FTP_TLS invalid cert message

optisun
500 Command not understood
Posts: 5
Joined: 2023-12-31 09:35
First name: Jean-Marc
Last name: FUSELLA

FTP_TLS invalid cert message

#1 Post by optisun » 2023-12-31 13:56

Hello and Happy New Year 2024

I'm writing this post because I need help (I'm a beginner on the subject).

I'm working on a Raspberry Pi Pico WH, and I wrote a program in MicroPython RP2 to control a system.
This Raspberry is installed on this system outside my home and communicates via Wi-Fi.
What I would like to do is be able to update my program on my Raspberry by OTA.
For this I installed an FTP server on a Windows PC, using FileZilla Server 1.8.0.
I would like to use FTP over TLS, and I have therefore created a certificate which, unless I am mistaken, is stored in users/toto/appdata/roaming/filezilla/trustedcerts.xml
I can connect to my FTP server via FileZilla Client from another PC, so I'm sure the port management on my router is OK.
My MicroPython program is:
```
import network
import gc
import time
import usocket
import ussl as ssl
from ftplibtls import FTP_TLS

# cert_file_path, server_address, port, OST_user and OST_password are assumed
# to be defined earlier in the full program (the post shows only an excerpt).

# Read the certificate file into memory.
with open(cert_file_path, 'rb') as f:
    cacert = f.read()

ftp_conn = FTP_TLS(keyfile=None, certfile=cert_file_path, cert_reqs=ssl.CERT_REQUIRED, ca_certs=cacert, server_hostname=server_address)

print("Connecting to the FTP server...")
try:
    ftp_conn.connect(server_address, port)
except Exception as e:
    print("Error connecting to FTP server:", str(e))

# login() performs the AUTH TLS exchange; this is where the traceback below originates.
try:
    print("Connection established. Attempting authentication...")
    ftp_conn.login(user=OST_user, passwd=OST_password)
except Exception as e:
    raise e

# Switch the data channel to TLS as well.
try:
    ftp_conn.prot_p()
except Exception as e:
    raise e

ftp_conn.cwd("/")
```

The result is:

```
Traceback (most recent call last):
  File "<stdin>", line 168, in <module>
  File "<stdin>", line 166, in <module>
  File "ftplibtls.py", line 78, in login
  File "ftplibtls.py", line 101, in auth
  File "ftplibtls.py", line 99, in auth
ValueError: invalid cert
```

On the FTP server, I have:

```
<12/30/2023 6:20:54 PM> FTP Session 32 192.168.0.254 [Response] 220-FileZilla Server 1.8.0
<12/30/2023 6:20:54 PM> FTP Session 32 192.168.0.254 [Response] 220-Please visit https://filezilla-project.org/
<30/12/2023 18:20:54> FTP Session 32 192.168.0.254 [Response] 220 Welcome to OST-FTP
<12/30/2023 6:20:54 PM> FTP Session 32 192.168.0.254 [Command] AUTH TLS
<12/30/2023 6:20:54 PM> FTP Session 32 192.168.0.254 [Response] 234 Using authentication type TLS.
```

then nothing

Can anyone give me some info?

Thanks in advance

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FTP_TLS invalid cert message

#2 Post by botg » 2024-01-02 08:53

Would be nice to know why your client thinks the cert is invalid.

Does it not like self-signed certificates? Does it not like the signature algorithm? Anything else maybe?


Re: FTP_TLS invalid cert message

#3 Post by optisun » 2024-01-02 08:58

That's exactly what I don't know.
On the server, I configured a self-signed certificate.
Then I generated an xml file containing the certificate (unless I'm mistaken).

1) Is it possible to generate a pem file?
2) Do I have to copy a cert file to my Raspberry?

On the micropython forum, someone told me I have to convert the certificate to DER format.
How could I do that?

Thx


Re: FTP_TLS invalid cert message

#4 Post by botg » 2024-01-02 09:05

optisun wrote: 2024-01-02 08:58

> Then I generated an xml file containing the certificate (unless I'm mistaken)
>
> 1) Is it possible to generate a pem file?
> 2) Do I have to copy a cert file to my Raspberry?

That's unusual, you shouldn't need to manually copy the certificate file, it is after all transmitted over the wire when you start the handshake with the server. Validation of self-signed certificates is typically done with fingerprints.

> On the micropython forum, someone told me I have to convert the certificate to DER format.
> How could I do that?

If you have the PEM, remove the header/footer and pass the rest through a base64 decoder.


Re: FTP_TLS invalid cert message

#5 Post by optisun » 2024-01-02 09:29

OK, but how do I generate a PEM file in the latest version of FileZilla Server (1.8.0)?


Re: FTP_TLS invalid cert message

#6 Post by botg » 2024-01-02 09:36

In the admin UI, select Server -> Export configuration... in the main menu, export the server listeners and protocols. In the created file, look for the certs element inside the ftp_options element, it contains the cert in PEM.
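The two steps described in posts #4 and #6 (find the PEM in the exported configuration, then strip the header/footer and base64-decode it to DER), as an added example that is not part of the original thread or of FileZilla. It runs under CPython on the PC holding the export; only the `ftp_options` and `certs` element names come from the thread, while the `<export>` wrapper and the sample bytes are constructed.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Only CERTIFICATE blocks are matched; private-key blocks are skipped on
# purpose, because the client needs the public certificate and nothing else.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Return the DER bytes of every CERTIFICATE block found in text."""
    ders = []
    for body in PEM_CERT.findall(text):
        b64 = "".join(body.split())      # drop line breaks and indentation
        try:
            ders.append(base64.b64decode(b64, validate=True))
        except binascii.Error as exc:
            raise ValueError("corrupt PEM body: %s" % exc)
    return ders

def certs_from_export(xml_text):
    """Collect DER certs from every <certs> element inside <ftp_options>."""
    ders = []
    for opts in ET.fromstring(xml_text).iter("ftp_options"):
        for certs in opts.iter("certs"):
            ders.extend(pem_to_der("".join(certs.itertext())))
    return ders

# Constructed sample: placeholder bytes stand in for a real DER certificate,
# and the <export> wrapper is a hypothetical layout for the exported file.
SAMPLE_DER = bytes(range(40, 130))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_XML = ("<export><ftp_options><certs>\n" + SAMPLE_PEM
              + "</certs></ftp_options></export>")

if __name__ == "__main__":
    for n, der in enumerate(certs_from_export(SAMPLE_XML)):
        with open("server_cert_%d.der" % n, "wb") as out:
            out.write(der)               # DER file to copy to the device
```
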


Re: FTP_TLS invalid cert message

#7 Post by optisun » 2024-01-02 10:05

Thx
I have to try now :)

Just to be sure:
What I want to do is:
1) I have a Raspberry Pi Pico with my program installed
2) I want to update my program by OTA (a procedure inside connects to the FTP server, checks if there's an update and downloads it if necessary)

So, I want to be sure my program is talking with MY server and not a server installed by a hacker.
Is the way I'm using the right one?


Re: FTP_TLS invalid cert message

#8 Post by botg » 2024-01-04 08:20

To ensure the server's authenticity, the client needs to verify the certificate during the handshake. You either do it with the certificate fingerprint (which can be done easily by humans even), or by providing the exact certificate to the client as reference. Internally, I don't think the TLS implementations compare the full certs though, it's likely just comparing the certificate fingerprints or the pubkeys.
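The fingerprint check described above, as an added example that is not part of the original thread: the client hashes the DER certificate the server presents and compares it with a pinned SHA-256 fingerprint before any credentials are sent. It uses CPython's `ftplib` and `ssl` (MicroPython's TLS API differs); the function names and the sample byte strings are constructed for illustration.

```python
import ftplib
import hashlib
import hmac
import ssl

def normalize_fingerprint(fp):
    """Accept 'AA:BB:...' or plain hex; return the raw 32-byte SHA-256 value."""
    raw = bytes.fromhex(fp.replace(":", "").replace(" ", ""))
    if len(raw) != 32:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return raw

def cert_matches_pin(presented_der, pinned_fp):
    """True only if SHA-256 of the presented DER certificate equals the pin."""
    digest = hashlib.sha256(presented_der).digest()
    return hmac.compare_digest(digest, normalize_fingerprint(pinned_fp))

def pinned_ftps_login(host, port, pinned_fp, user, passwd):
    """Explicit FTP over TLS; credentials are sent only after the pin matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # self-signed: no CA chain to validate,
    ctx.verify_mode = ssl.CERT_NONE   # so trust rests on the pin check below
    ftp = ftplib.FTP_TLS(context=ctx, timeout=15)
    ftp.connect(host, port)
    ftp.auth()                        # AUTH TLS + handshake, nothing else sent yet
    presented = ftp.sock.getpeercert(binary_form=True)
    if not presented or not cert_matches_pin(presented, pinned_fp):
        ftp.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    ftp.login(user, passwd)
    ftp.prot_p()                      # protect the data channel as well
    return ftp

# Constructed stand-ins for DER certificates (not real certificates).
GOOD_DER = b"constructed-server-cert"
OTHER_DER = b"constructed-impostor-cert"
GOOD_PIN = ":".join("%02X" % b for b in hashlib.sha256(GOOD_DER).digest())
```

The data connections opened after `prot_p()` reuse the same non-verifying context, so a complete client repeats the pin check on them.
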


Re: FTP_TLS invalid cert message

#9 Post by optisun » 2024-01-05 11:07

Hurrah
I can connect to my server with TLS.
But when I want to list the files in my remote folder
I have the message: 150 Starting data transfer
And after that: MBEDTLS_ERR_SSL_INVALID_RECORD

Any idea?

Thx


Re: FTP_TLS invalid cert message

#10 Post by botg » 2024-01-05 13:11

No idea. Try running your client in a debugger and step through the used TLS library to figure out exactly what it complains about.
