"You must enter at least 2nd level domain names."

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

"You must enter at least 2nd level domain names."

#1 Post by boco » 2021-11-24 09:51

Why is that restriction for Hostnames that strict? With dynamic DNS, you will basically NEVER get a 2nd level domain name, but a subdomain URL, at best, like user.example.net. Plus, you also can't enter IPs directly.

With an externally generated certificate, all that is working beautifully.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: "You must enter at least 2nd level domain names."

#2 Post by oibaf » 2021-11-24 10:14

At least means >= 2nd level. foo.baz.bar is a 3rd level domain name, hence >= 2nd level.

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: "You must enter at least 2nd level domain names."

#3 Post by botg » 2021-11-24 10:20

user.example.net is a 3rd-level domain name, which is at least a 2nd level domain name. First level domains are not supported as every domain name that is resolvable to an IP address is at least a 2nd level domain name.

IP addresses are not supported as TLS libraries don't typically use IP addresses in trust evaluation and also since SNI works based on hostnames.

Last but not least, Let's Encrypt has the same restrictions.
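The rule described in the post above (a certificate hostname needs at least two labels and must not be an IP address), as an added example that is not FileZilla Server's own code. The function names, verdict strings and sample inputs are constructed for illustration, and the label-syntax and numeric-TLD checks are assumptions that go beyond what the thread states.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_hostname(name: str) -> str:
    """Return 'ok', or the reason the name is rejected as a certificate hostname."""
    candidate = name.strip().rstrip(".")  # tolerate a fully-qualified trailing dot
    if not candidate:
        return "empty"
    # IP literals (including bracketed IPv6) are not domain names at all.
    try:
        ipaddress.ip_address(candidate.strip("[]"))
        return "ip-address"
    except ValueError:
        pass
    if len(candidate) > 253:
        return "too-long"
    labels = candidate.split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        return "bad-label"
    if len(labels) < 2:
        return "first-level-only"  # e.g. "localhost" or a bare TLD
    if labels[-1].isdigit():
        return "numeric-tld"  # catches partial dotted quads such as "192.168.1"
    return "ok"


def filter_hostnames(names):
    """Split names into (accepted list, {rejected name: reason})."""
    accepted, rejected = [], {}
    for name in names:
        verdict = classify_hostname(name)
        if verdict == "ok":
            accepted.append(name)
        else:
            rejected[name] = verdict
    return accepted, rejected


# Constructed sample input: two names from the thread plus typical local entries.
SAMPLE = ["user.example.net", "foo.baz.bar", "localhost",
          "192.168.1.10", "[::1]", "192.168.1", "-bad.example.net"]

if __name__ == "__main__":
    ok, bad = filter_hostnames(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```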

Re: "You must enter at least 2nd level domain names."

#4 Post by boco » 2021-11-24 14:42

The error is a red herring, as I entered IPs in addition to my 3rd level domains.

With my external certificate, I can always enter IPs as SANs, and they are recognized fine by FileZilla when I call the server using a (local) IP address (no red mismatch text in FileZilla). Locally, Hostnames do not always work for me.

> IP addresses are not supported as TLS libraries don't typically use IP addresses in trust evaluation

Wouldn't that sentence mean that they are not prohibited and can be allowed?

> and also since SNI works based on hostnames.

I don't give a fuck about that, locally.

Re: "You must enter at least 2nd level domain names."

#5 Post by botg » 2021-11-24 17:08

Well, an IP address definitely isn't at least a second-level domain.

> With my external certificate, I can always enter IPs as SANs, and they are recognized fine by FileZilla when I call the server using a (local) IP address

That is because there is no hostname to compare against to begin with. You can enter arbitrary IP addresses in your SANs, they are not evaluated at all. They are displayed in the client purely for display purposes.

Re: "You must enter at least 2nd level domain names."

#6 Post by boco » 2021-11-25 11:17

Looks like it. Browsers seem to recognize IP sometimes, though.

Took them out of the SANs. No need for them to be in, if FileZilla will accept the cert on IPs without complaining.