530 Valid hostname is expected

Looking for help with this response from ftptest.net
Reply: 530 Valid hostname is expected.
Error: Login refused by server

I think the problem is that I am connecting to my ftp site, and this certificate is for my website. Do I need another for my Ftp site? Both are on my Windows 10 IIS, share the same IP address. Following are the details …

Status: Resolving address of mickftpsite.com
Status: Connecting to 99.242.126.196
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message…
Reply: 220 Microsoft FTP Service
Command: CLNT https://ftptest.net on behalf of 2607:fea8:2e1d:ba00:11db:c25c:8d91:579f
Reply: 500 Command not understood.
Command: AUTH TLS
Reply: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Performing TLS handshake…
Status: TLS handshake successful, verifying certificate…
Status: Received 2 certificates from server.
Status: cert[0]: subject=‘CN=mickwebsite.com’ issuer=‘C=US,O=Let\27s Encrypt,CN=R3’
Status: cert[1]: subject=‘C=US,O=Let\27s Encrypt,CN=R3’ issuer=‘C=US,O=Internet Security Research Group,CN=ISRG Root X1’
Command: USER mickftpsite.com|Mick
Reply: 530 Valid hostname is expected.
Error: Login refused by server

Hi Mick, you can re-use one certificate for multiple services but the hostnames have to match. So if your ftp site is also called “mickwebsite.com” it should work, but if it was “ftp.mickwebsite.com” then you’d need to add that name onto the certificate and request the cert again.

Hi Christopher,

It looks like this is the path through the maze in the Certify app…

  1. Double-click mickwebsite.com
  2. Select Certificate right hand side
  3. Select Site (optional): I select Website which is what I am adding the Ftp site onto
  4. Add domains to certificate: I add ftp.mickwebsite.com
  5. Domains and subdomains to include… Not sure what to do here. Do I keep the checkmark under INCLUDE? I am guessing I do not need a Filter [since I do not know what it is]?

Thank you,
Mick

I tried what I have posted above and no go…
I see from CTW_log.txt that it did not pick up ftp.mickwebsite.com
EDIT: I tried again, put both domains into the text area, but it gave me a warning about trying again too soon, so I abandoned. Will wait for more instruction :slight_smile:

EDIT#2 Can I add *.mickwebsite.com? It seems like it does not consider the ftp prefix as being a different domain?

CTW_log.txt
2022-12-30 23:26:25.046 -05:00 [INF] ---- Beginning Request [mickwebsite.com] ----
2022-12-30 23:26:25.057 -05:00 [INF] Certify/5.6.8.0 (Windows; Microsoft Windows NT 10.0.19044.0)
2022-12-30 23:26:25.356 -05:00 [INF] Beginning Certificate Request Process: mickwebsite.com using ACME Provider:Certes
2022-12-30 23:26:25.356 -05:00 [INF] Requested identifiers to include on certificate: mickwebsite.com
2022-12-30 23:26:25.356 -05:00 [INF] Beginning certificate order for requested domains
2022-12-30 23:26:26.224 -05:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2022-12-30 23:26:27.180 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/673201047/155972138547
2022-12-30 23:26:27.359 -05:00 [INF] Fetching Authorizations.
2022-12-30 23:26:27.944 -05:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/186463356427/qG14eg
2022-12-30 23:26:28.137 -05:00 [INF] Order authorizations already completed.
2022-12-30 23:26:28.197 -05:00 [INF] Requesting Certificate via Certificate Authority
2022-12-30 23:26:30.690 -05:00 [INF] Completed Certificate Request.
2022-12-30 23:26:31.002 -05:00 [INF] Performing Automated Certificate Binding
2022-12-30 23:26:32.353 -05:00 [INF] Completed certificate request and automated bindings update (IIS)
2022-12-30 23:26:34.297 -05:00 [INF] Request completed
2022-12-30 23:26:34.299 -05:00 [INF] Request completed
2022-12-30 23:27:42.895 -05:00 [INF] All Tests Completed OK
2022-12-30 23:31:31.132 -05:00 [INF] All Tests Completed OK

From Ftp Connection…
Status: Resolving address of ftp.mickwebsite.com
Status: Connecting to 99.242.126.196

Status: TLS handshake successful, verifying certificate…
Status: Received 2 certificates from server.
Status: cert[0]: subject=CN=mickwebsite.com issuer=‘C=US,O=Let\27s Encrypt,CN=R3’
Status: cert[1]: subject=‘C=US,O=Let\27s Encrypt,CN=R3’ issuer=‘C=US,O=Internet Security Research Group,CN=ISRG Root X1’
Command: USER Mick
Reply: 530 Valid hostname is expected.
Error: Login refused by server

Mick

If you’re finding it too complex I do sympathise, but we have to balance between people who have one website with one domain and those with thousands of websites sometimes with hundreds of domains, so you are seeing options you don’t need.

Running your own webserver and ftp sites etc is hard enough, and managing TLS certs for those is a further complication, this is why organisations require trained specialists to manage these things - nobody just knows it all without a lot research and this stuff is not simple or easy. Someone could spend their entire career working in IT and never know the first thing about any of this.

Regarding “Domains and subdomains to include” this list is all of the domains IIS says you have hostname bindings for, or it can be domains you enter manually. Yes mickwebsite.com and ftp.website.com are two different domains/identifiers for the purpose of a certificate. “including” them means include it as a name on the certificate, Primary means make it the first name, this is sometimes important, but generally not. Filter means visually filter the list to just a specific keyword so you can select/deselect them - it makes more sense when you are looking at a list of 500 domains on one website.

You can use *.mickwebsite.com if you want a wildcard, you need to be using DNS validation (the default is http validation). If you are not currently using DNS validation then I wouldn’t attempt to use a wildcard unless you really need one, they have their own rules/limitations.

For the log that you show above, you are getting a certificate for just “mickwebsite.com”, so I’d suggest adding “ftp.mickwebsite.com” under Domains and Identifiers, then requesting your certificate again (after checking your FTP binding, see below) - the warning about requesting the same cert again is mainly so you avoid hitting the Let’s Encrypt rate limit, so you can proceed with the request. Note that even if this failed your existing cert would remain in place until a new cert was successfully requested.

I assume the FTP log file you show is from a different app. For Certify to automatically update your FTP binding with the certificate you would need an FTP binding with the correct host name (e.g. ftp.mickwebsite.com) already set up in IIS. When you click the “Preview” tab in Certify you should then see in the Deployment section (scroll down) that it plans to update the https binding for “mickwebsite.com” and the ftp binding for “ftp.mickwebsite.com”; if that’s not the case then you need to fix that first before requesting your cert, as the app will only update those bindings if you can see them in the Preview. Bindings are matched on the hostname matching a name from the certificate.

Hi Christopher,
Thank you very much for the detailed reply. I will need to study it carefully and decide how to proceed. I’ll post back here again, soon, when I get a few things done and get back to this one.
:slight_smile:
Mick

Hi Christopher,
While studying your reply I had a couple of insights, did some more research and found the solution. Thank you. Here are some details…

I have been getting this Test log output Error message from the Ftp client at https://ftptest.net/ while testing my Ftp site addition to my website…

Status: Resolving address of mickwebsite.com
Status: Connecting to 99.242.126.196

Command: USER Mick
Reply: 530 Valid hostname is expected.
Error: Login refused by server

1. My Comments

The error had nothing to do with my CTW setup, except that I had not wisely chosen the domain for the Ftp site. To finally resolve this issue I have set up my Windows 10 IIS with a website and an ftp site, both bound to mickwebsite.com, both using the same SSL certificate. Inside inetmgr the host name is mickwebsite.com for both the website and the ftp site.

I found this solution at this ServerFault Blog…

I needed to make two changes…
[1] Login with mickwebsite.com|Mick rather than with just my user name Mick
[2] Include a binding in inetsrv to my internal IP address 10.0.0.153 for mickwebsite.com in addition to the binding to my external IP address

2. Here is part of the Preview section, before the successful run of CTW app…

| Action | Site | Binding |
|---|---|---|
| Add ftp binding | Micks Ftp Server | *:21:mickwebsite.com |
| Update https binding | Website | *:443:mickwebsite.com SNI |

3. Here is the Log File, after successful run of CTW app…
2023-01-04 15:31:26.897 -05:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2023-01-04 15:31:51.830 -05:00 [INF] ---- Beginning Request [mickwebsite.com] ----
2023-01-04 15:31:51.844 -05:00 [INF] Certify/5.6.8.0 (Windows; Microsoft Windows NT 10.0.19044.0)
2023-01-04 15:31:52.097 -05:00 [INF] Beginning Certificate Request Process: mickwebsite.com using ACME Provider:Certes
2023-01-04 15:31:52.097 -05:00 [INF] Requested identifiers to include on certificate: mickwebsite.com
2023-01-04 15:31:52.097 -05:00 [INF] Beginning certificate order for requested domains
2023-01-04 15:31:52.914 -05:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2023-01-04 15:31:53.943 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/673201047/156899437397
2023-01-04 15:31:54.201 -05:00 [INF] Fetching Authorizations.
2023-01-04 15:31:54.847 -05:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/186463356427/qG14eg
2023-01-04 15:31:55.033 -05:00 [INF] Order authorizations already completed.
2023-01-04 15:31:55.087 -05:00 [INF] Requesting Certificate via Certificate Authority
2023-01-04 15:31:57.847 -05:00 [INF] Completed Certificate Request.
2023-01-04 15:31:57.912 -05:00 [INF] Performing Automated Certificate Binding
2023-01-04 15:31:59.221 -05:00 [INF] Completed certificate request and automated bindings update (IIS)
2023-01-04 15:32:01.035 -05:00 [INF] Request completed
2023-01-04 15:32:01.047 -05:00 [INF] Request completed
2023-01-04 15:32:46.328 -05:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2023-01-04 15:32:51.505 -05:00 [INF] All Tests Completed OK

4. Here is test log output from successful run of the Ftp client: https://ftptest.net/
Status: Resolving address of mickwebsite.com
Status: Connecting to 99.242.126.196
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message…
Reply: 220 Microsoft FTP Service
Command: CLNT https://ftptest.net on behalf of 2607:fea8:2e1d:ba00:81fa:7f7f:6a5:7177
Reply: 500 Command not understood.
Command: AUTH TLS
Reply: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Performing TLS handshake…
Status: TLS handshake successful, verifying certificate…
Status: Received 2 certificates from server.
Status: cert[0]: subject=‘CN=mickwebsite.com’ issuer=‘C=US,O=Let\27s Encrypt,CN=R3’
Status: cert[1]: subject=‘C=US,O=Let\27s Encrypt,CN=R3’ issuer=‘C=US,O=Internet Security Research Group,CN=ISRG Root X1’
Command: USER mickwebsite.com|Mick
Reply: 331 Password required
Command: PASS ******
Reply: 230 User logged in.
Command: SYST
Reply: 215 Windows_NT
Command: FEAT
Reply: 211-Extended features supported:
Reply: LANG EN*
Reply: UTF8
Reply: AUTH TLS;TLS-C;SSL;TLS-P;
Reply: PBSZ
Reply: PROT C;P;
Reply: CCC
Reply: HOST
Reply: SIZE
Reply: MDTM
Reply: REST STREAM
Reply: 211 END
Warning: The server does not indicate MLSD support. MLSD uses a well-specified listing format. Without MLSD, directory listings have to be obtained using LIST which uses an unspecified output format.
Command: PBSZ 0
Reply: 200 PBSZ command successful.
Command: PROT P
Reply: 200 PROT command successful.
Command: PWD
Reply: 257 “/” is current directory.
Status: Current path is /
Command: TYPE I
Reply: 200 Type set to I.
Command: PASV
Reply: 227 Entering Passive Mode (99,242,126,196,136,185).
Command: LIST
Status: Data connection established, performing TLS handshake…
Reply: 125 Data connection already open; Transfer starting.
Status: TLS handshake successful, verifying certificate…
Status: Received 2 certificates from server.
Status: cert[0]: subject=‘CN=mickwebsite.com’ issuer=‘C=US,O=Let\27s Encrypt,CN=R3’
Status: cert[1]: subject=‘C=US,O=Let\27s Encrypt,CN=R3’ issuer=‘C=US,O=Internet Security Research Group,CN=ISRG Root X1’
Warning: Control and transfer connection do not share the same TLS session. Without TLS session resumption, an attacker could swap transfers between you and another user connected to the same server. Make sure the server allows session resumption and caches sessions for the entire duration of the control connection.
Listing: 12-24-22 05:16PM 21 MetaTest.txt
Reply: 226 Transfer complete.
Status: Success
Thanx again :slight_smile:
Mick

1 Like
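As an added illustration, not code from this thread or from Certify The Web or IIS, the Python below models the two checks the thread turned on: Christopher's point that a certificate name must match the FTP hostname (including the rule that a wildcard covers exactly one label), and Mick's finding that an FTP site with a hostname binding expects the IIS-style `hostname|user` login. The binding set, the certificate names and the reply strings are assumptions built from the log lines posted above.

```python
from typing import Optional, Tuple

# Constructed from the thread: the FTP site is bound to this hostname, and the
# Let's Encrypt certificate carries only this one name.
FTP_BINDING_HOSTS = {"mickwebsite.com"}
CERT_NAMES = ["mickwebsite.com"]


def cert_name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate CN/SAN entry covers `host`.

    Exact match, case-insensitive; a leading '*.' stands for exactly one
    DNS label, so '*.example.com' covers 'ftp.example.com' but neither
    'example.com' nor 'a.b.example.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                     # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert_names, host: str) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(cert_name_matches(n, host) for n in cert_names)


def parse_ftp_user(user_arg: str) -> Tuple[Optional[str], str]:
    """Split the IIS 'hostname|username' USER argument; hostname may be absent."""
    if "|" in user_arg:
        host, _, name = user_arg.partition("|")
        return host, name
    return None, user_arg


def ftp_user_reply(user_arg: str, binding_hosts=FTP_BINDING_HOSTS) -> str:
    """Model the server's answer to USER when the site has a hostname binding:
    the client must name a configured site host, or it is refused (assumed reply
    text taken from the thread's logs)."""
    host, _ = parse_ftp_user(user_arg)
    if host is None or host.lower() not in {b.lower() for b in binding_hosts}:
        return "530 Valid hostname is expected."
    return "331 Password required"
```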

Hi Christopher,
Well, it looks like what I have posted above may not work for me after all so I may have to undo it and go back to ftp.mickwebsite.com. The problem is that while the online Ftp Tester at https://ftptest.net/ works just fine, as you can see from the above log, I have not been able to find a Play Store Ftp client app that will accept the domain:name format for logging in. I’ll check some more tomorrow but so far I have tried Filezilla, FtpCafe, PowerFTP, and AndFTP with no successful logins.
It will be another day of careful, perhaps tedious work removing ftp setup from IIS, deleting the Ftp service from Windows 10, rebooting then reinstalling and applying the CTW app again :slight_smile:
Mick

Update…

Everything good! :slight_smile:
I found that PowerFTP, AndFtp and FtpCafe work very well indeed. Just had to get the login and local/remote credentials set up correctly.
Once again, thank you very much for the help you have given me on this and on other questions etc that I have posted. You have been very helpful. And…
Have a Happy New Year!
:slight_smile:
Mick

1 Like