Admin TLS Certificate Expired

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Admin TLS Certificate Expired

#1 Post by CrimpOn » 2022-11-22 00:05

FileZilla server stopped last night. Downloaded and installed x64 nightly build, 2022-11-21.
Noticed that at least one FTP client no longer had the correct password.
Also noticed that apparently the Administration TLS Certificate has Expired:
[Attachment: expired.JPG]

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: Admin TLS Certificate Expired

#2 Post by oibaf » 2022-11-22 05:27

If the certificate is expired, you must generate/provide a new one.


Re: Admin TLS Certificate Expired

#3 Post by CrimpOn » 2022-11-22 07:50

Oh, dear me. Have installed FileZilla Server several times, and have no memory of creating a TLS certificate.
Had hoped that installing the "nightly build" would avoid the question, "have you installed the latest version?"
Thought I was being helpful.
Perhaps installing 1.5.1 will result in an acceptable TLS certificate?


Re: Admin TLS Certificate Expired

#4 Post by oibaf » 2022-11-22 10:03

The certificate is created and self-signed the first time the server is installed. If that's good enough for you, you don't have to do anything until it expires. Then, you must either create a new self-signed one or provide your own.

You can do that in the configuration window itself, under Administration/Connection Security.

Installing a new version of FileZilla Server will not help, as long as the old certificate is still referenced by the configuration.


Re: Admin TLS Certificate Expired

#5 Post by CrimpOn » 2022-11-22 17:22

Thanks. Have done so. What a coincidence that I would install a nightly build for the first time on the exact day that the SSL certificate expired.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: Admin TLS Certificate Expired

#6 Post by boco » 2022-11-22 18:44

Validity is 365 days. Out of interest, I checked my server, too, upon reading this topic, and, lo and behold, I had only four days left.

@botg @oibaf: Could you announce the nearing expiration of either certificate a bit earlier in the GUI? Like 14 days or so...
Additionally, it might even be possible to automagically present the appropriate dialog for renewing the certificate when you open the GUI with an expired one (exception: when using Let's Encrypt).
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###


Re: Admin TLS Certificate Expired

#7 Post by CrimpOn » 2022-11-22 20:16

(Display even more ignorance....)

Is there something magic (or required) about a one year (365 day) expiration? Why not make it 20 years?


Re: Admin TLS Certificate Expired

#8 Post by boco » 2022-11-23 00:09

"Why not make it 20 years?"
Because that would be bad practice.

A one year validity is certainly a compromise between security, control and effort with renewing. Take a very short validity period, and you have maximum security and control over the certificate, but the constant renewing would become a nuisance, quickly. Let's Encrypt's certificates have a validity of 90 days but are mostly renewed automatically by scripts or tools (this very website is no exception).
It may be very convenient to use a certificate with a very long or even infinite validity period, as you would not need to renew it for a long time, or never. But such a certificate is very bad, especially if it leaks to the public. Then, it becomes a big problem, as anyone could just pretend to be you. Sure, there are revocation mechanisms, but they could be deliberately ignored. For this reason, such a cert would haunt you virtually forever.

Back to FileZilla Server's one year validity. Sure, it's self-signed, but nevertheless a certificate which authenticates the server (admin cert) or you (server cert). Should the server cert leak, it cannot be abused after the validity ends; only the validity end date renders a certificate truly useless. And the admin cert? Well, you are supposed to change your passwords regularly; the same is true for the certificates. It only takes a few seconds.

Note, you can always create a certificate with a longer validity outside of FileZilla Server; it will be honored if imported. I'm using OpenSSL for generating an elliptic curve certificate to match FileZilla Server's, but with a validity of two years. Not that hard.


Re: Admin TLS Certificate Expired

#9 Post by CrimpOn » 2022-11-23 06:54

Great explanation. Thanks.

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Admin TLS Certificate Expired

#10 Post by botg » 2022-11-23 09:27

"Should the server cert leak"
I cannot let this stand uncorrected: The certificate is public information; it gets sent to the peer during every handshake. Each certificate, alongside other information, contains a public key. All this data is then included in a signature which can be verified with the signer's public key. In case of a self-signed certificate, the public key asserted by the certificate and the signer's public key are the same.

The secrets that must not be leaked are the private key the certificate asserts and, in the general case, each signer's private key.
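
Added example, not part of any post and not FileZilla's own code: a shell sketch of the OpenSSL route mentioned in post #8 (a self-signed elliptic curve certificate with a two-year validity), the 14-day expiry warning asked for in post #6, and the self-signed property described in post #10. The P-256 curve, the file names and the CN value are assumptions.

```shell
#!/bin/sh
# Added example, not FileZilla code. Assumed: P-256 curve, file names, the CN,
# and the 14-day warning window suggested in the thread.

# Create an EC private key and a self-signed certificate valid for DAYS days.
make_selfsigned() {   # usage: make_selfsigned KEY CERT DAYS
    # The key is the secret, so create it owner-readable only.
    ( umask 077
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
          -out "$1" ) || return 1
    openssl req -new -x509 -key "$1" -sha256 -days "$3" \
        -subj "/CN=filezilla-admin.example" -out "$2"
}

# Exit 0 if CERT is still valid DAYS days from now, 1 if it expires sooner.
valid_for_days() {    # usage: valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Self-signed: the signature verifies with the public key the cert itself carries.
is_selfsigned() {     # usage: is_selfsigned CERT
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Exit 0 if the public key derived from KEY equals the one published in CERT.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demo on throwaway files: a two-year cert, and a 10-day cert that trips the warning.
tmp=$(mktemp -d)
make_selfsigned "$tmp/admin.key" "$tmp/admin.crt" 730
make_selfsigned "$tmp/short.key" "$tmp/short.crt" 10
for c in admin short; do
    openssl x509 -in "$tmp/$c.crt" -noout -subject -enddate
    if valid_for_days "$tmp/$c.crt" 14; then echo "$c.crt: more than 14 days left"
    else echo "$c.crt: expires within 14 days, renew now"; fi
done
is_selfsigned "$tmp/admin.crt" && echo "admin.crt verifies against its own public key"
key_matches_cert "$tmp/admin.key" "$tmp/admin.crt" && echo "admin.key matches admin.crt"
rm -rf "$tmp"
```

Run from a scheduled task, `valid_for_days` against the certificate file the server configuration references gives the early warning; only the `.key` file needs protecting, the `.crt` is sent in every handshake.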


Re: Admin TLS Certificate Expired

#11 Post by boco » 2022-11-23 12:49

Yes, I meant the complete certificate information leaking (including the private part, the public one is public knowledge), as has happened in the past with various certs from various registrars.
