Ftps with self-signed certificate: Hostname does not match certificate

Franco Polato 96 Reputation points
2021-08-29T21:02:24.687+00:00

Hi,
Sorry I’m not very experienced with this topic.

As the title suggests, I created a self-signed certificate and set up FTP over SSL on port 21 (explicit). Then I forwarded port 21 in my router and assigned an external one. Of course I also opened the mentioned TCP port in my local firewall and enabled it for incoming connections.

I'm able to connect to it locally, with the PC I created the certificate with, but as soon as I try to use the public DNS name provided by my Fritzbox router, a message appears in FileZilla:


Hostname does not match certificate.
If I click OK it tries to connect but eventually fails. I suppose it is due to the aforementioned alert, because if I try to connect remotely without a certificate it works fine, but that is insecure.

I tried to play around with "External IP of firewall" without knowing exactly what it is, and with changing the default FTP port, which causes both the FTP and the FTPS remote connection to stop working.

I spent the entire day searching Google and didn't find anything!

Could someone tell me how it would be possible to set up FTPS with IIS and access the site remotely? I know that SSH is a valid solution, and yet I would like to do it with IIS.

Thank you.
Franco

Internet Information Services

Accepted answer
  1. Franco Polato 96 Reputation points
    2021-08-31T14:51:39.073+00:00

    Thank you for your support.
    I solved the problem by just restarting the FTP service. This did the job.
    Anyway, when it comes to FTP over TLS, at least for the explicit connection, it was necessary to enable the selected TCP range on both the Windows firewall and the router (port forwarding). I managed to restrict that range to the minimum, though. By doing so it was also possible to create new sites assigning other ports, which was impossible before enabling the aforementioned ports, as described in this article:

    cannot-access-to-ftp-server-after-change-the-ftp-default-port-in-iis-manager.html

    But I still haven't configured the external IP of the firewall and still don't understand what it really is.

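The server-side setup the accepted answer describes (a small passive port range in IIS FTP Firewall Support, the "External IP Address of Firewall", matching Windows Firewall rules, and a restart of the FTP service), as an added PowerShell example that is not part of the original thread. The external address is simply the router's public IPv4 address: IIS puts it into its PASV replies so that a remote client connects back to the router instead of to the server's private LAN address, which is why only the forwarded passive range needs to be open. The script also issues a self-signed certificate whose Subject Alternative Name contains the public DNS name, which is the name FileZilla compares against the certificate. Site name, port range, public address and DNS name are assumptions to replace with your own values; run it in an elevated PowerShell on the IIS machine.

```powershell
# Added example, not from the thread. All values below are assumptions.
$SiteName    = 'Default FTP Site'
$PublicDns   = 'myhost.example.net'   # the DDNS name you type into FileZilla
$PublicIPv4  = '203.0.113.5'          # the router's WAN address (RFC 5737 documentation range)
$PassiveLow  = 50000
$PassiveHigh = 50100                  # keep it small; the same range must be forwarded on the router

Import-Module WebAdministration

# 1. Self-signed certificate with the public DNS name in the SAN, stored in LocalMachine\My,
#    and bound to the FTP site. A certificate whose SAN/CN does not contain $PublicDns
#    is exactly what produces "Hostname does not match certificate".
$cert = New-SelfSignedCertificate -DnsName $PublicDns -CertStoreLocation 'cert:\LocalMachine\My' `
            -FriendlyName "FTPS $PublicDns" -NotAfter (Get-Date).AddYears(2)
Set-ItemProperty "IIS:\Sites\$SiteName" -Name 'ftpServer.security.ssl.serverCertStoreName' -Value 'My'
Set-ItemProperty "IIS:\Sites\$SiteName" -Name 'ftpServer.security.ssl.serverCertHash'      -Value $cert.Thumbprint
# Require TLS on both channels instead of merely allowing it (explicit FTPS, AUTH TLS on port 21).
Set-ItemProperty "IIS:\Sites\$SiteName" -Name 'ftpServer.security.ssl.controlChannelPolicy' -Value 'SslRequire'
Set-ItemProperty "IIS:\Sites\$SiteName" -Name 'ftpServer.security.ssl.dataChannelPolicy'    -Value 'SslRequire'

# 2. Server-wide passive data-channel port range (system.ftpServer/firewallSupport).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' `
    -Name 'lowDataChannelPort'  -Value $PassiveLow
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' `
    -Name 'highDataChannelPort' -Value $PassiveHigh

# 3. Per-site "External IP Address of Firewall": the address advertised in PASV replies.
Set-ItemProperty "IIS:\Sites\$SiteName" -Name 'ftpServer.firewallSupport.externalIp4Address' -Value $PublicIPv4

# 4. Windows Firewall: the control port and the passive range only. With TLS the firewall
#    cannot read the PASV reply, so its stateful FTP helper cannot open data ports on demand;
#    disable that helper and open the fixed range instead. Port 20 is not needed: it is only
#    the source port of active-mode (PORT) data connections, which passive clients never use.
netsh advfirewall set global StatefulFtp disable | Out-Null
New-NetFirewallRule -DisplayName 'FTPS control (TCP 21)' -Direction Inbound -Protocol TCP `
    -LocalPort 21 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "FTPS passive data (TCP $PassiveLow-$PassiveHigh)" -Direction Inbound `
    -Protocol TCP -LocalPort "$PassiveLow-$PassiveHigh" -Action Allow | Out-Null

# 5. Firewall-support changes are read at service start, hence the restart the accepted answer needed.
Restart-Service ftpsvc

# Show what is now configured.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort
Get-ItemProperty "IIS:\Sites\$SiteName" -Name 'ftpServer.firewallSupport.externalIp4Address'
"Bound certificate: $($cert.Subject) thumbprint $($cert.Thumbprint)"
```

On the router, forward TCP 21 and TCP 50000-50100 (or whatever range you chose) to the server's LAN address; nothing else is required for passive-mode clients. FileZilla will still warn once that the certificate is unknown, because it is self-signed, but it will no longer report a hostname mismatch, and after you accept it FileZilla remembers the thumbprint and warns again only if a different certificate appears.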

3 additional answers

Sort by: Most helpful
  1. Lex Li (Microsoft) 5,152 Reputation points Microsoft Employee
    2021-08-29T23:42:23.487+00:00

    As you don't have full control of the whole end-to-end link, such behavior is expected (a kind of man-in-the-middle attack). The certificate can come from a device (your router or another device on the wire).

    There are other ways to share files over the internet, so FTPS isn't your only option.


  2. Bruce Zhang-MSFT 3,736 Reputation points
    2021-08-30T02:52:49.17+00:00

    Hi @Franco Polato ,

    Did you set FTP Firewall Support to enable the FTP server to accept passive connections? If your server is behind an external firewall/NAT, you need to tell the FTP server its external IP address to allow passive-mode connections. I think it has little effect on the connection because you can connect to it locally, but I still suggest you set it.
    Configuring FTP Firewall Settings in IIS 7.

    More important.

    I try to use my public dns provided from my fritzbox router an message appears on filezilla.

    The issue could be caused by the router or by FileZilla. So don't use FileZilla first. Try to enter ftp://xxxx in a browser. If it can connect without the alert "host name does not match certificate", maybe something in FileZilla affects the connection. If the issue still exists, you'd better contact the router provider.

    Best regards,
    Bruce Zhang

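Both Lex Li's point (the certificate you see might be presented by something other than IIS) and Bruce Zhang's suggestion to test outside FileZilla can be checked directly. The following PowerShell script is an added example, not part of the original thread: it performs the explicit FTPS handshake (AUTH TLS, RFC 4217) by hand from the remote side, prints the certificate the server actually presents, checks whether the hostname you connect to appears in its Subject Alternative Name (or, for a certificate without a SAN, equals its CN), and optionally compares the thumbprint with the one bound in IIS. Hostname, port and expected thumbprint are placeholders; the SAN text parsing assumes the Windows formatting of the extension.

```powershell
# Added example, not from the thread. Run from a machine outside your LAN.
# Get the expected thumbprint on the server with:
#   Get-ItemProperty 'IIS:\Sites\Default FTP Site' -Name ftpServer.security.ssl.serverCertHash
param(
    [string]$HostName = 'myhost.example.net',   # assumption: your public DNS name
    [int]$Port = 21,
    [string]$ExpectedThumbprint = ''            # optional, from the server
)

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($HostName, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true

# The greeting may span several "220-" lines; the final one is "220 <text>".
do { $line = $reader.ReadLine(); Write-Host "S: $line" } while ($line -notmatch '^\d{3} ')

# Explicit FTPS: upgrade the plaintext control connection.
$writer.WriteLine('AUTH TLS')
$reply = $reader.ReadLine(); Write-Host "S: $reply"
if ($reply -notmatch '^234') { throw "Server refused AUTH TLS: $reply" }

# Accept any certificate so the handshake completes and we can inspect it.
# Diagnostic only: a real client must validate instead of returning $true.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
$ssl.AuthenticateAsClient($HostName)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate

# DNS names from the Subject Alternative Name extension (OID 2.5.29.17), Windows text format.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($san) {
    $dnsNames = [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"SAN DNS    : $($dnsNames -join ', ')"
"Thumbprint : $($cert.Thumbprint)"
"Validity   : $($cert.NotBefore) .. $($cert.NotAfter)"

# Hostname check as TLS clients do it: the name you typed must be in the SAN, falling back
# to the CN only when there is no SAN. A wildcard matches exactly one DNS label.
$candidates = if ($dnsNames.Count -gt 0) { $dnsNames } else { @($cn) }
$nameMatch = $false
foreach ($n in $candidates) {
    $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
    if ($HostName -match $pattern) { $nameMatch = $true }
}
"Hostname '$HostName' matches certificate: $nameMatch"

# Same certificate as the one bound in IIS? If not, something between you and IIS terminates TLS.
if ($ExpectedThumbprint) {
    $same = $cert.Thumbprint -ieq ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '')
    "Presented certificate is the one bound in IIS: $same"
    if (-not $same) { Write-Warning 'A different certificate is presented remotely; check what is in the path.' }
}

# Close politely over the encrypted channel.
$sslWriter = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII)
$sslWriter.NewLine = "`r`n"; $sslWriter.AutoFlush = $true
$sslWriter.WriteLine('QUIT')
$ssl.Dispose(); $client.Close()
```

If the thumbprint matches IIS but the hostname check prints False, the certificate itself is the problem (its SAN does not contain the DDNS name) and reissuing it fixes the FileZilla warning; if the thumbprint differs, the warning is telling you about a real interception or a misdirected port forward, not about your certificate.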

  3. Franco Polato 96 Reputation points
    2021-08-30T14:49:41.24+00:00

    Thank you for your replies.

    I have narrowed down the problem. It's a matter of opening TCP ports. The fact that the alert says the hostname does not match the certificate doesn't actually prevent the connection from being established.

    To do it I need to open the whole range of TCP ports both on the Windows firewall and on my router.

    So I need to figure out the exact port range to open in my NAT and firewall. Do you know which ports they are?

    So far I have forwarded ports 20 and 21 and the range 50000-55000 in my router and allowed them in the Windows firewall inbound rules (needed for the explicit connection).
    Moreover, I specified the same range in the firewall support settings of the server in IIS.

    Clearly it’s not enough.

    I don't have an external firewall or NAT, just my router and the PC.

    Thank you again, I hope you can help me.