diff --git a/getssl b/getssl
index 04384aa..58bb1a7 100755
--- a/getssl
+++ b/getssl
@@ -1063,6 +1063,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
       # shellcheck disable=SC2086
       curl ${_NOMETER} -u "${davsuser}:${davspass}" -T "${fromdir}/${fromfile}" "https://${davshost}:${davsport}${davsdirn}${davsfile}"
     elif [[ "${to:0:6}" == "ftpes:" ]] || [[ "${to:0:5}" == "ftps:" ]] ; then
+      # FTPES (FTP over explicit TLS/SSL, port 21) and FTPS (FTP over implicit TLS/SSL, port 990).
       debug "using ftp to copy the file from $from"
       ftpuser=$(echo "$to"| awk -F: '{print $2}')
       ftppass=$(echo "$to"| awk -F: '{print $3}')
@@ -1076,10 +1077,14 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
       debug "from dir=$fromdir  file=$fromfile"
       if [[ "${to:0:5}" == "ftps:" ]] ; then
         # shellcheck disable=SC2086
-        curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}:990/"
+        debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps://${ftphost}:990/${ftpdirn}/"
+        # shellcheck disable=SC2086
+        curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps://${ftphost}:990/${ftpdirn}/"
       else
         # shellcheck disable=SC2086
-        curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}/"
+        debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}/${ftpdirn}/"
+        # shellcheck disable=SC2086
+        curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}/${ftpdirn}/"
       fi
     else
       if ! mkdir -p "$(dirname "$to")" ; then
diff --git a/test/34-ftp-passive.bats b/test/34-ftp-passive.bats
index cdc20d6..747c0a3 100644
--- a/test/34-ftp-passive.bats
+++ b/test/34-ftp-passive.bats
@@ -10,7 +10,11 @@ setup() {
     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
     if [ -n "${VSFTPD_CONF}" ]; then
-        cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+        if [ ! -f "${VSFTPD_CONF}.getssl" ]; then
+            cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+        else
+            cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+        fi
 
         # enable passive and disable active mode
         # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
@@ -18,10 +22,7 @@ setup() {
 pasv_enable=YES
 pasv_max_port=10100
 pasv_min_port=10090
-connect_from_port_20=NO
 _FTP
-
-        ${CODE_DIR}/test/restart-ftpd start
     fi
 }
 
@@ -44,6 +45,8 @@ teardown() {
         mkdir -p /var/www/html/.well-known/acme-challenge
     fi
 
+    ${CODE_DIR}/test/restart-ftpd start
+
     NEW_FTP="false"
     if [[ "$(ftp -? 2>&1 | head -1 | cut -c-6)" == "usage:" ]]; then
         NEW_FTP="true"
@@ -57,8 +60,11 @@ teardown() {
     setup_environment
     init_getssl
 
+    # The DOMAIN_PEM_LOCATION creates a *signed* certificate for the ftps/ftpes tests
     cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
 ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+DOMAIN_PEM_LOCATION=/etc/vsftpd.pem
+CA_CERT_LOCATION=/etc/cacert.pem
 EOF
     if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then
         if [[ "$NEW_FTP" == "true" ]]; then
@@ -98,6 +104,8 @@ EOF4
         mkdir -p /var/www/html/.well-known/acme-challenge
     fi
 
