Lets Encypt Broken ?

[carseatcover]

Hello

Unable to setup Lets Encrypt on FileZilla Server 1.7.2

Environment: Windows Server 2019 Std Edition, fully patched, IIS internal web server

Web server can be reached externally on port 80 and 443

Followed procedures as per docs.

Falls over when trying to create account with error: HTTP Internal error: ECONNABORTED - Connection aborted. Could not connect to host acme-staging-v02.api.letsencrypt.org:443

On the same system can browse without problem to URL https://acme-staging-v02.api.letsencrypt.org

See attached screenshots

Any ideas welcome

Thank you.

[oibaf]

Cannot reproduce.

Are you sure there's nothing blocking outgoing connections from the server's service like, say, a firewall? What do the complete server's log say?

[carseatcover]

Does this not confirm the server can reach Lets Encrypt ?

On the same system can browse without problem to URL https://acme-staging-v02.api.letsencrypt.org

See screenshot above

There are no outgoing ports blocked

Just tried again, same failure , nothing in server logs

[carseatcover]

OK just tried this on a completely different brand new Windows 2019 server

And new install of Filezilla server, 1.72

On a completely different network

Exact same failure.

Has anyone actually got this working on Windows 2019 and Filezilla server 1.72 ?

[carseatcover]

Filezilla server logs :

2023-07-11T16:19:25.436Z == [FTP Server] Listening on [::]:21.
2023-07-11T16:19:25.436Z == [Administration Server] Listening on 127.0.0.1:14148.
2023-07-11T16:19:25.436Z == [Administration Server] Listening on [::1]:14148.
2023-07-11T16:19:28.577Z == [Administration Server] Administration client with ID 1 connected from 127.0.0.1:63441
2023-07-11T16:20:09.946Z !! [ACME] Error: HTTP Internal error: ECONNABORTED - Connection aborted. Could not connect to host acme-staging-v02.api.letsencrypt.org:443.
2023-07-11T16:20:09.946Z !! [Administration Server] Error processing get_acme_terms_of_service: HTTP Internal error: ECONNABORTED - Connection aborted. Could not connect to host acme-staging-v02.api.letsencrypt.org:443.

[carseatcover]

OK just tested on Windows 10, same network, work fine.

So the issue is that it seems not working on Windows 2019

[carseatcover]

Cannot reproduce.

Are you sure there's nothing blocking outgoing connections from the server's service like, say, a firewall? What do the complete server's log say?

Did you try to reproduce on Windows Server 2019 ?

[carseatcover]

Just to be clear, we are using Filezilla server 1.7.2

[carseatcover]

Ok turned on DEBUG logging and got this:

WINDOWS 2019
===============
2023-07-11T17:04:00.335Z DI [ACME] Getting terms of service...
2023-07-11T17:04:00.335Z DD [ACME/HTTP Client] Connecting to acme-v02.api.letsencrypt.org:443
2023-07-11T17:04:00.597Z DD [ACME/HTTP Client] Certificate is trusted: no
2023-07-11T17:04:00.597Z DW [ACME/HTTP Client] ECONNABORTED - Connection aborted. Could not connect to host acme-v02.api.letsencrypt.org:443.

WINDOWS 10
============
2023-07-11T17:09:01.172Z DI [ACME] Getting terms of service...
2023-07-11T17:09:01.172Z DD [ACME/HTTP Client] Connecting to acme-staging-v02.api.letsencrypt.org:443
2023-07-11T17:09:01.475Z DD [ACME/HTTP Client] Certificate is trusted: yes
2023-07-11T17:09:01.475Z DD [ACME/HTTP Client] ***BEGIN REQUEST***
2023-07-11T17:09:01.475Z DD [ACME/HTTP Client] GET /directory HTTP/1.1

[carseatcover]

So it seems the SSL R5 certificate at host acme-v02.api.letsencrypt.org is TRUSTED by Filezilla Server 1.7.2 on Windows 10

But is NOT trusted by Filezilla Server 1.7.2 on Windows 2019

NOTE: when using Edge browser on the same Windows 2019 server, the certificate at host acme-v02.api.letsencrypt.org is TRUSTED

Weird to say the least...........

[oibaf]

Since some time Edge doesn't use the operating system trust store, but ships its own: https://learn.microsoft.com/en-us/deplo ... rification

Your OS trust store, which FileZilla Server uses, must be updated, since it doesn't recognize the current Let's Encrypt server's certificate. Do you have any updates pending, according to Windows Update?

[carseatcover]

@oibaf , that was a great tip !

Thanks very much.

Didn't know that about Edge, checked the Windows Certificate Store and sure enough the Trusted Root Certification Authorities store contained very few certificates.

AFAWK Windows should pull additional certs to this store on demand, but this did not happen with Filezilla.

After manually installing the ISRG Root certs , the account creation process went smoothly.

Then we successfully installed a new LetsEncrypt cert.

However when we try and connect to the server using Filezilla client ( v.3.65 ) it says the certificate is unknown and ask to confirm ( see screenshot )

The whole idea was to avoid that confirmation dialogue box, we thought that only happed with a self signed cert ?

[oibaf]

In the FileZilla Client's menu: Edit -> Settings -> Connection -> Use system trust store

[botg]

By default the client doesn't use the system trust store, but instead uses user-guided TOFU. You can enable use of the system trust store in the settings dialog.

[carseatcover]

In the FileZilla Client's menu: Edit -> Settings -> Connection -> Use system trust store

@oibaf PERFECT !!

All working very well

Thank you to everyone for the help and support, highly appreciated

Perhaps the post title needs changed to "LetsEncrypt Working Perectly........."