WinSCP will not accept certificate in batch mode

jborrows

WinSCP will not accept certificate in batch mode

I am running WinSCP 4.4.0 on Windows Vista. I'm running in batch mode using FTPS (FTP with TLS Explicit encryption and passive mode). My saved session works perfectly using the GUI interface. I have accepted the server certificate, and no longer get prompted.

However, when I export my session to a .ini file and run in batch mode (with "option batch off" to allow the cert to be accepted), it does not allow me to accept the cert. Oddly, the cert warning message comes up twice, and the command line session hangs after I hit "Y" to accept the cert. My "Y" keystroke seems to have been read, as I get "Yes" echoed back on the second prompt. Not sure why this is happening, as accepting the cert on the command line used to work fine (with no double prompt). Note that if I open the connection and specify the -certificate switch with the certificate fingerprint, it works fine in batch mode.

Here is my command invocation:
"C:\Program Files\WinSCP\winscp" /script=test_transfer.txt /ini=WinSCP.ini /log=winscp.log

Here is the script file (test_transfer.txt):
option batch off
option confirm off
open jbtestTLS-ftp.dir.gov.bc.ca
put somedata.txt
close
exit

Here is the output of the command line console:
H:\WinSCP_testing>"C:\Program Files\WinSCP\winscp" /script=test_transfer.txt /in
i=WinSCP.ini /log=winscp.log
batch off
confirm off
Prompting for credentials...
Password:
Connecting to ftp.dir.gov.bc.ca ...
Connected with ftp.dir.gov.bc.ca, negotiating SSL connection...
The server's certificate is not known. You have no guarantee that the server is
the computer you think it is. Server's certificate details follow:
Issuer:
- Organization: Entrust, Inc., (c) 2009 Entrust, Inc., Entrust Certification Aut
hority - L1C
- Location: US
Subject:
- Organization: Government of the Province of British Columbia, ftp.dir.gov.bc.c
a
- Location: CA, British Columbia, Victoria
Valid: 2013-04-10 9:20:49 PM - 2014-05-01 12:20:55 AM
Fingerprint (SHA1): 2d:76:df:6e:cc:05:f5:cb:7e:42:82:69:99:5a:7c:75:44:75:e8:04
Summary: Unable to get local issuer certificate. The error occured at a depth of
1 in the certificate chain.
If you trust this certificate, press Yes. To connect without storing certificate
, press No. To abandon the connection press Cancel.
Continue connecting and store the certificate?
(Y)es, (N)o, C(a)ncel, (C)opy Key:
(Y)es, (N)o, C(a)ncel, (C)opy Key: Yes


Here is the output of the winscp.log file:
. 2013-05-29 12:02:45.853 --------------------------------------------------------------------------
. 2013-05-29 12:02:45.861 WinSCP Version 4.4.0 (Build 1904) (OS 6.0.6002 Service Pack 2)
. 2013-05-29 12:02:45.875 Configuration: H:\WinSCP_testing\WinSCP.ini
. 2013-05-29 12:02:45.883 Local account: IDIR\jborrows
. 2013-05-29 12:02:45.892 Login time: Wednesday, May 29, 2013 12:02:45 PM
. 2013-05-29 12:02:45.900 --------------------------------------------------------------------------
. 2013-05-29 12:02:45.908 Session name: jbtestTLS-ftp.dir.gov.bc.ca (Stored session)
. 2013-05-29 12:02:45.916 Host name: ftp.dir.gov.bc.ca (Port: 21)
. 2013-05-29 12:02:45.924 User name: jborrows (Password: No, Key file: No)
. 2013-05-29 12:02:45.932 Tunnel: No
. 2013-05-29 12:02:45.940 Transfer Protocol: FTP
. 2013-05-29 12:02:45.948 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2013-05-29 12:02:45.956 Proxy: none
. 2013-05-29 12:02:45.964 FTP: FTPS: Explicit TLS; Passive: Yes [Force IP: A]
. 2013-05-29 12:02:45.972 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2013-05-29 12:02:45.980 Cache directory changes: Yes, Permanent: Yes
. 2013-05-29 12:02:45.988 DST mode: 1
. 2013-05-29 12:02:45.996 --------------------------------------------------------------------------
. 2013-05-29 12:02:46.004 Password prompt (no password provided or last login attempt failed)
. 2013-05-29 12:02:49.850 Connecting to ftp.dir.gov.bc.ca ...
. 2013-05-29 12:02:49.955 Connected with ftp.dir.gov.bc.ca, negotiating SSL connection...
< 2013-05-29 12:02:49.988 220 pearl.bcsc.gov.bc.ca FTP server (Version wu-2.7.0-11.91.2.3.1) ready.
> 2013-05-29 12:02:49.996 AUTH TLS
< 2013-05-29 12:02:50.004 234 AUTH TLS OK.
. 2013-05-29 12:02:50.420 Asking user:
. 2013-05-29 12:02:50.428 The server's certificate is not known. You have no guarantee that the server is the computer you think it is. Server's certificate details follow:
. 2013-05-29 12:02:50.436
. 2013-05-29 12:02:50.442 Issuer:
. 2013-05-29 12:02:50.450 - Organization: Entrust, Inc., (c) 2009 Entrust, Inc., Entrust Certification Authority - L1C
. 2013-05-29 12:02:50.458 - Location: US
. 2013-05-29 12:02:50.466
. 2013-05-29 12:02:50.472 Subject:
. 2013-05-29 12:02:50.480 - Organization: Government of the Province of British Columbia, ftp.dir.gov.bc.ca
. 2013-05-29 12:02:50.488 - Location: CA, British Columbia, Victoria
. 2013-05-29 12:02:50.496
. 2013-05-29 12:02:50.502 Valid: 2013-04-10 9:20:49 PM - 2014-05-01 12:20:55 AM
. 2013-05-29 12:02:50.510
. 2013-05-29 12:02:50.516 Fingerprint (SHA1): 2d:76:df:6e:cc:05:f5:cb:7e:42:82:69:99:5a:7c:75:44:75:e8:04
. 2013-05-29 12:02:50.524
. 2013-05-29 12:02:50.530 Summary: Unable to get local issuer certificate. The error occured at a depth of 1 in the certificate chain.
. 2013-05-29 12:02:50.538
. 2013-05-29 12:02:50.544 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2013-05-29 12:02:50.552
. 2013-05-29 12:02:50.558 Continue connecting and store the certificate? ()
. 2013-05-29 12:02:52.670 Peer certificate rejected
. 2013-05-29 12:02:52.679 Disconnected from server
. 2013-05-29 12:02:52.687 Connection failed.
. 2013-05-29 12:02:52.697 Attempt to close connection due to fatal exception:
* 2013-05-29 12:02:52.705 (EAccessViolation) EAccessViolation


Any hints would be appreciated.

thanks,
Jonathan

martin
Site Admin

Re: WinSCP will not accept certificate in batch mode

Thanks for your report.
I have sent you an email with a debug version of WinSCP to the address you have used to register on this forum.

rhussey3
Guest

Re: WinSCP will not accept certificate in batch mode

martin wrote:

Thanks for your report.
I have sent you an email with a debug version of WinSCP to the address you have used to register on this forum.

I just ran into the same issue, is it possible to get the fix as well? I am running WinSCP Version 5.7 (Build 5125) (OS 5.2.3790 Service Pack 2 - Microsoft Windows Server 2003 R2)

martin
Site Admin

Re: WinSCP will not accept certificate in batch mode

rhussey3 wrote:

I just ran into the same issue, is it possible to get the fix as well? I am running WinSCP Version 5.7 (Build 5125) (OS 5.2.3790 Service Pack 2 - Microsoft Windows Server 2003 R2)

It was fixed in 5.1.6.
You are having a different (though possibly similar) problem.
So we need more details, please.

metalaarif

Re: WinSCP will not accept certificate in batch mode

Hi,

I am using WinSCP version 5.7.6 (build 5874) and having the same issue. I am not sure how I should make it accept the certificate.

My current script which runs in Windows Server 2012 R2 is:-

open ftps://ftp:password@XX.XXX.XXX.XXX -passive=on -explicitssl -hostkey="ssh-rsa 1024 XXXXXXXXXXXXXXXXXXXXXXXXXXX"

And below is the log file

. 2016-01-15 11:20:12.079 --------------------------------------------------------------------------
. 2016-01-15 11:20:12.095 WinSCP Version 5.7.6 (Build 5874) (OS 6.3.9600 - Windows Server 2012 R2 Essentials)
. 2016-01-15 11:20:12.095 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2016-01-15 11:20:12.095 Log level: Normal
. 2016-01-15 11:20:12.095 Local account: XXXXXXXXXXXXXXXXXXXXX
. 2016-01-15 11:20:12.095 Working directory: D:\FTP
. 2016-01-15 11:20:12.095 Process ID: 15564
. 2016-01-15 11:20:12.095 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /script="D:\FTP\WinSCPScript - Upload CSV.txt" /log="D:\FTP\FTPLogs\log.txt" /timeout=999
. 2016-01-15 11:20:12.095 Time zone: Current: GMT+0, Standard: GMT+0 (GMT Standard Time), DST: GMT+1 (GMT Daylight Time), DST Start: 27/03/2016, DST End: 30/10/2016
. 2016-01-15 11:20:12.095 Login time: 15 January 2016 11:20:12
. 2016-01-15 11:20:12.095 --------------------------------------------------------------------------
. 2016-01-15 11:20:12.095 Script: Retrospectively logging previous script records:
> 2016-01-15 11:20:12.095 Script: option batch abort
< 2016-01-15 11:20:12.095 Script: batch abort
< 2016-01-15 11:20:12.095 Script: reconnecttime 120
> 2016-01-15 11:20:12.095 Script: option confirm off
< 2016-01-15 11:20:12.095 Script: confirm off
> 2016-01-15 11:20:12.095 Script: open ftps:/ftp:***@XXX.XXX.XXX.XXX-passive=on -explicitssl -hostkey="ssh-rsa 1024 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
. 2016-01-15 11:20:12.095 --------------------------------------------------------------------------
. 2016-01-15 11:20:12.095 Session name: ftp@XXX.XXX.XXX.XXX(Ad-Hoc site)
. 2016-01-15 11:20:12.095 Host name: XXX.XXX.XXX.XXX (Port: 21)
. 2016-01-15 11:20:12.095 User name: ftp (Password: Yes, Key file: No)
. 2016-01-15 11:20:12.095 Transfer Protocol: FTP
. 2016-01-15 11:20:12.095 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2016-01-15 11:20:12.095 Disable Nagle: No
. 2016-01-15 11:20:12.095 Proxy: none
. 2016-01-15 11:20:12.095 Send buffer: 262144
. 2016-01-15 11:20:12.095 UTF: 2
. 2016-01-15 11:20:12.095 FTP: FTPS: Explicit SSL; Passive: Yes [Force IP: A]; MLSD: A [List all: A]
. 2016-01-15 11:20:12.095 Session reuse: Yes
. 2016-01-15 11:20:12.095 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2016-01-15 11:20:12.095 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-01-15 11:20:12.095 Cache directory changes: Yes, Permanent: Yes
. 2016-01-15 11:20:12.095 Timezone offset: 0h 0m
. 2016-01-15 11:20:12.095 --------------------------------------------------------------------------
. 2016-01-15 11:20:12.111 Connecting to XXX.XXX.XXX.XXX...
. 2016-01-15 11:20:12.111 Connected with XXX.XXX.XXX.XXX, negotiating TLS connection...
< 2016-01-15 11:20:12.111 220-Communicator Corp's Secure FTP Service (HW). No unauthorised access.
< 2016-01-15 11:20:12.111 220 All connection attempts are logged.
> 2016-01-15 11:20:12.111 AUTH SSL
< 2016-01-15 11:20:12.111 234 AUTH command ok. Expecting TLS Negotiation.
. 2016-01-15 11:20:12.314 Verifying certificate for "Communicator Corporation Limited" with fingerprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and 20 failures
. 2016-01-15 11:20:12.345 Certificate verified against Windows certificate store
. 2016-01-15 11:20:12.345 Asking user:
. 2016-01-15 11:20:12.345 **The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**
. 2016-01-15 11:20:12.345
. 2016-01-15 11:20:12.345 Server's certificate details follow:
. 2016-01-15 11:20:12.345
. 2016-01-15 11:20:12.345 Issuer:
. 2016-01-15 11:20:12.345 - Organization: Thawte, Inc., Thawte SSL CA
. 2016-01-15 11:20:12.345 - Location: US
. 2016-01-15 11:20:12.361
. 2016-01-15 11:20:12.361 Subject:
. 2016-01-15 11:20:12.361 - Organization: Technology, *.
. 2016-01-15 11:20:12.361 - Location: GB, GREAT BRITAIN, LONDON
. 2016-01-15 11:20:12.361
. 2016-01-15 11:20:12.361 Valid: 16/06/2014 00:00:00 - 09/08/2016 23:59:59
. 2016-01-15 11:20:12.361
. 2016-01-15 11:20:12.361 Fingerprint (SHA-1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
. 2016-01-15 11:20:12.361
. 2016-01-15 11:20:12.361 Summary: Certificate was not issued for this server. You might be connecting to a server that is pretending to be "XXX.XXX.XXX.XXX".
. 2016-01-15 11:20:12.361
. 2016-01-15 11:20:12.361 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2016-01-15 11:20:12.361
. 2016-01-15 11:20:12.361 Continue connecting and store the certificate? ()
. 2016-01-15 11:20:12.361 Peer certificate rejected
. 2016-01-15 11:20:12.361 Disconnected from server
. 2016-01-15 11:20:12.361 Connection failed.

metalaarif

Re: WinSCP will not accept certificate in batch mode

Hi,

My problem was resolved.

I was being really stupid. I opened my WinSCP software, accepted their Certificate, and now when I tried the script it worked right away.

Hope it helps other people facing the same issue.

martin
Site Admin

Re: WinSCP will not accept certificate in batch mode

metalaarif wrote:

I was being really stupid. I opened my WinSCP software, accepted their Certificate, and now when I tried the script it worked right away.

Hope it helps other people facing the same issue.

That's not really the correct way.

See https://winscp.net/eng/docs/scripting#hostkey

You need to provide a real certificate fingerprint using the -certificate switch. Not the XX:XX:XX..., but the real value.
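
Added example, not part of the thread and not WinSCP's own code: a Python check that reads a session log in the format posted above, pulls out the SHA-1 fingerprint of the certificate the batch session rejected, and emits an `open` line with `-certificate` only when that fingerprint equals one obtained independently from the server operator. The log excerpt, host name and fingerprint are constructed sample values, the function names are hypothetical, and the switches are the ones that appear in this thread.

```python
import re

# Constructed log excerpt in the format of the WinSCP logs quoted in this thread.
# The host name and the fingerprint are made-up sample values.
SAMPLE_LOG = """\
. 2016-01-15 11:20:12.111 Connected with ftps.example.com, negotiating TLS connection...
> 2016-01-15 11:20:12.111 AUTH SSL
< 2016-01-15 11:20:12.111 234 AUTH command ok. Expecting TLS Negotiation.
. 2016-01-15 11:20:12.345 Asking user:
. 2016-01-15 11:20:12.361 Fingerprint (SHA-1): 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
. 2016-01-15 11:20:12.361 Continue connecting and store the certificate? ()
. 2016-01-15 11:20:12.361 Peer certificate rejected
. 2016-01-15 11:20:12.361 Connection failed.
"""

# The 4.4.0 log above prints "Fingerprint (SHA1):", the 5.7.6 log "Fingerprint (SHA-1):".
FP_LINE = re.compile(r"Fingerprint \(SHA-?1\): ((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})\s*$")
FP_FORMAT = re.compile(r"(?:[0-9a-f]{2}:){19}[0-9a-f]{2}")


def rejected_fingerprints(log_text):
    """Return the fingerprints of certificates the batch session refused."""
    rejected, last_seen = [], None
    for line in log_text.splitlines():
        match = FP_LINE.search(line)
        if match:
            last_seen = match.group(1).lower()
        elif "Peer certificate rejected" in line and last_seen:
            rejected.append(last_seen)
            last_seen = None
    return rejected


def pinned_open_command(url, pinned, log_text):
    """Build the script's `open` line only if the logged certificate equals the pin."""
    pinned = pinned.strip().lower()
    if not FP_FORMAT.fullmatch(pinned):
        raise ValueError("pin must be 20 colon-separated hex bytes, not XX placeholders")
    seen = rejected_fingerprints(log_text)
    if not seen or any(fp != pinned for fp in seen):
        raise ValueError("log does not show the pinned certificate being presented")
    return f'open {url} -passive=on -explicitssl -certificate="{pinned}"'
```

The pin passed to `pinned_open_command` should come from the server operator or the certificate file itself, not from the same log that is being checked.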
