Server's certificate is unknown when using ftp with cPanel

ArjunSuhass

Registered
cPanel Access Level
Website Owner
I have VPS hosting with both WHM/cPanel and SSH root access. I created an FTP account using cPanel, and now when I try to connect using FileZilla I get the following
Warning:
The server's certificate is unknown. Please carefully examine the certificate to make sure the server can be trusted. etc etc. and at the bottom under Session details a red text saying Hostname doesn't match certificate.

Now I'm familiar with SSH/CLI and can navigate anywhere in the server without any trouble if graphical cPanel access is not enough, but I don't have in-depth knowledge about SSL certificates or networking in general, so I'm at a loss where to even begin. Of course I tried googling first in case this is a common case, but to no avail, so I need at least a clue to the right direction. For starters, should I check some values from some files in the server and match them with something showing in the message?

Here are the screenshots of the server certificate from a browser:


And here's the popup warning window from FileZilla while trying to connect to the server:

 

quietFinn

Well-Known Member
cPanel Access Level
Root Administrator
If the certificate is for the server you are connecting to, it's normal, and you can ignore that message.
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
Yes, this is just like when you make an SSH connection to a machine for the first time and it asks if you're sure you recognize the host. Nothing to be concerned with at all here since the screenshots show the SSL is valid.
 

plesk4lyf

Active Member
PartnerNOC
cPanel Access Level
Root Administrator
@ArjunSuhass the reason for the warning is in the screenshot:
Host: 263research.com:21 - Hostname does not match certificate

That's because the certificate Common Name doesn't mention 263research.com. The certificate is for Common Name: v5837.securen.net.

If you instead connect to v5837.securen.net, you'll still get the prompt, but there'll be no warning about the name not matching.

I vaguely remember that out of pureftp and proftp, one of them doesn't support SNI, which allows you to use individual SSL certificates to cover the configured hostnames. It's not mentioned in the documentation of differences: FTP Server Selection | cPanel & WHM Documentation

@cPRex would know!
 

ecartz

Member
cPanel Access Level
Root Administrator
Warning:
The server's certificate is unknown. Please carefully examine the certificate to make sure the server can be trusted.
This is perfectly normal and expected. The first time you connect, the certificate is unknown.

It may be possible to configure FileZilla to look in the same place as your SSH client to see if a certificate is known. This would be highly dependent on what SSH client you use. Or you could replace FileZilla with another FTP client that interacts better with your SSH client. It looks like FileZilla itself uses PuTTY. I do not know if using PuTTY would be sufficient.

at the bottom under Session details a red text saying Hostname doesn't match certificate.
This is not as expected. If you are sure that v5837.securen.net is supposed to host 263research.com, you can ignore it or connect to the host using the name the certificate expects.

It is also generally possible to use a certificate to cover multiple domains, which would be a better fix if your clients are going to use SSL-secured FTP or SSH. According to this link both PureFTPD and ProFTPD now support SNI (which is used to allow a certificate to answer multiple domains on the same IP). However, you may have to use a particular version (or install modules), as they may not come with it by default. This link claims that FileZilla supports SNI.

My main point here is that you are getting two different messages. This is why you are getting different advice. The certificate being unknown is normal and many get in the habit of ignoring it (which makes that particular warning not as useful as it would otherwise be). There isn't a real fix for it other than accepting the certificate. The hostname not matching is less normal (although not that abnormal either) and may be possible to fix. It's possible that it won't allow you to permanently accept the certificate if the hostname doesn't match, so you might get the first message repeatedly rather than just once. I have provided several links to additional information, but I can't confirm that they are correct. I provide them mostly to give you an idea of the terminology involved if you want to do more research.
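
The two warnings discussed in this thread, checked separately in code. This is an added example, not code from any poster, cPanel or FileZilla. The certificate dictionary and DER bytes are constructed stand-ins for the thread's case (Common Name v5837.securen.net), and all function names are hypothetical.

```python
import ftplib
import hashlib
import ssl

def name_matches(pattern, host):
    """Exact match, or one left-most '*' label (as in *.example.com)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_names(cert):
    """DNS names from a dict shaped like SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # the CN is ignored once SAN DNS entries exist
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def diagnose(host, cert, der, known_fingerprints):
    """Report the two conditions separately for one connection attempt."""
    fp = hashlib.sha256(der).hexdigest()
    return {
        "fingerprint": fp,
        "unknown_certificate": fp not in known_fingerprints,
        "hostname_mismatch": not any(name_matches(n, host) for n in cert_names(cert)),
    }

def fetch_ftps_cert(host, port=21, timeout=10):
    """Live fetch over explicit FTPS (AUTH TLS); needs network, not run here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared above
    ftp = ftplib.FTP_TLS(context=ctx)
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.auth()  # sends AUTH TLS, then wraps the control socket
        return ftp.sock.getpeercert(), ftp.sock.getpeercert(binary_form=True)
    finally:
        ftp.close()

# Constructed sample shaped like the thread's case; DER bytes are a stand-in.
SAMPLE_CERT = {"subject": ((("commonName", "v5837.securen.net"),),)}
SAMPLE_DER = b"constructed placeholder, not a real certificate"
```

On the server itself, `diagnose(host, *fetch_ftps_cert(host), known)` can be run once per hostname your users connect to; the fingerprint it returns is the value to compare against what the FTP client's prompt shows before accepting.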