Solved (Explicit) FTPS not working for admin backups.

realcryptonight

Hello everyone,
I have been trying to set up a vsFTPd backup server for 2 weeks now. As far as I can tell it works as intended. (My FileZilla client works with that FTP server.)
But it always fails when I use this FTP server for my admin backup. I always get the following message:

User admin has been backed up.
ftp_upload.php exit code: 18
ftp_upload.php output: curl: (18) server did not report OK, got 426
curl return code: 18
Please see this URL and check for curl exit code '(18)': https://help.directadmin.com/item.php?id=2127
Although a backup error has occurred, the upload of valid backups would have still been attempted to ftps://**MY FTP server Address/files

And on my backup server it creates a backup file but it's only 2MB where I know for a fact it should be around 89MB.

And I have tried the following:
1. Change the script from ftp:// to ftps:// (Still same error)
2. Secure FTP setting off and on. (Without "Secure FTP" it does not work (as expected with Explicit FTPS) and when it's on still the same error)
3. Use IP address and domain name. (Still same error but no SSL errors when using IP)
4. And of course combinations of this.

I have also added my vsFTPd config in case it is relevant.


Final update:

After weeks of testing and trying I just gave up and changed to SFTP (SSH based) backups with the help of zEiter and his SFTP script.
I figured out that the issue was NOT the upload script but my FTP server. (Even though I still do not know why to this day.)
 

Attachments

  • vsftpd.conf.txt
Here are the new docs

If you in SSH try to FTP directly from the server, does it connect?

Also, have you explored pulling the backups? It is safer.
Thanks for the docs. I just tried the test command and now it's getting even weirder.
When I use FileZilla client on the same network it's all fine and works.
When I test the ftp_upload.php I get a connection refused.
 
Quick update:
On my local network I get a connection refused. (Tried to fix it by removing pasv_address but still same result.)
On my external network/server it just connects. And when I upload a test.txt with a little bit of text it all works, but when I upload the admin backup I get the 18 error with FTP error 426 again.

And just a quick thought:
Could it be because I configured vsFTPd to use port 990 instead of 21? Since it needs to communicate on port 990/21 to get the transfer ports open/assigned.

Extra update:
Found out that after I somehow messed up the port configurations I never re-added the custom passive ports to not be blocked. But I still get a connection refused.
And changing to port 21 fixed nothing.
 
if you go to the DA server where the backup is located (one you are ftping to the remote ftp server) log in to ssh

can you ftp from there?
da server command prompt > ftp command > open remote server > login with remote ftp server account

Not using filezilla. That only proves the connection from your pc to the remote server works.

Is the LAN on private addressing?
ftp_upload.php
I also don't think DA supports FTPS for remote backup.
 
Here is some clearing up:

I run 2 DA servers. One is hosted at my home and one in a datacenter in Germany.
(And I plan on adding another backup server somewhere else but that's not for now.)
I use my home DA for experimental use and the one in the datacenter is where my production domains live.
And the backup server is also hosted at home. (And all port forwarding added where needed.)

My external DA gives the 18 error with an FTP 426 error. (And the file gets created on the server but is too small.)
My home DA gives a connection refused all the time. Even though (for testing) I use the same credentials between the two.

For IPs at home I use the 192.168.* addressing but I enter my public IP in the DA panels to prevent local IP issues. (And vsFTPd pasv_address has my public IP)

And all the upload tests are done on my production server and home server and validated with FileZilla to get a complete picture of where the issue is.

And I also did some more testing and my FileZilla server at home just works as a backup for my production server.
 
WinSCP then SSH (kind of SFTP) with key?
 
I have used SFTP in the past but I am 100% against it since it allows shell-level access to a server if the credentials get stolen or the key gets exposed.
With a FTP setup they would only have access to the FTP part of the OS.
 
FTP is insecure.
So it depends how you have other security: SSH key with passphrase (don't save that one) and IP address limits.
Shell access users and rights, and so on.

but ok
 
I said that I use an FTP server. I did not say that I use the FTP protocol. I use the FTPS protocol.
And this whole issue is because of FTPS. So your answer makes no sense to me.
 
Yes, but you also did write: "With a FTP setup"; on that I replied. For other readers here if found with search.
 
I found the issue. (After way too long trying to find and fix it.)

My suspicions were right. The list and upload scripts (and possibly download too) do not work/are not compatible with explicit FTPS.
I already made a fix/patch for it, and will soon upload this to my GitHub repo.
 
There was an issue with curl flags that has been addressed in pre-release. Have you updated to pre-release yet? Also, make sure you’ve built curl via custombuild & are using it rather than an outdated version of curl packaged with the OS. CentOS I know will often have curl version 7.29 but you’ll need 7.75 I believe to work with the updated upload scripts.
 
No, I have not. (But I use curl from CustomBuild.) But I found out that even though there “should” be an FTPS implementation, there is not.
And since the FTP server forces SSL, curl cannot ignore it like it does in the default script.
 
Just to be clear:

The default script for curl connects to the FTP server over FTP or FTPS depending on whether or not FTPS is chosen in the panel.
Even though it says it can use FTPS, it cannot. When curl gets the certificate (for all I care) curl throws it in the trash and keeps talking in plain FTP.
But since my FTP server is set up to only allow FTPS (Explicit FTPS) it needs to talk in FTPS. (Which it is not doing.) And thus my FTP server drops the connection.
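
Added example (not part of the original posts or of DirectAdmin's scripts): in curl, an `ftps://` URL means implicit FTPS, while explicit FTPS is an `ftp://` URL with `--ssl-reqd`. The sketch builds both forms and compares a remote backup's size with the local one to catch the truncated upload described in this thread. `backup.example.com`, `FTP_USER`, the paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Host, port and path values are placeholders (assumptions).

# Print the curl arguments that select an FTPS mode for one remote file.
#   explicit: ftp:// URL, upgraded with AUTH TLS on the control port; --ssl-reqd
#             makes curl abort instead of continuing in cleartext.
#   implicit: ftps:// URL, TLS from the first byte, conventionally port 990.
ftps_target() {
    mode=$1; host=$2; rpath=$3; port=$4
    case "$mode" in
        explicit) printf '%s\n' "--ssl-reqd ftp://${host}:${port:-21}/${rpath}" ;;
        implicit) printf '%s\n' "ftps://${host}:${port:-990}/${rpath}" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Read `curl -sI <ftp-url>` output on stdin and print the Content-Length value,
# which curl fills in from the server's SIZE reply.
remote_size() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "content-length" { print $2; exit }'
}

# Succeed only when the remote byte count equals the local one. A shorter remote
# file is what a transfer cut off mid-stream (curl exit code 18) leaves behind.
verify_upload() {
    local_bytes=$1; remote_bytes=$2
    [ -n "$remote_bytes" ] && [ "$local_bytes" -eq "$remote_bytes" ] 2>/dev/null
}

# Against a real server (not run here; FTP_USER is a placeholder):
#   curl $(ftps_target explicit backup.example.com backups/admin.tar.gz) \
#        -u "$FTP_USER" -T admin.tar.gz
#   curl -sI $(ftps_target explicit backup.example.com backups/admin.tar.gz) \
#        -u "$FTP_USER" | remote_size

# Constructed sample of `curl -sI` output for an FTP URL (sizes are made up to
# mirror the 2MB-instead-of-89MB symptom).
sample_headers='Last-Modified: Tue, 01 Jun 2021 10:00:00 GMT
Content-Length: 2097152
Accept-ranges: bytes'

got=$(printf '%s\n' "$sample_headers" | remote_size)
if verify_upload 93323264 "$got"; then
    echo "upload complete"
else
    echo "remote copy truncated: $got of 93323264 bytes"
fi
```

Passing a fourth argument overrides the port, which matters when an explicit-FTPS server listens somewhere other than 21.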
 
Well, there goes that idea.
After some time my server gives a curl error of 18 and 426 as FTP error, so that is not it I guess.
 
There was an issue with curl flags that has been addressed in pre-release. Have you updated to pre-release yet? Also, make sure you’ve built curl via custombuild & are using it rather than an outdated version of curl packaged with the OS. CentOS I know will often have curl version 7.29 but you’ll need 7.75 I believe to work with the updated upload scripts.
Do you have an article on how I can do that?
Since at this point I'm trying everything.
 
Hello,

Pre-release contains changes to the ftp upload script, which is why you'd need to update to pre-release.

To downgrade back to the latest stable version, you would just run the upgrade without the '&channel=beta' flag. :)

And to update curl afterwards, just:
Code:
cd /usr/local/directadmin/custombuild/
./build update
./build curl
 