Topic "Can't establish TLS connection"

Author Message
azmal_g

Joined: 2016-03-29
Posts: 3
Location: Hyderabad,India
I am able to log in to the FTP site by importing the client certificate. But when I try to run it via a batch script, I am getting an error.

Below is the log

. 2016-03-29 06:26:19.930 WinSCP Version 5.8.1 beta (Build 6144) (OS 6.1.7601 Service Pack 1 - Windows Server 2008 R2 Enterprise)
. 2016-03-29 06:26:19.930 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2016-03-29 06:26:19.930 Log level: Normal
. 2016-03-29 06:26:19.930 Local account: XXXXXXX
. 2016-03-29 06:26:19.930 Working directory: U:\
. 2016-03-29 06:26:19.930 Process ID: 4692
. 2016-03-29 06:26:19.930 Command-line: "C:\Program Files\WinSCP\WinSCP.exe" /console=581 /consoleinstance=_4736_67 "/script=D:\FTP\LPDTR030_WELLSFARGO_sftp_script.txt" "/log=D:\Autosys\LOGS\LPDTR030.JS000010_SFtp_log.txt"
. 2016-03-29 06:26:19.930 Time zone: Current: GMT-4, Standard: GMT-5 (Eastern Standard Time), DST: GMT-4 (Eastern Daylight Time), DST Start: 03/13/2016, DST End: 11/06/2016
. 2016-03-29 06:26:19.930 Login time: Tuesday, March 29, 2016 6:26:19 AM
. 2016-03-29 06:26:19.930 --------------------------------------------------------------------------
. 2016-03-29 06:26:19.930 Script: Retrospectively logging previous script records:
> 2016-03-29 06:26:19.930 Script: option echo off
< 2016-03-29 06:26:19.930 Script: echo off
> 2016-03-29 06:26:19.930 Script: option batch on
< 2016-03-29 06:26:19.930 Script: batch on
< 2016-03-29 06:26:19.930 Script: reconnecttime 120
> 2016-03-29 06:26:19.930 Script: option confirm off
< 2016-03-29 06:26:19.930 Script: confirm off
> 2016-03-29 06:26:19.930 Script: open ftp://xxxxxx:***@xxxxxxxxxxxxxxx.com/ -explicittls -certificate="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
. 2016-03-29 06:26:19.930 --------------------------------------------------------------------------
. 2016-03-29 06:26:19.930 Session name: xxxxxx@xxxxxxxxxxxxxxx.com (Ad-Hoc site)
. 2016-03-29 06:26:19.930 Host name: xxxxxxxxxxxxxxx.com (Port: 21)
. 2016-03-29 06:26:19.930 User name: xxxxxx (Password: Yes, Key file: No)
. 2016-03-29 06:26:19.930 Transfer Protocol: FTP
. 2016-03-29 06:26:19.930 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2016-03-29 06:26:19.930 Disable Nagle: No
. 2016-03-29 06:26:19.930 Proxy: None
. 2016-03-29 06:26:19.930 Send buffer: 262144
. 2016-03-29 06:26:19.930 UTF: Auto
. 2016-03-29 06:26:19.930 FTP: FTPS: Explicit TLS/SSL [Client certificate: No]; Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]
. 2016-03-29 06:26:19.930 Session reuse: Yes
. 2016-03-29 06:26:19.930 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2016-03-29 06:26:19.930 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-03-29 06:26:19.930 Cache directory changes: Yes, Permanent: Yes
. 2016-03-29 06:26:19.930 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2016-03-29 06:26:19.930 Timezone offset: 0h 0m
. 2016-03-29 06:26:19.930 --------------------------------------------------------------------------
. 2016-03-29 06:26:19.930 Connecting to xxxxxxxxxxxxxxx.com ...
. 2016-03-29 06:26:20.039 Connected with xxxxxxxxxxxxxxx.com, negotiating TLS connection...
< 2016-03-29 06:26:20.070 220 Welcome to Axway Gateway FTP server
> 2016-03-29 06:26:20.070 AUTH TLS
< 2016-03-29 06:26:20.101 234 Security data exchange complete.
. 2016-03-29 06:26:20.476 Server asks for authentication with a client certificate.
. 2016-03-29 06:26:20.507 SSL3 alert read: fatal: bad certificate
. 2016-03-29 06:26:20.507 TLS connect: failed in SSLv3 read finished A
. 2016-03-29 06:26:20.507 Can't establish TLS connection
. 2016-03-29 06:26:20.507 Disconnected from server
. 2016-03-29 06:26:20.507 Connection failed.
. 2016-03-29 07:09:47.505 --------------------------------------------------------------------------
. 2016-03-29 07:09:47.505 WinSCP Version 5.8.1 beta (Build 6144) (OS 6.1.7601 Service Pack 1 - Windows Server 2008 R2 Enterprise)
. 2016-03-29 07:09:47.505 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2016-03-29 07:09:47.505 Log level: Normal
. 2016-03-29 07:09:47.505 Local account: xxxxxxxx
. 2016-03-29 07:09:47.505 Working directory: U:\
. 2016-03-29 07:09:47.505 Process ID: 2224
. 2016-03-29 07:09:47.521 Command-line: "C:\Program Files\WinSCP\WinSCP.exe" /console=581 /consoleinstance=_4060_301 "/script=D:\FTP\LPDTR030_WELLSFARGO_sftp_script.txt" "/log=D:\Autosys\LOGS\LPDTR030.JS000010_SFtp_log.txt"
. 2016-03-29 07:09:47.521 Time zone: Current: GMT-4, Standard: GMT-5 (Eastern Standard Time), DST: GMT-4 (Eastern Daylight Time), DST Start: 03/13/2016, DST End: 11/06/2016
. 2016-03-29 07:09:47.521 Login time: Tuesday, March 29, 2016 7:09:47 AM
. 2016-03-29 07:09:47.521 --------------------------------------------------------------------------
. 2016-03-29 07:09:47.521 Script: Retrospectively logging previous script records:
> 2016-03-29 07:09:47.521 Script: option echo off
< 2016-03-29 07:09:47.521 Script: echo off
> 2016-03-29 07:09:47.521 Script: option batch on
< 2016-03-29 07:09:47.521 Script: batch on
< 2016-03-29 07:09:47.521 Script: reconnecttime 120
> 2016-03-29 07:09:47.521 Script: option confirm off
< 2016-03-29 07:09:47.521 Script: confirm off
> 2016-03-29 07:09:47.521 Script: open ftp://xxxxxx:***@xxxxxxxxxxxxxxx.com/ -explicittls -certificate="xxxxxx"
. 2016-03-29 07:09:47.521 --------------------------------------------------------------------------
. 2016-03-29 07:09:47.521 Session name: xxxxxx@xxxxxxxxxxxxxxx.com (Ad-Hoc site)
. 2016-03-29 07:09:47.521 Host name: xxxxxxxxxxxxxxx.com (Port: 21)
. 2016-03-29 07:09:47.521 User name: xxxxxx (Password: Yes, Key file: No)
. 2016-03-29 07:09:47.521 Transfer Protocol: FTP
. 2016-03-29 07:09:47.521 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2016-03-29 07:09:47.521 Disable Nagle: No
. 2016-03-29 07:09:47.521 Proxy: None
. 2016-03-29 07:09:47.521 Send buffer: 262144
. 2016-03-29 07:09:47.521 UTF: Auto
. 2016-03-29 07:09:47.521 FTP: FTPS: Explicit TLS/SSL [Client certificate: No]; Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]
. 2016-03-29 07:09:47.521 Session reuse: Yes
. 2016-03-29 07:09:47.521 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2016-03-29 07:09:47.521 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-03-29 07:09:47.521 Cache directory changes: Yes, Permanent: Yes
. 2016-03-29 07:09:47.521 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2016-03-29 07:09:47.521 Timezone offset: 0h 0m
. 2016-03-29 07:09:47.521 --------------------------------------------------------------------------
. 2016-03-29 07:09:47.521 Connecting to xxxxxxxxxxxxxxx.com ...
. 2016-03-29 07:09:47.646 Connected with xxxxxxxxxxxxxxx.com, negotiating TLS connection...
< 2016-03-29 07:09:47.677 220 Welcome to Axway Gateway FTP server
> 2016-03-29 07:09:47.677 AUTH TLS
< 2016-03-29 07:09:47.724 234 Security data exchange complete.
. 2016-03-29 07:09:48.020 Server asks for authentication with a client certificate.
. 2016-03-29 07:09:48.051 SSL3 alert read: fatal: bad certificate
. 2016-03-29 07:09:48.051 TLS connect: failed in SSLv3 read finished A
. 2016-03-29 07:09:48.067 Can't establish TLS connection
. 2016-03-29 07:09:48.067 Disconnected from server
. 2016-03-29 07:09:48.067 Connection failed.
martin
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
Use -clientcert switch.
https://winscp.net/eng/docs/scriptcommand_open#clientcert
azmal_g

Joined: 2016-03-29
Posts: 3
Location: Hyderabad,India
prikryl wrote:


Thanks, martin. -clientcert worked to an extent, but I need some more information to get a successful connection.

The passphrase needs to be input manually. Is there any option where the passphrase can be input in the batch script?

And it is connecting to port 990 by default; it needs to connect to port 21.

Below log is from the batch script.

. 2016-03-31 04:29:23.683 --------------------------------------------------------------------------
. 2016-03-31 04:29:23.683 WinSCP Version 5.8.1 beta (Build 6144) (OS 6.1.7601 Service Pack 1 - Windows Server 2008 R2 Enterprise)
. 2016-03-31 04:29:23.683 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2016-03-31 04:29:23.683 Log level: Normal
. 2016-03-31 04:29:23.683 Local account: CONSECO\plat
. 2016-03-31 04:29:23.683 Working directory: U:\
. 2016-03-31 04:29:23.683 Process ID: 4508
. 2016-03-31 04:29:23.683 Command-line: "C:\Program Files\WinSCP\WinSCP.exe" /console=581 /consoleinstance=_4408_330 "/script=D:\FTP\LPDTR030_WELLSFARGO_sftp_script.txt" "/log=D:\Autosys\LOGS\LPDTR030.JS000010_SFtp_log.txt"
. 2016-03-31 04:29:23.683 Time zone: Current: GMT-4, Standard: GMT-5 (Eastern Standard Time), DST: GMT-4 (Eastern Daylight Time), DST Start: 03/13/2016, DST End: 11/06/2016
. 2016-03-31 04:29:23.683 Login time: Thursday, March 31, 2016 4:29:23 AM
. 2016-03-31 04:29:23.683 --------------------------------------------------------------------------
. 2016-03-31 04:29:23.683 Script: Retrospectively logging previous script records:
> 2016-03-31 04:29:23.683 Script: option echo off
< 2016-03-31 04:29:23.683 Script: echo off
> 2016-03-31 04:29:23.683 Script: option batch on
< 2016-03-31 04:29:23.683 Script: batch on
< 2016-03-31 04:29:23.683 Script: reconnecttime 120
> 2016-03-31 04:29:23.683 Script: option confirm off
< 2016-03-31 04:29:23.683 Script: confirm off
> 2016-03-31 04:29:23.683 Script: open ftps://xxxxxx:***@XXXXXXXXXXX/ -clientcert="C:\Program Files\cogacnt.pem"
. 2016-03-31 04:29:23.683 --------------------------------------------------------------------------
. 2016-03-31 04:29:23.683 Session name: xxxxxxx@XXXXXXXXXXX (Ad-Hoc site)
. 2016-03-31 04:29:23.683 Host name: XXXXXXXXXXX (Port: 990)
. 2016-03-31 04:29:23.683 User name: xxxxxxx (Password: Yes, Key file: No)
. 2016-03-31 04:29:23.683 Transfer Protocol: FTP
. 2016-03-31 04:29:23.683 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2016-03-31 04:29:23.683 Disable Nagle: No
. 2016-03-31 04:29:23.683 Proxy: None
. 2016-03-31 04:29:23.683 Send buffer: 262144
. 2016-03-31 04:29:23.683 UTF: Auto
. 2016-03-31 04:29:23.683 FTP: FTPS: Implicit TLS/SSL [Client certificate: Yes]; Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]
. 2016-03-31 04:29:23.683 Session reuse: Yes
. 2016-03-31 04:29:23.683 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2016-03-31 04:29:23.683 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-03-31 04:29:23.683 Cache directory changes: Yes, Permanent: Yes
. 2016-03-31 04:29:23.683 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2016-03-31 04:29:23.683 Timezone offset: 0h 0m
. 2016-03-31 04:29:23.683 --------------------------------------------------------------------------
. 2016-03-31 04:29:23.699 Certificate is encrypted, need passphrase
. 2016-03-31 04:29:33.839 Certificate is encrypted, need passphrase
. 2016-03-31 04:29:42.419 Connecting to XXXXXXXXXXX:990 ...
. 2016-03-31 04:29:57.161 Timeout detected. (control connection)
. 2016-03-31 04:29:57.161 Connection failed


GUI log:-

. 2016-03-31 04:21:13.222 WinSCP Version 5.8.1 beta (Build 6144) (OS 6.1.7601 Service Pack 1 - Windows Server 2008 R2 Enterprise)
. 2016-03-31 04:21:13.222 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2016-03-31 04:21:13.222 Log level: Normal
. 2016-03-31 04:21:13.222 Local account: CONSECO\plat
. 2016-03-31 04:21:13.222 Working directory: C:\Program Files\WinSCP
. 2016-03-31 04:21:13.222 Process ID: 2892
. 2016-03-31 04:21:13.222 Command-line: "C:\Program Files\WinSCP\WinSCP.exe"
. 2016-03-31 04:21:13.222 Time zone: Current: GMT-4, Standard: GMT-5 (Eastern Standard Time), DST: GMT-4 (Eastern Daylight Time), DST Start: 03/13/2016, DST End: 11/06/2016
. 2016-03-31 04:21:13.222 Login time: Thursday, March 31, 2016 4:21:13 AM
. 2016-03-31 04:21:13.222 --------------------------------------------------------------------------
. 2016-03-31 04:21:13.222 Session name: XXXXXXXXXXX@XXXXXX.com (Site)
. 2016-03-31 04:21:13.222 Host name: XXXXXX.com (Port: 21)
. 2016-03-31 04:21:13.222 User name: XXXXXXXXXXX (Password: No, Key file: No)
. 2016-03-31 04:21:13.222 Transfer Protocol: FTP
. 2016-03-31 04:21:13.222 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2016-03-31 04:21:13.222 Disable Nagle: No
. 2016-03-31 04:21:13.222 Proxy: None
. 2016-03-31 04:21:13.222 Send buffer: 262144
. 2016-03-31 04:21:13.222 UTF: Auto
. 2016-03-31 04:21:13.222 FTP: FTPS: Explicit TLS/SSL [Client certificate: Yes]; Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]
. 2016-03-31 04:21:13.222 Session reuse: No
. 2016-03-31 04:21:13.222 TLS/SSL versions: SSLv3-TLSv1.2
. 2016-03-31 04:21:13.222 Local directory: C:\Users\plat\Documents, Remote directory: /, Update: Yes, Cache: Yes
. 2016-03-31 04:21:13.222 Cache directory changes: Yes, Permanent: Yes
. 2016-03-31 04:21:13.222 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2016-03-31 04:21:13.222 Timezone offset: 0h 0m
. 2016-03-31 04:21:13.222 --------------------------------------------------------------------------
. 2016-03-31 04:21:13.238 Certificate is encrypted, need passphrase
. 2016-03-31 04:22:20.865 Connecting to XXXXXX.com ...
. 2016-03-31 04:22:20.865 Connected with XXXXXX.com, negotiating TLS connection...
< 2016-03-31 04:22:20.865 220 Welcome to Axway Gateway FTP server
> 2016-03-31 04:22:20.865 AUTH TLS
< 2016-03-31 04:22:20.865 234 Security data exchange complete.
. 2016-03-31 04:22:20.928 Server asks for authentication with a client certificate.
. 2016-03-31 04:22:21.177 Verifying certificate for "Wells Fargo" with fingerprint XXXXXXXXXXX and 19 failures
. 2016-03-31 04:22:21.255 Certificate common name "XXXXXX.com" matches hostname
. 2016-03-31 04:22:21.255 Certificate for "Wells Fargo" matches cached fingerprint and failures
. 2016-03-31 04:22:21.271 Using TLSv1.2, cipher TLSv1/SSLv3: AES256-SHA, 2048 bit RSA
. 2016-03-31 04:22:21.302 TLS connection established. Waiting for welcome message...
> 2016-03-31 04:22:21.302 USER XXXXXXXXXXX
< 2016-03-31 04:22:21.318 331 User name okay, need password.
. 2016-03-31 04:22:21.318 Server asked for password, but we are using certificate, and no password was specified upfront, using fake password
> 2016-03-31 04:22:21.318 PASS *********
< 2016-03-31 04:22:21.411 530 Not logged in.
. 2016-03-31 04:22:21.411 Connection failed.
. 2016-03-31 04:22:21.427 Password prompt (last login attempt failed)
. 2016-03-31 04:22:31.520 Certificate is encrypted, need passphrase
. 2016-03-31 04:22:41.988 Connecting to XXXXXX.com ...
. 2016-03-31 04:22:41.988 Connected with XXXXXX.com, negotiating TLS connection...
< 2016-03-31 04:22:42.004 220 Welcome to Axway Gateway FTP server
> 2016-03-31 04:22:42.004 AUTH TLS
< 2016-03-31 04:22:42.051 234 Security data exchange complete.
. 2016-03-31 04:22:42.269 Server asks for authentication with a client certificate.
. 2016-03-31 04:22:42.487 Verifying certificate for "Wells Fargo" with fingerprint XXXXXXXXXXX and 19 failures
. 2016-03-31 04:22:42.503 Certificate common name "XXXXXX.com" matches hostname
. 2016-03-31 04:22:42.503 Certificate for "Wells Fargo" matches cached fingerprint and failures
. 2016-03-31 04:22:42.503 Using TLSv1.2, cipher TLSv1/SSLv3: AES256-SHA, 2048 bit RSA
. 2016-03-31 04:22:42.550 TLS connection established. Waiting for welcome message...
> 2016-03-31 04:22:42.550 USER XXXXXXXXXXX
< 2016-03-31 04:22:42.550 331 User name okay, need password.
> 2016-03-31 04:22:42.550 PASS ************
< 2016-03-31 04:22:42.643 230 User logged in, proceed
> 2016-03-31 04:22:42.643 SYST
< 2016-03-31 04:22:42.675 215 UNIX XFB/Gateway
> 2016-03-31 04:22:42.675 FEAT
< 2016-03-31 04:22:42.721 211-Extensions supported
< 2016-03-31 04:22:42.721 SIZE
< 2016-03-31 04:22:42.721 MDTM
< 2016-03-31 04:22:42.721 AUTH TLS
< 2016-03-31 04:22:42.721 PBSZ
< 2016-03-31 04:22:42.721 PROT
< 2016-03-31 04:22:42.721 End of feat command response
< 2016-03-31 04:22:42.721 211 End of reply
> 2016-03-31 04:22:42.721 PBSZ 0
< 2016-03-31 04:22:42.753 200 Command okay.
> 2016-03-31 04:22:42.753 PROT P
< 2016-03-31 04:22:42.799 200 Command okay.
. 2016-03-31 04:22:42.799 Connected
martin
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
Use the -passphrase switch.
See the very same page: https://winscp.net/eng/docs/scriptcommand_open#passphrase

It's connecting to port 990 because you changed ftp://.../ -explicittls to ftps://.... Change it back.
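
An added example, not part of any post in this thread and not WinSCP code: a small Python triage script that reads a WinSCP session log and flags the three misconfigurations diagnosed above (client certificate not loaded, passphrase prompt in batch mode, implicit TLS on port 990). The function name, the finding labels and the sample log lines are constructed for illustration.

```python
import re

# A WinSCP session-log line: direction marker, timestamp, message.
LINE = re.compile(r"^[.<>!*] \d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} (.*)$")

def diagnose(log_text):
    """Map a session log to the three misconfigurations seen in this thread."""
    text = "\n".join(m.group(1) for m in map(LINE.match, log_text.splitlines()) if m)
    cert = re.search(r"\[Client certificate: (Yes|No)\]", text)
    port = re.search(r"Host name: \S+ \(Port: (\d+)\)", text)
    found = {}
    if (cert and cert.group(1) == "No"
            and "Server asks for authentication with a client certificate" in text):
        found["client-cert-missing"] = "no certificate loaded; use -clientcert"
    if "Script: batch on" in text and "Certificate is encrypted, need passphrase" in text:
        found["passphrase-prompt"] = "key prompts in batch mode; use -passphrase"
    if ("FTPS: Implicit TLS/SSL" in text and port and port.group(1) == "990"
            and "Timeout detected" in text):
        found["implicit-port-990"] = "ftps:// selects implicit TLS; use ftp:// -explicittls"
    return found

# Constructed samples modelled on the logs in this thread (host is a placeholder).
TS = "2016-03-31 04:29:23.683"
FIRST_RUN = "\n".join([
    f"< {TS} Script: batch on",
    f". {TS} Host name: ftp.example.com (Port: 21)",
    f". {TS} FTP: FTPS: Explicit TLS/SSL [Client certificate: No]; Passive: Yes",
    f". {TS} Server asks for authentication with a client certificate.",
    f". {TS} SSL3 alert read: fatal: bad certificate",
])
SECOND_RUN = "\n".join([
    f"< {TS} Script: batch on",
    f". {TS} Host name: ftp.example.com (Port: 990)",
    f". {TS} FTP: FTPS: Implicit TLS/SSL [Client certificate: Yes]; Passive: Yes",
    f". {TS} Certificate is encrypted, need passphrase",
    f". {TS} Connecting to ftp.example.com:990 ...",
    f". {TS} Timeout detected. (control connection)",
])

if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        for code, advice in diagnose(log).items():
            print(f"{name}: {code}: {advice}")
```

The passphrase finding is only raised when the log shows batch mode, since the same prompt in the GUI can be answered interactively.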