Cannot Get FTP over TLS to Function

PaulScott
500 Command not understood
Posts: 5
Joined: 2017-07-24 23:38
First name: Paul
Last name: Scott

Cannot Get FTP over TLS to Function

#1 Post by PaulScott » 2017-07-25 18:36

I changed the certificate on the server side (Windows 2012 R2), and FileZilla did not detect the change and I still cannot log in using explicit FTP over TLS. So I also uninstalled FileZilla completely from the client machine, then re-installed it, and I still do not get prompted to accept the new certificate. However, I might add that I've never successfully been able to get TLS to work, but I was at least getting the prompt to accept the certificate, about 2 days ago, but was getting a different GnuTLS certificate error. I have been working on getting this to work for several weeks with no success. I checked the System Events in the Event Viewer, and found the following:

An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data.

A quick search of the Internet turned up this article:

https://technet.microsoft.com/en-us/lib ... 2147217396

Wherein the author states that certificates must be "registered with the server."

I am a very experienced programmer and IT person, and normally can figure this stuff out on my own, but this one truly has me stumped. I have FTP working fine for multiple sites in plain FTP (insecure) mode, PASSIVE and ACTIVE, but cannot get it to work using SSL certificates in TLS mode. This is what I am getting when I try to connect:

Status: Resolving address of ftp.drdang.net
Status: Connecting to xx.xx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 431 Failed to setup secure session.
Command: AUTH SSL
Response: 431 Failed to setup secure session.
Error: Could not connect to server

I did try FileZilla on the server itself, and received the following error:

Status: Connecting to 127.0.0.1:21...
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 431-Failed to setup secure session.
Response: Win32 error: Cannot find object or property.
Response: Error details: SSL certificate was not found.
Response: 431 End
Command: AUTH SSL
Response: 431-Failed to setup secure session.
Response: Win32 error: Cannot find object or property.
Response: Error details: SSL certificate was not found.
Response: 431 End
Error: Could not connect to server

Please let me know if you have any ideas on how I should proceed with figuring this out. The following is my configuration:

- Windows 2012 R2 server, with IIS 8.5, (Windows firewall ON or OFF makes no difference)
- Cisco PIX 515e with ports 80, 443, 989, 990, 21, 22 and a passive range of 5000 to 5010 open.

botg
Site Admin
Posts: 35597
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Cannot Get FTP over TLS to Function

#2 Post by botg » 2017-07-25 19:04

It's a server-side issue. The server cannot find its own certificate.


Re: Cannot Get FTP over TLS to Function

#3 Post by PaulScott » 2017-07-25 21:06

Okay, I see. Any ideas why this is happening? Any help is most greatly appreciated. Thank you very much!


Re: Cannot Get FTP over TLS to Function

#4 Post by botg » 2017-07-25 21:40

I'm not familiar with that server software. You need to contact Microsoft for assistance.

boco
Contributor
Posts: 26956
Joined: 2006-05-01 03:28
Location: Germany

Re: Cannot Get FTP over TLS to Function

#5 Post by boco » 2017-07-25 22:17

This being a Microsoft product, there's a high chance this certificate needs to be properly imported into the Windows certificate store.


Re: Cannot Get FTP over TLS to Function

#6 Post by PaulScott » 2017-07-26 16:06

I managed to get this fixed. Using the following command-line program, I found that there were several hundred certificates defined between the ranges 0.0.0.0:44300 to 0.0.0.0:44399:

netsh http show sslcert

I then used the same command to delete ALL of the certificates at the odd port numbers, and the one at 0.0.0.0:443.

Some of the certificates had to be re-bound to their respective applications in IIS, as they had become "un-bound" due to the certificate store being full.

It turns out that there is a maximum limit to the number of certificates that can be in the store, and when it goes over that, SSL stops working.

No idea where those 100 extra certificates came from. Figured this might be a useful piece of information for users who run into the same issue.
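
An added example, not part of the original posts: a read-only PowerShell audit of the bindings that `netsh http show sslcert` lists, checking each bound certificate hash against the local machine certificate store, which is where the "SSL certificate was not found" symptom would show up. The function name `ConvertFrom-NetshSslCert` is hypothetical; the script assumes English-language netsh output and an elevated prompt.

```powershell
# Added example: audit HTTP.sys SSL bindings against the machine certificate store.
# Read-only; it lists bindings and never deletes or rebinds anything.

function ConvertFrom-NetshSslCert {
    # Turns the text output of 'netsh http show sslcert' into one object per binding.
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $current }          # emit the previous binding
            $current = [pscustomobject]@{ Binding = $Matches[2]; Hash = $null; Store = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)\s*$') {
            $current.Hash = $Matches[1].ToUpperInvariant()
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)\s*$') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { $current }                  # emit the last binding
}

$bindings = ConvertFrom-NetshSslCert -Lines (netsh http show sslcert)

$report = foreach ($b in $bindings) {
    # HTTP.sys uses the MY store when the binding names none ("(null)").
    $store = if (-not $b.Store -or $b.Store -eq '(null)') { 'My' } else { $b.Store }
    $cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
             Where-Object { $_.Thumbprint -eq $b.Hash } |
             Select-Object -First 1
    [pscustomobject]@{
        Binding       = $b.Binding
        Thumbprint    = $b.Hash
        Store         = $store
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}

$report | Sort-Object Binding | Format-Table -AutoSize

# A binding is unusable if its certificate is missing or has no private key.
$broken = @($report | Where-Object { -not ($_.InStore -and $_.HasPrivateKey) })
'{0} bindings found, {1} without a usable certificate' -f @($report).Count, $broken.Count
```

Bindings that use a central certificate store carry no certificate hash and will be reported as not in the store; review those by hand.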
