Support for passive FTP #236

Closed
podtalje opened this issue Jan 26, 2017 · 9 comments

@podtalje

podtalje commented Jan 26, 2017

In FTP configuration, getSSL will try to use an active FTP connection to transfer the ACME file to the server.

But in reality, connection to web hosting servers is usually only possible through passive FTP mode.
The result of this is that the ACME file will not be successfully transferred.

Would it be possible to add an option to also support passive FTP by using pftp or by adding the -p option?

@srvrco
Collaborator

srvrco commented Jan 26, 2017

Passive mode is the default (I thought) for both ftp and pftp. If I check the ftp manual

-p Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires that the ftp server support the PASV command. This is the default now for all clients (ftp and pftp) due to security concerns using the PORT transfer mode. The flag is kept for compatibility only and has no effect anymore.

Is your connection trying to use active?

@podtalje
Author

podtalje commented Jan 26, 2017

I am using Ubuntu 12.04 LTS, my ftp client is 0.17-25 and by default it starts in active mode.

My man page for ftp is a little different and it states:
-p Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires that the ftp server support the PASV command. This is the default if invoked as pftp.

But to be honest, my ftp client is a rather old version. Still I am a bit puzzled since I see that setting default to passive was done already in 2010.

Anyway I think the issue can be closed since it probably does not make much sense to support such an old version.

@srvrco
Collaborator

srvrco commented Jan 26, 2017

Thanks for the update.

I'll close this as an "issue" but I'll have a look if there is a sensible way to allow flags etc on the ftp command.

From a security viewpoint, I'd suggest updating your FTP client of course, and if possible changing to SFTP or SSH, as that would also allow you to transfer the certificates securely (which the script doesn't allow via FTP as it's not secure).

@srvrco srvrco closed this as completed Jan 26, 2017
@ntamas

ntamas commented Oct 9, 2019

Just wanted to give a quick update that even with Ubuntu 18.04 LTS, the default ftp client in the ftp package is netkit-ftp, which defaults to starting in active mode. The manual says:

-p Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires that the ftp server support the PASV command. This is the default if invoked as pftp.

Note that it does not say anything about starting up in passive mode by default.

In my case, a client of mine has a hosting provider that does not provide SFTP or SSH access; the only options are FTP in passive mode and FTPS (i.e. FTP with a TLS layer on top of it). Since FTPS is not supported by getssl as far as I know, I always have to patch getssl to invoke pftp (i.e. passive FTP) instead of ftp to upload the challenge. (I am copying the certificates manually to CPanel). So this is definitely still a problem today, although it's relatively easy to get around it once you know where the problem is.

@QuingKhaos
Collaborator

Thanks for your feedback @ntamas

I will reopen that issue. Working in passive mode should IMHO be the default; I don't know where active mode would work seamlessly. I'm still not sure if we should fix this to be in passive mode by default or introduce a new parameter or flag for setting FTP into passive mode.

@QuingKhaos QuingKhaos reopened this Oct 9, 2019
@QuingKhaos
Collaborator

There is a PR in #275

@QuingKhaos QuingKhaos self-assigned this Oct 14, 2019
@ntamas

ntamas commented Oct 14, 2019

Thanks, subscribed!

@vasiliyaltunin

Still have this problem with Debian 10 installed in WSL2 on Windows
PORT/EPRT (Active Mode/Extended Active Mode) is not supported. Use PASV/EPSV instead of this

@timkimber
Member

Adding:

FTP_OPTIONS="passive"

in getssl.cfg will enable passive mode
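
To confirm that a failed challenge upload really comes from the client requesting active mode, the following added example (not getssl code and not from any commenter in this thread) classifies an ftp client debug transcript. The `---> ` command prefix, the function names and the sample transcripts are assumptions made for the example.

```shell
# Added example: reads an ftp client debug transcript on stdin and prints
# <mode>-<state> for the last data-mode command seen, or "unknown".
# Assumption: client commands are echoed as "---> CMD args" in debug output.
classify_ftp_mode() {
    awk '
        /^---> (PORT|EPRT)( |$)/ { mode = "active";  state = "no-reply"; pending = 1; next }
        /^---> (PASV|EPSV)( |$)/ { mode = "passive"; state = "no-reply"; pending = 1; next }
        # First numbered reply after the mode command: 4xx/5xx is a refusal.
        pending && /^[1-5][0-9][0-9][ -]/ {
            state = ($0 ~ /^[45]/) ? "refused" : "ok"
            pending = 0
            next
        }
        # 425 = cannot open data connection (RFC 959): the mode was accepted
        # but the data connection itself never came up.
        /^425[ -]/ { if (mode != "") state = "data-failed" }
        END { print (mode == "" ? "unknown" : mode "-" state) }
    '
}

# Constructed transcripts. Addresses are from documentation ranges; the reply
# code on the refusal line is made up, its message text is the one quoted in
# the thread.
sample_active() {
    cat <<'EOF'
---> USER deploy
331 Password required
---> PASS XXXX
230 Logged in
---> PORT 192,0,2,10,195,80
500 PORT/EPRT (Active Mode/Extended Active Mode) is not supported. Use PASV/EPSV instead of this
EOF
}

sample_passive() {
    cat <<'EOF'
---> PASV
227 Entering Passive Mode (198,51,100,7,195,80)
---> STOR challenge-token
150 Opening data connection
226 Transfer complete
EOF
}

sample_active  | classify_ftp_mode
sample_passive | classify_ftp_mode
```

An `active-refused` or `active-data-failed` result is the case where setting `FTP_OPTIONS="passive"` in getssl.cfg applies.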
