{"id":2217,"date":"2019-03-12T15:49:49","date_gmt":"2019-03-12T19:49:49","guid":{"rendered":"https:\/\/blog.jonesling.us\/?p=2217"},"modified":"2019-03-13T21:21:16","modified_gmt":"2019-03-14T01:21:16","slug":"failed-to-retrieve-directory-listing","status":"publish","type":"post","link":"https:\/\/blog.jonesling.us\/?p=2217","title":{"rendered":"Failed to retrieve directory listing"},"content":{"rendered":"<figure id=\"attachment_2216\" aria-describedby=\"caption-attachment-2216\" style=\"width: 604px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2216\" src=\"https:\/\/blog.jonesling.us\/wp-content\/uploads\/2019\/03\/filezilla-error.png\" alt=\"filezilla connection log with &quot;failed to retrieve directory listing&quot; error\" width=\"604\" height=\"193\" \/><figcaption id=\"caption-attachment-2216\" class=\"wp-caption-text\">Filezilla&#8217;s opaque error<\/figcaption><\/figure>\n<p>I occasionally run a local vsftp daemon on my development machine for testing.\u00a0 I don&#8217;t connect to it directly &#8212; it&#8217;s used to back up unit tests that need an FTP connection.\u00a0 No person connects to it, least of all me, and the scripts that do connect are looking at small, single-use directories.<\/p>\n<p>I needed to test a new feature: <a href=\"https:\/\/en.wikipedia.org\/wiki\/FTPS\">FTPS<\/a>, aka FTP with SSL (Not to be confused with <a href=\"https:\/\/en.wikipedia.org\/wiki\/SSH_File_Transfer_Protocol\">SFTP<\/a>, a very different beast.)\u00a0 Several of our vendors will be requiring it soon; frankly, I&#8217;m surprised they haven&#8217;t required it sooner.\u00a0 But I digress.<\/p>\n<p>To start this phase of the project I needed to make sure that my local vsftp daemon supports FTPS so that I can run tests against it.\u00a0 So I edit <code>\/etc\/vsftpd\/vsftpd.conf<\/code> to add some lines to my config, and 
restart:<\/p>\n<pre>rsa_cert_file=\/etc\/ssl\/private\/vsftpd.pem\nrsa_private_key_file=\/etc\/ssl\/private\/vsftpd.pem\nssl_enable=YES<\/pre>\n<p>But <a href=\"https:\/\/filezilla-project.org\/\">Filezilla<\/a> bombs with an opaque error message:<\/p>\n<pre>Status: Resolving address of localhost\nStatus: Connecting to 127.0.0.1:21...\nStatus: Connection established, waiting for welcome message...\nStatus: Initializing TLS...\nStatus: Verifying certificate...\nStatus: TLS connection established.\nStatus: Logged in\nStatus: Retrieving directory listing...\nCommand: PWD\nResponse: 257 \"\/home\/dad\" is the current directory\nCommand: TYPE I\nResponse: 200 Switching to Binary mode.\nCommand: PASV\nResponse: 227 Entering Passive Mode (127,0,0,1,249,239).\nCommand: LIST\nResponse: 150 Here comes the directory listing.\nError: GnuTLS error -15: An unexpected TLS packet was received.\nError: Disconnected from server: ECONNABORTED - Connection aborted\nError: Failed to retrieve directory listing<\/pre>\n<p>I clue in pretty quickly that &#8220;GnuTLS error -15: An unexpected TLS packet was received&#8221; is actually a red herring, so I drop the SSL from the connection and get a different error:<\/p>\n<pre>Response: 150 Here comes the directory listing.\nError: Connection closed by server\nError: Failed to retrieve directory listing<\/pre>\n<p>Huh, that&#8217;s not particularly helpful, shame on you Filezilla.\u00a0 I drop down further to a command-line FTP client to get the <em>real<\/em> error:<\/p>\n<pre>$ ftp localhost\nConnected to localhost.\n220 (vsFTPd 3.0.3)\nName (localhost:dad): \n530 Please login with USER and PASS.\n530 Please login with USER and PASS.\nSSL not available\n331 Please specify the password.\nPassword:\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls\n200 PORT command successful. 
Consider using PASV.\n150 Here comes the directory listing.\n421 Service not available, remote server has closed connection\nftp&gt; quit<\/pre>\n<p>Ah.\u00a0 Now we&#8217;re getting somewhere.<\/p>\n<p>A quick perusal turned up a <a href=\"https:\/\/unix.stackexchange.com\/questions\/333276\/vsftpd-closes-conntion-with-code-421-when-listing-directory-content\/441307#441307\">stackexchange<\/a> answer with the assertion that &#8220;the directory causing this behaviour had too many files in it (2,666).&#8221;\u00a0 My own directory is much smaller, about a hundred files.\u00a0 According to <a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=845980\">this bug report<\/a>, however, the real maximum may be as few as 32 files.\u00a0 It&#8217;s not clear to me whether this is a kernel bug, a vsftpd bug, or just a bad interaction between recent kernels and vsftpd.<\/p>\n<p>Happily, there is a work-around: add &#8220;<code>seccomp_sandbox=NO<\/code>&#8221; to vsftpd.conf, which turns off vsftpd&#8217;s seccomp system-call filter.<\/p>\n<p>Since vsftpd&#8217;s documentation is spare, and actual examples are hard to come by, here&#8217;s my working config:<\/p>\n<pre>listen=YES\nlocal_enable=YES\nwrite_enable=YES\nchroot_local_user=YES\nallow_writeable_chroot=YES\nseccomp_sandbox=NO\nssl_enable=YES\nrsa_cert_file=\/etc\/ssl\/private\/vsftpd.pem\nrsa_private_key_file=\/etc\/ssl\/private\/vsftpd.pem<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I occasionally run a local vsftp daemon on my development machine for testing.\u00a0 I don&#8217;t connect to it directly &#8212; it&#8217;s used to back up unit tests that need an FTP connection.\u00a0 No person connects to it, least of all me, and the scripts that do connect are looking at small, single-use directories. 
I needed &hellip; <a href=\"https:\/\/blog.jonesling.us\/?p=2217\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Failed to retrieve directory listing&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","wprm-recipe-roundup-name":"","wprm-recipe-roundup-description":"","advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9],"tags":[491,151,488,487,490,83,489,486],"class_list":["post-2217","post","type-post","status-publish","format-standard","hentry","category-linux","tag-bug","tag-dad-needs-to-stop-bringing-work-home","tag-filezilla","tag-ftp","tag-ftps","tag-linux","tag-ssl","tag-vsftp"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4o3FW-zL","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2217"}],"version-history":[{"count":10,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2217\/revisions"}],"predecessor-version":[{"id":2227,"href":"https:\/\/blog.joneslin
g.us\/index.php?rest_route=\/wp\/v2\/posts\/2217\/revisions\/2227"}],"wp:attachment":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}