431 Failed to setup secure session.

Hello, I just changed SSL certificate from SAN certificate to WILDCARD certificate, but now I cannot connect to any of FTPS instances. I'm getting following events in log file.

Can you connect with any other FTP client? Can you post a more verbose log file?

Hello Martin,
I found that new WILDCARD certificate which I got from customer is using sha384RSA algorithm. I didn't found much relevant informations about algorithms supported by IIS at W2K16 Server, but I think that this can be problem. I compared old SAN certificate, old WILDCARD certificate and new WILDCARD certificate and found only this one significant difference.

Martin, do you think that encrypt algorithm can be source of the problem? I think, that there is nothing wrong with WinSCP.

akapl wrote:

Martin, do you think that encrypt algorithm can be source of the problem? I think, that there is nothing wrong with WinSCP.

Can be, but I do not know.
What does the log show? I see some successful and some failed connections.
Did you try any other FTPS client?

I tried internal FTP client of Multi Commander with same result.

Successful connections was made with previous SAN Let's Encrypt certificate. Old WILDCARD certificate with sha256RSA works too..

akapl wrote:

Hello, I just changed SSL certificate from SAN certificate to WILDCARD certificate, but now I cannot connect to any of FTPS instances. I'm getting following events in log file.

< 2020-11-30 01:06:33.825 431 Failed to setup secure session.

I had the same problem, and managed to resolve. Posting here for anyone else who encounters this issue.
The root cause is that when changing the cert for your FTPS site it needs to be done in two different places. This happens ANY time you change the cert, even if its just a cert renewal -- it's not just for changing to wildcard certs.

The natural place to update the cert in IIS Manager is by selecting your FTP site on the Connections list on the left, then double clicking FTP SSL Settings. Do this first, change to your new cert, and apply.

Then go up near the top of the Connections and choose your server. Within your server's settings is ANOTHER "FTP SSL Settings" icon. Double click it, and repeat the steps. Make sure the site settings and server settings are the same, then re-try the connection from your client and it will work.

@codepoet80: Thank you very much! It works ^^
I was blocked with this since a week.

@codepoet80: This worked for me also.