Using lftp with IIS 7.x FTPs

I have an IIS 7.x FTPs server set up on port 990 with a Certificate signed by a major certificate provider (i.e. not self-signed).
It works fine with Filezilla but when I try with lftp this is what happens:

set ftp:ssl-force true
connect "IP ADDRESS"
login "username"
Password: "Password"
ls: "login Failed: ftp:ssl-force is set and server does not support or allow ssl"

Above is a slightly condensed version but there is clearly a problem.
On the FTP server all I see is an anonymous connection, which is not allowed.

If I can't get lftp to work (should be able to!), then can someone recommend another ftps client for unix/linux?

If you are able to access your FTP server using filezilla over an SSL connection, but can not with lftp, I would suggest the issue is with lftp and not with the server.
You have your FTP setup on port 990 but in your connect directive, it is not made clear that you are connecting to the special port, so the connection might be attempted to port 21 or another port.

Check the FTP logs on the IIS side to see whether it sees your connection attempt and reports errors.

Open two terminal windows on the client side, and use tcpdump to capture packets to make sure you are seeing outgoing/returning traffic going and coming from port 990.

Try using the -p 990 -u username when starting the process.
ajmcqueenAuthor Commented:
Thanks. That was my thought about lftp so what I did was build a new copy of the latest Ubuntu linux 14.04 and tried to connect in from a remote location using lftp.
To cut a long story short, this script eventually gave me what I wanted:

set ftp:ssl-force true
set ftp:ssl-protect-data true
debug 4
open -u 'username','password' ftps://'url of ftp site'
mget *.txt

I saved the file and then executed it:   lftp -f 'filename'

The 'url of ftp site' is the same as the Certificate of course.
However, I have a 3rd party trying to connect in who cannot get past the 'ls' command, using the same script on a unix box. He also seems to get debug messages suggesting the Certificate is not recognised/trusted. Their firewall chap said that they only needed to enable outbound port 990 to our site, not any data ports. I don't know if that is true or if something else is causing their data connection to hang. When I look at active connections in IIS, all I see is anonymous connection from the 3rd party. Anonymous connections are blocked.
One, it is difficult to see what the error is.
One thing to check is whether the certificate you loaded includes the certificate chain, i.e. you have the server certificate and need to include the chain of certificates from the CA who signed it. This deals with apps that do not have the CA certificate on their own as trusted, i.e. the CA signer of your certificate is not known to lftp. Not sure whether lftp has an option to ignore the validity of the certificate.

ajmcqueenAuthor Commented:
OK. I would be surprised if that was the case but it's definitely worth checking. Thanks!
lftp has an option ssl:ca-path either pointing to a file with trusted CA certificates or a directory with individual files that contain ca certificates.
Either way you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue.

openssl s_client -connect is a tool that can be used to see what certificate/s are transmitted for the ssl connection.
ajmcqueenAuthor Commented:

Just to be clear....
we definitely have the Intermediate and Global Certs required for connection on the host FTP server. The signing authority is GeoTrust and the cert path looks good to me.
And of course I was able to connect via lftp and FileZilla from linux and Windows PCs respectively so I can't think there is a problem with the server-side SSL setup. Another 3rd party is also able to connect without problems.

However, this 3rd party is trying to connect via a Unix box that may be older and less-frequently maintained with respect to certs. Do you think it is possible they are missing the required cert(s) or have an expired one? Would they need both or just the Global Cert and could I send them ours by exporting from the Windows Computer Cert store? I think that is what you are referring to here: "you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue".
You could send them only the public certificate via export (do not include the private key, just to be clear).

There is a way that IIS can be configured to transmit not only your certificate but also the chain (GeoTrust Global and the GeoTrust signing certificate); this often deals with applications/systems that might not have all the root certificates. Double check your CA certificate store to make sure you do not also have expired certificates. Different vendors include tools to test the certificate.

It is very likely that this particular third party does not have or has an outdated/expired certificate of the signing certificate authority

You can provide them the public CA certificates from GeoTrust that signs your certificate.

Alternatively, you could direct the third party to download and add all the GeoTrust root CAs into their trusted certificate file/directory and see if that resolves the issue.

ajmcqueenAuthor Commented:
The certificates were only installed a year ago. If I follow the chain up from the IIS cert I find that the root cert is valid until 2022 and the intermediate until 2020. The actual cert has an expiry of Feb 2015.
The config for IIS to present the full chain of certs to clients would be useful. I'll have a look at that. In the meantime I'll send them the link to Geotrust to get their own certs.

Thanks! Will let you know how it goes.
ajmcqueenAuthor Commented:
It turns out the 3rd party trying to connect to our server had not set up rules in their firewall to access our server!
ajmcqueenAuthor Commented:
Whilst the 3rd party was at fault, all the comments from Arnold were good so I would like to award him the points