Closed servusoft closed 6 years ago
May I ask why you want to connect without SSL? SSL is cheap (self or Letsencrypt)
Some web hosts do not support SSL for FTP, and there are no options to change the behavior. The SSL connection may exist, but can have the root access of the server. I must use other plugins, because your plugin fails.
It would be nice if your plugin supported transfer without SSL too.
I can confirm that the plugin works without SSL by using secure: false, see here:
https://github.com/LawnchairLauncher/lawnchair.info/blob/master/.drone.yml#L6
See https://lftp.yar.ru/lftp-man.html for documentation. I still stand by my point that SSL should be used for transfers on the web. You can use my plugin with common FTP but there's a reason why I set the default value for secure to true.
For me cschlosser/drone-ftps fails with error:
mirror: Fatal error: Certificate verification: unable to get local issuer certificate (C2:5D:5B:C0:2F:6E:5E:2F:9A:BB:79:1D:19:E4:1E:42:84:C9:20:DE)
but hwan9/drone-ftps or francoishill/drone-ftps works fine.
image: cschlosser/drone-ftps # SSL Error!
# image: hwan9/drone-ftps
# image: francoishill/drone-ftps
hostname: ftp.host.cc:21
username: user
secrets: [ ftp_password ]
secure: false
ssl_allow: false
@servusoft you are using it wrong, username is a secret now.
Same behavior with ftp_username as secret:
image: cschlosser/drone-ftps # SSL Error!
hostname: ftp.host.cc:21
secrets:
- ftp_username
- ftp_password
secure: false
I think the hosting provider does not support SSL (FTPS), and it can only be overridden with SSL_ALLOW=false and set ftp:ssl-allow $PLUGIN_SSL_ALLOW; like
https://github.com/harriswan9a/drone-ftps
I agree, SSL should be used wherever possible. But it should also be possible to use the plugin if it does not work.
From what I can gather from your info, your host's FTP server configuration is broken. The host accepts secure connections but the certificate provided is invalid (missing intermediate cert, expired, ...). You should contact your host about this problem.
Regardless I will add your requested option because insecure is insecure anyway.
I think the hosting provider does not support SSL (FTPS), and it can only be overridden with SSL_ALLOW=false and set ftp:ssl-allow $PLUGIN_SSL_ALLOW; like
I am running the plugin and connecting to a ProFTP server without SSL (have not set up FTPS) and it works for me. What exactly does your hoster use?
@divadsn: my provider is https://www.netcup.eu/hosting/ I created an FTP test account: Details removed by @christophschlosser: Never post username and password combinations on the internet.
and tested it on image: cschlosser/drone-ftps
With secure: true I get:
mirror: Fatal error: Certificate verification: subjectAltName does not match ‘hosting10923.af93d.netcup.net’ (C2:5D:5B:C0:2F:6E:5E:2F:9A:BB:79:1D:19:E4:1E:42:84:C9:20:DE)
With secure: false it works fine. Big thanks to christophschlosser!
@christophschlosser: one more (additional) option would be to use a (wrongly configured) SSL certificate, but the verification error will be suppressed: https://serverfault.com/questions/411970/how-to-avoid-lftp-certificate-verification-error
I think, if SSL is wrongly configured, an FTPS file transfer with a wrong certificate makes more sense than a file transfer without SSL.
With secure: true I get:
mirror: Fatal error: Certificate verification: subjectAltName does not match ‘hosting10923.af93d.netcup.net’ (C2:5D:5B:C0:2F:6E:5E:2F:9A:BB:79:1D:19:E4:1E:42:84:C9:20:DE)
So your hoster accepts and uses secure connections, but it rather fails on checking the certificate.
Ok, now I get it. Unlike on my setup, where I have secure connections disabled and my FTP server isn't asking the client to use a secure connection, on your hoster's that's the case, which is why it failed.
Rather ask your hoster why they are forcing FTP clients to connect via invalid SSL.
@servusoft Never post username and password combinations on the internet.
Suppressing invalid certs or connecting without security is essentially the same.
Even though I fixed this, please contact your hoster and demand a reason why his FTP config is broken. If he doesn't provide one, I highly advise switching your hoster.
@christophschlosser: about user and pass I am aware. The FTP root was not in the /httpdocs folder, there is no security hole. The test account is now deleted.
The invalid certs may be a security issue, but with transfer over SSL there are significantly fewer attack options.
I have a valid LE certificate for my web, but the FTP server on my hoster uses ProFTPD with a wildcard certificate like CN=*.provider.net.
I think most hosters use a separate FTP server and it's not possible to configure the SSL certs of all customers for all hosted domains. With another hoster I would possibly have the same issue.
I created a new issue; for me it works fine: https://github.com/christophschlosser/drone-ftps/issues/3
I have an issue connecting to an FTP host without SSL.
An additional parameter needs to be set:
set ftp:ssl-allow $PLUGIN_SSL_ALLOW;
francoishill and harriswan9a have a solution: https://github.com/francoishill/drone-ftps/blob/master/upload.sh#L41 https://github.com/harriswan9a/drone-ftps/blob/master/upload.sh#L41
Would you extend the plugin like this?
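
The transport choices debated in this thread, side by side, as an added shell example that is not code from the plugin or from any participant. The mode names, function names and the host `ftp.example.invalid` are hypothetical; the setting names are lftp's own, and the script only builds the lftp command text without connecting anywhere.

```shell
#!/bin/sh
# Added example. Mode and function names are hypothetical;
# the setting names (ftp:ssl-allow, ssl:verify-certificate, ...) are lftp's.

# Print the lftp settings for one transport policy.
lftp_tls_settings() {
  case "$1" in
    strict)       # FTPS required; certificate chain and hostname both checked
      printf '%s\n' 'set ftp:ssl-force true;' 'set ftp:ssl-protect-data true;' \
        'set ssl:verify-certificate true;' 'set ssl:check-hostname true;' ;;
    no-hostname)  # chain still checked against trusted CAs; name mismatch tolerated
      printf '%s\n' 'set ftp:ssl-force true;' 'set ftp:ssl-protect-data true;' \
        'set ssl:verify-certificate true;' 'set ssl:check-hostname false;' ;;
    no-verify)    # traffic is encrypted, but the server is not authenticated
      printf '%s\n' 'set ftp:ssl-force true;' 'set ftp:ssl-protect-data true;' \
        'set ssl:verify-certificate false;' ;;
    plain)        # no TLS: password and files cross the network in clear text
      printf '%s\n' 'set ftp:ssl-allow false;' ;;
    *)
      echo "unknown mode: $1" >&2
      return 2 ;;
  esac
}

# Compose the text that would be handed to `lftp -c` (credentials left out).
# $1 mode, $2 host, $3 local dir, $4 remote dir
lftp_script() {
  settings=$(lftp_tls_settings "$1") || return 2
  printf '%s\nopen %s;\nmirror -R %s %s;\n' "$settings" "$2" "$3" "$4"
}

# Show every policy so the differences can be reviewed before picking one.
for mode in strict no-hostname no-verify plain; do
  echo "# --- $mode ---"
  lftp_script "$mode" ftp.example.invalid ./dist /httpdocs
done
```

With `ftp:ssl-force true` lftp refuses to send the password when the server offers no TLS, so the first three modes never fall back to clear text; only `plain` does.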