+    ${CODE_DIR}/test/restart-ftpd start
+
     NEW_FTP="false"
     if [[ "$(ftp -? 2>&1 | head -1 | cut -c-6)" == "usage:" ]]; then
         NEW_FTP="true"
@@ -144,3 +152,128 @@ EOF3
     fi
     check_output_for_errors
 }
+
+
+@test "Use ftpes (explicit ssl, port 21) to create challenge file" {
+    if [[ ! -f /etc/vsftpd.pem ]]; then
+        echo "FAILED: This test requires the previous test to succeed"
+        exit 1
+    fi
+
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
+        mkdir -p /var/www/html/.well-known/acme-challenge
+    fi
+
+    # Restart vsftpd with ssl enabled
+    cat <<- _FTP >> $VSFTPD_CONF
+connect_from_port_20=NO
+ssl_enable=YES
+allow_anon_ssl=NO
+force_local_data_ssl=NO
+force_local_logins_ssl=NO
+ssl_tlsv1=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+require_ssl_reuse=NO
+ssl_ciphers=HIGH
+rsa_cert_file=/etc/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd.pem
+_FTP
+    ${CODE_DIR}/test/restart-ftpd start
+
+    # Always change ownership and permissions in case previous tests created the directories as root
+    chgrp -R www-data /var/www/html/.well-known
+    chmod -R g+w /var/www/html/.well-known
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+
+    # Verbose output is needed so the test assertion passes
+    # On Ubuntu 14 and 18 curl errors with "unable to get issuer certificate" so disable cert check using "-k"
+    if [[ "$GETSSL_OS" == "ubuntu14" || "$GETSSL_OS" == "ubuntu18" ]]; then
+        cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    ACL="ftpes:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+    FTPS_OPTIONS="--cacert /etc/cacert.pem -v -k"
+EOF
+    else
+        cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftpes:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v"
+EOF
+    fi
+
+    create_certificate
+    assert_success
+    # assert_line --partial "SSL connection using TLSv1.3"
+    assert_line --partial "200 PROT now Private"
+
+    check_output_for_errors
+}
+
+
+@test "Use ftps (implicit ssl, port 990) to create challenge file" {
+    if [[ ! -f /etc/vsftpd.pem ]]; then
+        echo "FAILED: This test requires the previous test to succeed"
+        exit 1
+    fi
+
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    # Restart vsftpd listening on port 990
+    cat <<- _FTP >> $VSFTPD_CONF
+implicit_ssl=YES
+listen_port=990
+connect_from_port_20=NO
+ssl_enable=YES
+allow_anon_ssl=NO
+force_local_data_ssl=NO
+force_local_logins_ssl=NO
+ssl_tlsv1=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+require_ssl_reuse=NO
+ssl_ciphers=HIGH
+rsa_cert_file=/etc/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd.pem
+_FTP
+    ${CODE_DIR}/test/restart-ftpd start
+
+    if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
+        mkdir -p /var/www/html/.well-known/acme-challenge
+    fi
+
+    # Always change ownership and permissions in case previous tests created the directories as root
+    chgrp -R www-data /var/www/html/.well-known
+    chmod -R g+w /var/www/html/.well-known
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+
+    # Verbose output is needed so the test assertion passes
+    # On Ubuntu 14 and 18 curl errors with "unable to get issuer certificate" so disable cert check using "-k"
+    # as I don't have time to fix
+    if [[ "$GETSSL_OS" == "ubuntu14" || "$GETSSL_OS" == "ubuntu18" ]]; then
+        cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftps:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v -k"
+EOF
+    else
+        cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftps:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v"
+EOF
+    fi
+
+    create_certificate
+    assert_success
+    assert_line --partial "200 PROT now Private"
+    check_output_for_errors
+}
diff --git a/test/restart-ftpd b/test/restart-ftpd
index 768ff93..b7a5830 100755
--- a/test/restart-ftpd
+++ b/test/restart-ftpd
@@ -7,9 +7,14 @@ else
 fi
 
 if [ "$GETSSL_OS" = "alpine" ]; then
-    killall -HUP vsftpd
+    # Switch to supervisorctl as killall -HUP won't change the listen port
+    supervisorctl restart vsftpd:
 elif [[ "$GETSSL_OS" == "centos"[78] || "$GETSSL_OS" == "rockylinux"* ]]; then
-    pgrep vsftpd | head -1 | xargs kill -HUP
+    # Hard restart the service as using -HUP won't change the listening port
+    if pgrep vsftpd; then
+      pgrep vsftpd | head -1 | xargs kill
+      vsftpd 3>&- 4>&-
+    fi
 elif [[ "$GETSSL_OS" == "centos6" ]]; then
     service vsftpd "$arg" 3>&- 4>&-
 else
diff --git a/test/run-test.cmd b/test/run-test.cmd
index dccf1a0..22d3989 100644
--- a/test/run-test.cmd
+++ b/test/run-test.cmd
@@ -77,6 +77,8 @@ docker run -it ^
   --network-alias j.%OS%.getssl.test ^
   --network-alias k.%OS%.getssl.test ^
   --network-alias wild-%ALIAS% ^
+  --hostname getssl-%OS% ^
+  --dns 8.8.8.8 ^
   --name getssl-%OS% ^
   getssl-%OS% ^
   %COMMAND%
diff --git a/test/test-config/alpine-supervisord.conf b/test/test-config/alpine-supervisord.conf
index bbf671e..c0a7a5a 100644
--- a/test/test-config/alpine-supervisord.conf
+++ b/test/test-config/alpine-supervisord.conf
@@ -1,3 +1,12 @@
+[unix_http_server]
+file=/etc/supervisor.sock
+
+[supervisorctl]
+serverurl=unix:///etc/supervisor.sock
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
 [supervisord]
 nodaemon=false
 logfile=/tmp/supervisord.log