I'm using the WinSCP command line utility (fired off from SSIS) with a script file that looks like this:
option confirm off
open ftps://user:[email protected]:3221/root -certificate=*
put \\path\to\file\Stores.zip
put \\path\to\file\Products.zip
put \\path\to\file\Inventory.zip
exit
When I run this it does not complete - if I check the logs I see this:
. 2018-05-11 10:27:16.413 Connecting to ftp.host.com:3221 ...
. 2018-05-11 10:27:16.546 Connected with ftp.host.com:3221, negotiating SSL connection...
. 2018-05-11 10:27:17.044 Asking user:
. 2018-05-11 10:27:17.045 The server's certificate is not known. You have no guarantee that the server is the computer you think it is. Server's certificate details follow:
. 2018-05-11 10:27:17.045
. 2018-05-11 10:27:17.046 Issuer:
. 2018-05-11 10:27:17.047 - Organization: Host, Inc., *.host.com
. 2018-05-11 10:27:17.048 - Location: US, State, City
. 2018-05-11 10:27:17.048
. 2018-05-11 10:27:17.053 Subject:
. 2018-05-11 10:27:17.058 - Organization: CertOrg
. 2018-05-11 10:27:17.060 - Location: US
. 2018-05-11 10:27:17.066
. 2018-05-11 10:27:17.068 Valid: 7/14/2017 12:00:00 AM - 8/29/2018 12:00:00 PM
. 2018-05-11 10:27:17.074
. 2018-05-11 10:27:17.075 Fingerprint (SHA1): ##################
. 2018-05-11 10:27:17.075
. 2018-05-11 10:27:17.076 Summary: Unable to get local issuer certificate. The error occured at a depth of 1 in the certificate chain.
. 2018-05-11 10:27:17.076
. 2018-05-11 10:27:17.077 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2018-05-11 10:27:17.080
. 2018-05-11 10:27:17.081 Continue connecting and store the certificate? ()
The -certificate=* should push the acceptance through automatically, from what I've gathered on the documentation. Anything I'm missing here? I've also tried hostkey=* which produces the same result, and using both hostkey & certificate flags causes an error.
Any help is greatly appreciated.
It is difficult to answer this without seeing a complete session log file.
But my guess is that you use some old version of WinSCP that does not support the * in -certificate (older than 5.2) or does not support the -certificate switch at all (older than 4.2.2).
With the latest version of WinSCP, your script should work ok.
Needless to say that by using *, you are losing a protection against MITM attacks!
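Following up on the MITM caveat in the answer, here is a small Python check, added as an example and not part of the original question or answer, that flags open commands in WinSCP scripts using -certificate=* or -hostkey=* and verifies that a pinned -certificate value has the shape of a fingerprint. The function name audit_winscp_script, the host names and the fingerprint are constructed; accepting a 32-byte SHA-256 fingerprint alongside the 20-byte SHA-1 form shown in the log is an assumption.

```python
import re

# -certificate / -hostkey switch with a bare or double-quoted value.
SWITCH = re.compile(r'(?<!\S)-(certificate|hostkey)=("[^"]*"|\S+)', re.IGNORECASE)
# Colon-separated hex byte pairs, e.g. the "Fingerprint (SHA1)" form in the log.
HEX_FP = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2})+", re.IGNORECASE)
# 20 bytes = SHA-1; 32 bytes = SHA-256 (assumed to be accepted as well).
VALID_LENGTHS = (20, 32)


def audit_winscp_script(text):
    """Return (line_no, severity, message) for risky switches on open commands."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.lower().startswith("open "):
            continue
        for m in SWITCH.finditer(line):
            name, value = m.group(1).lower(), m.group(2).strip('"')
            if value == "*":
                findings.append((line_no, "high",
                                 f"-{name}=* accepts any server identity"))
            elif name == "certificate":
                n_bytes = len(value.split(":"))
                if not HEX_FP.fullmatch(value) or n_bytes not in VALID_LENGTHS:
                    findings.append((line_no, "medium",
                                     "-certificate value is not a fingerprint"))
    return findings


# Constructed sample: placeholder host, credentials and fingerprint.
PINNED = ":".join(f"{i:02x}" for i in range(20))
SAMPLE = f"""option confirm off
open ftps://user:password@ftp.example.com:3221/root -certificate=*
open ftps://user:password@ftp.example.com:3221/root -certificate="{PINNED}"
open sftp://user@ftp.example.com -hostkey=*
open ftps://user:password@ftp.example.com/ -certificate="aa:bb:cc"
"""

if __name__ == "__main__":
    for line_no, severity, message in audit_winscp_script(SAMPLE):
        print(f"line {line_no}: [{severity}] {message}")
```

The pinned line in the sample produces no finding; in a real script the value would be the fingerprint of the server's certificate, verified through a trusted channel.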