chain too you cannot resolve this from the server side. I looked at their docs quick and did not see any other setting than the ones you use but I could have missed something.

Your simplest solution might be using a cert from another CA authority. Certbot supports that. It might well resolve this problem but I cannot give any guarantee

UPDATE: @manu2 I found a TLSCertificateChainFile setting in ProFTPD which should work.
http://www.proftpd.org/docs/contrib/mod_tls.html#TLSCertificateChainFile
It sounds like you would use the fullchain.pem file for this instead of the TLSRSACertificateFile setting. Make sure it is the modified fullchain which was your original less the last DST Root CA X3 cert. Now you know how to check the chain sent so you can experiment. Let us know for benefit of future readers. Thanks

So it works as you said, but it still requires the TLSRSACertificateFile line (else no certificate is sent), like this :

TLSRSACertificateFile /etc/letsencrypt/live/static.managames.com/fullchain_FTP.pem
TLSCertificateChainFile /etc/letsencrypt/live/static.managames.com/fullchain_FTP.pem
TLSRSACertificateKeyFile /etc/letsencrypt/live/static.managames.com/privkey.pem

If I use the original file with the 3 certificates, then FileZilla has 2 intermediate ones, one ok, one not ok, and only 1 root one which is still the expired one.

So I guess I should do as you said in your 1st message : update CertBot and make it generate automatically the 2-certificate file when generating the new certificate.

EDIT:
according to decoder.link/sslchecker , everything is ok when using the 3-certificate original file, so it's likely FileZilla which is not able to handle the long chain.

This:

Should either be this way:

TLSRSACertificateFile   /etc/letsencrypt/live/static.managames.com/cert.pem
TLSCertificateChainFile /etc/letsencrypt/live/static.managames.com/chain.pem

OR this way:

TLSRSACertificateFile   /etc/letsencrypt/live/static.managames.com/fullchain.pem
#TLSCertificateChainFile 

Also, which port did you check with decoder.link ?
[FileZilla might not be using port 443]

@rg305 I am not sure the 'File' and 'Chain' in ProFTPD work like they do with Apache. The docs for ProFTPD are here and say the 'Chain' is an all-in-one starting with the server cert.
http://www.proftpd.org/docs/directives/linked/config_ref_TLSCertificateChainFile.html

I originally said for them to remove 'File' and just use 'Chain' but was told that did not send any cert.

From their docs the 'File' should always be just the 'cert.pem' though and not 'fullchain' although it seems to use just the first one anyway based on results earlier in the thread.

@manu2 Yes, we already knew you cannot use the "long chain" with Filezilla. The fullchain_FTP.pem should be as it was from Certbot but manually edited to remove the last cert. This is how you manually create a "short chain".

Further, I already linked to a thread that showed a failure to update Certbot with Debian 9. I do not know why you would have better luck.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.