diff --git a/test/33-ftp.bats b/test/33-ftp.bats index 9c52bb2..9c0bb2f 100644 --- a/test/33-ftp.bats +++ b/test/33-ftp.bats @@ -8,6 +8,21 @@ load '/getssl/test/test_helper.bash' # This is run for every test setup() { export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl + + # enable passive and disable active mode + # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode + cat <<- _FTP >> $VSFTPD_CONF +pasv_enable=NO +_FTP + + ${CODE_DIR}/test/restart-ftpd +} + + +teardown() { + cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF + ${CODE_DIR}/test/restart-ftpd } @@ -16,23 +31,37 @@ setup() { skip "Using staging server, skipping internal test" fi - ${CODE_DIR}/test/restart-ftpd if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then mkdir -p /var/www/html/.well-known/acme-challenge - chgrp -R www-data /var/www/html/.well-known - chmod -R g+w /var/www/html/.well-known fi + # Always change ownership and permissions in case previous tests created the directories as root + chgrp -R www-data /var/www/html/.well-known + chmod -R g+w /var/www/html/.well-known + CONFIG_FILE="getssl-http01.cfg" setup_environment init_getssl cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge" -FTP_OPTIONS="chmod 644 \\\$fromfile" EOF + if [[ "$GETSSL_OS" = "alpine" ]]; then + cat <<- EOF2 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +FTP_OPTIONS="set ftp:passive-mode off" +EOF2 + elif [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then + cat <<- EOF3 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +FTP_OPTIONS="passive" +EOF3 + fi + create_certificate assert_success + assert_line --partial "ftp:ftpuser:ftpuser:" + if [[ "$GETSSL_OS" != "alpine" ]] && [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then + assert_line --partial "Passive mode off" + fi check_output_for_errors } 
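Review bot: The comment added in setup() says "enable passive and disable active mode", but the line appended to the vsftpd config is `pasv_enable=NO`, which turns passive mode off; it looks copied from the passive test and should read something like `# disable passive mode so the server only accepts active (PORT) transfers`. The `cp` and `cat >>` lines also expand `$VSFTPD_CONF` unquoted and unchecked, so on an image that does not export it the copy and the redirect get an empty target. A `: "${VSFTPD_CONF:?}"` at the top of setup() plus quoted expansions would make that fail loudly. The same applies to teardown() here and to setup()/teardown() in test/34-ftp-passive.bats.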
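Review bot: The new `assert_line --partial "ftp:ftpuser:ftpuser:"` requires the full ACL string, including the FTP password, to appear in getssl's output, so a later change that redacts credentials in logs would fail this test. Asserting on a part of the line that carries no secret, for example `assert_line --partial "${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"`, keeps the check without pinning password disclosure; whether the output contains exactly that substring is not visible here and should be confirmed. The same assertion is added in test/34-ftp-passive.bats. The @test body starts above this hunk.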
diff --git a/test/34-ftp-passive.bats b/test/34-ftp-passive.bats new file mode 100644 index 0000000..cb61dda --- /dev/null +++ b/test/34-ftp-passive.bats @@ -0,0 +1,67 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl + + # enable passive and disable active mode + # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode + cat <<- _FTP >> $VSFTPD_CONF +pasv_enable=YES +pasv_max_port=10100 +pasv_min_port=10090 +connect_from_port_20=NO +_FTP + + ${CODE_DIR}/test/restart-ftpd +} + + +teardown() { + cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF + ${CODE_DIR}/test/restart-ftpd +} + + +@test "Use Passive FTP to create challenge file" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + + if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then + mkdir -p /var/www/html/.well-known/acme-challenge + fi + + # Always change ownership and permissions in case previous tests created the directories as root + chgrp -R www-data /var/www/html/.well-known + chmod -R g+w /var/www/html/.well-known + + CONFIG_FILE="getssl-http01.cfg" + setup_environment + init_getssl + + cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge" +EOF + if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then + cat <<- EOF3 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +FTP_OPTIONS="passive" +EOF3 + fi + + create_certificate + assert_success + assert_line --partial "ftp:ftpuser:ftpuser:" + if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then + assert_line --partial "Passive mode on" + else + refute_line --partial "Passive mode off" + fi + check_output_for_errors +} 
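Review bot: The block appended to the vsftpd config in setup() is commented "enable passive and disable active mode", but none of the four settings turns active mode off: `connect_from_port_20=NO` only changes the source port of active data connections. With PORT still accepted, the else branch (`refute_line --partial "Passive mode off"`) cannot tell a passive transfer from an active one. Adding `port_enable=NO` to the heredoc would make the server reject active transfers, so the test fails if the client does not actually use passive mode.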
diff --git a/test/Dockerfile-alpine b/test/Dockerfile-alpine index b609938..924950b 100644 --- a/test/Dockerfile-alpine +++ b/test/Dockerfile-alpine @@ -2,7 +2,7 @@ FROM alpine:latest # Note this image uses busybox awk instead of gawk -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash lftp vsftpd openssh-server WORKDIR /root @@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-bash4-0 b/test/Dockerfile-bash4-0 index e75b74a..9b1f790 100644 --- a/test/Dockerfile-bash4-0 +++ b/test/Dockerfile-bash4-0 @@ -2,7 +2,7 @@ FROM bash:4.0 # https://hub.docker.com/_/bash -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server WORKDIR /root 
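Review bot: The "Setup ftp" block gives `ftpuser` a password equal to its name (`echo 'ftpuser:ftpuser' | chpasswd`) in an image that also installs `openssh-server`, so if sshd is ever started and the port published, that account becomes a remote login; whether sshd runs is not visible in this hunk. A comment such as `# test-only credentials; container must not be reachable outside the test network` would record the assumption. `RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf` also needs a comment saying why the sandbox is disabled on these images. `chown -R ftpuser.www-data` uses the deprecated dot separator; `chown -R ftpuser:www-data /var/www` is the portable form. The same block is repeated in Dockerfile-bash4-0, -bash4-2 and -bash5-0, and with small variations in the centos, debian and ubuntu Dockerfiles.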
@@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-bash4-2 b/test/Dockerfile-bash4-2 index 720884c..d9386f6 100644 --- a/test/Dockerfile-bash4-2 +++ b/test/Dockerfile-bash4-2 @@ -2,7 +2,7 @@ FROM bash:4.2 # https://hub.docker.com/_/bash -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server WORKDIR /root @@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-bash5-0 b/test/Dockerfile-bash5-0 index ba0295a..2d776eb 100644 --- a/test/Dockerfile-bash5-0 +++ b/test/Dockerfile-bash5-0 
@@ -2,7 +2,7 @@ FROM bash:5.0 # https://hub.docker.com/_/bash -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server WORKDIR /root @@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-centos6 b/test/Dockerfile-centos6 index 6874cb2..a8d59b0 100644 --- a/test/Dockerfile-centos6 +++ b/test/Dockerfile-centos6 
@@ -5,16 +5,29 @@ FROM centos:centos6 # [wsl2] # kernelCommandLine = vsyscall=emulate -# Centos 6 is EOL and is no longer available from the usual mirrors, so switch -# to https://vault.centos.org +# Centos 6 is EOL and is no longer available from the usual mirrors, so switch to https://vault.centos.org RUN sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf && \ sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo && \ sed -i 's;^#baseurl=http://mirror;baseurl=https://vault;g' /etc/yum.repos.d/*.repo # Update and install required software -#RUN yum -y update RUN yum -y install epel-release RUN yum -y install git curl dnsutils ldns wget nginx +RUN yum -y install ftp vsftpd +RUN yum -y install openssh-server + +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser www-data +RUN usermod -G www-data ftpuser +RUN usermod -G www-data root +RUN mkdir -p /var/www/.well-known/acme-challenge +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www WORKDIR /root RUN mkdir /etc/nginx/pki @@ -22,10 +35,12 @@ RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf # BATS (Bash Automated Testings) -RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 +RUN git clone https://github.com/bats-core/bats-core.git /bats-core # --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support RUN git clone https://github.com/bats-core/bats-assert /bats-assert RUN /bats-core/install.sh /usr/local +# Hack to disable BATS pretty formatter which stopped working on centos6 +ENV CI=yes EXPOSE 80 443 diff --git a/test/Dockerfile-centos7 b/test/Dockerfile-centos7 index e86f521..8bf8fa9 100644 --- a/test/Dockerfile-centos7 +++ b/test/Dockerfile-centos7 
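Review bot: `usermod -G www-data ftpuser` and `usermod -G www-data root` replace each account's supplementary group list instead of adding to it, because `-a` is missing; `RUN usermod -aG www-data ftpuser` and `RUN usermod -aG www-data root` keep existing memberships. `RUN adduser www-data` creates a regular login account with a home directory where the later `chown` only needs the name to exist; a system account (`adduser -r www-data`) would be closer to what the Debian-based images have. The block also creates /var/www/.well-known/acme-challenge while the FTP tests write under /var/www/html/.well-known, which looks unintended. The same lines appear in Dockerfile-centos7 and Dockerfile-centos8.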
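Review bot: Commenting out `--branch v1.2.1` makes the build clone whatever is on the default branch of bats-core and then run `/bats-core/install.sh` as root, so the image content depends on upstream at build time and the build is no longer reproducible. If v1.2.1 no longer works on centos6, pin to another tag or commit that does, e.g. `git clone https://github.com/bats-core/bats-core.git /bats-core --branch <known-good-tag>`, rather than dropping the pin. The comment on `ENV CI=yes` should say which bats behaviour the variable switches off, so the workaround can be removed once a working pin is found.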
@@ -4,6 +4,8 @@ FROM centos:centos7 RUN yum -y update RUN yum -y install epel-release RUN yum -y install git curl ldns bind-utils wget which nginx +RUN yum -y install ftp vsftpd +RUN yum -y install openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki @@ -11,6 +13,19 @@ RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser www-data +RUN usermod -G www-data ftpuser +RUN usermod -G www-data root +RUN mkdir -p /var/www/.well-known/acme-challenge +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-centos8 b/test/Dockerfile-centos8 index 4ccb817..64f4381 100644 --- a/test/Dockerfile-centos8 +++ b/test/Dockerfile-centos8 @@ -6,6 +6,8 @@ FROM centos:centos8 RUN yum -y update RUN yum -y install epel-release RUN yum -y install git curl bind-utils wget which nginx +RUN yum -y install ftp vsftpd +RUN yum -y install openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki 
@@ -13,6 +15,19 @@ RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser www-data +RUN usermod -G www-data ftpuser +RUN usermod -G www-data root +RUN mkdir -p /var/www/.well-known/acme-challenge +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-debian b/test/Dockerfile-debian index b39f915..fa74995 100644 --- a/test/Dockerfile-debian +++ b/test/Dockerfile-debian @@ -5,11 +5,24 @@ FROM debian:latest # Update and install required software RUN apt-get update --fix-missing RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light +RUN apt-get install -y ftp vsftpd +RUN apt-get install -y openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu index 4e80409..68813f8 100644 --- a/test/Dockerfile-ubuntu +++ b/test/Dockerfile-ubuntu 
@@ -12,7 +12,10 @@ RUN apt-get install -y vim dos2unix # for debugging RUN apt-get install -y ftp vsftpd RUN apt-get install -y openssh-server -RUN echo "write_enable=YES" >> /etc/vsftpd.conf +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf RUN adduser ftpuser RUN echo 'ftpuser:ftpuser' | chpasswd RUN adduser ftpuser www-data diff --git a/test/Dockerfile-ubuntu16 b/test/Dockerfile-ubuntu16 index 41be837..184db87 100644 --- a/test/Dockerfile-ubuntu16 +++ b/test/Dockerfile-ubuntu16 @@ -6,12 +6,27 @@ FROM ubuntu:xenial # Update and install required software RUN apt-get update --fix-missing RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light +RUN apt-get install -y ftp vsftpd +RUN apt-get install -y openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf +# The default init.d script seems to have an incorrect check that vsftpd has started +COPY test/test-config/vsftpd.initd /etc/init.d/vsftpd +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-ubuntu18 b/test/Dockerfile-ubuntu18 index 5e4c574..ed1fae3 100644 --- a/test/Dockerfile-ubuntu18 +++ b/test/Dockerfile-ubuntu18 
@@ -6,12 +6,27 @@ FROM ubuntu:bionic # Update and install required software RUN apt-get update --fix-missing RUN apt-get install -y git curl dnsutils ldnsutils wget gawk nginx-light +RUN apt-get install -y ftp vsftpd +RUN apt-get install -y openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf +# The default init.d script seems to have an incorrect check that vsftpd has started +COPY test/test-config/vsftpd.initd /etc/init.d/vsftpd +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # Prevent "Can't load /root/.rnd into RNG" error from openssl RUN touch /root/.rnd diff --git a/test/restart-ftpd b/test/restart-ftpd index 279c2ff..f87d9d8 100644 --- a/test/restart-ftpd +++ b/test/restart-ftpd @@ -2,10 +2,8 @@ if [ "$GETSSL_OS" = "alpine" ]; then killall -HUP vsftpd >&3- - sleep 5 elif [[ "$GETSSL_OS" == "centos"[78] ]]; then pgrep vsftpd | head -1 | xargs kill -HUP - sleep 5 else service vsftpd restart >/dev/null >&3- fi diff --git a/test/run-test.cmd b/test/run-test.cmd index 5908de7..61b360e 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd 
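Review bot: With both `sleep 5` lines removed from test/restart-ftpd, the alpine and centos branches return right after sending SIGHUP and nothing waits for vsftpd to accept connections again. setup() in the FTP tests calls this script just after rewriting the config, so a slow reload could let a test run against a server that is not yet listening with the new settings. A short bounded poll of the listener before returning would be more reliable than either the old fixed sleep or no wait at all. In the centos branch `pgrep vsftpd | head -1 | xargs kill -HUP` still runs `kill -HUP` with no PID when vsftpd is not running; `xargs -r kill -HUP` avoids that.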
@@ -1,51 +1,52 @@ @echo off IF %1.==. GOTO NoOS -set OS=%1 +SET OS=%1 :CheckCommand IF %2.==. GOTO NoCmd -set COMMAND=%2 %3 +SET COMMAND=%2 %3 :CheckAlias REM check if OS *contains* staging IF NOT x%OS:duck=%==x%OS% GOTO duckdns IF NOT x%OS:dynu=%==x%OS% GOTO dynu IF NOT x%OS:bash=%==x%OS% GOTO bash -set ALIAS=%OS%.getssl.test -set STAGING= -set GETSSL_OS=%OS% +SET ALIAS=%OS%.getssl.test +SET STAGING= +SET GETSSL_OS=%OS% GOTO Run :NoOS -set OS=ubuntu +SET OS=ubuntu GOTO CheckCommand :NoCmd -REM set COMMAND=/getssl/test/run-bats.sh -set COMMAND=bats /getssl/test --timing +REM SET COMMAND=/getssl/test/run-bats.sh +SET COMMAND=bats /getssl/test --timing GOTO CheckAlias :duckdns -set ALIAS=%OS:-duckdns=%-getssl.duckdns.org -set STAGING=--env STAGING=true --env dynamic_dns=duckdns -set GETSSL_OS=%OS:-duckdns=% +SET ALIAS=%OS:-duckdns=%-getssl.duckdns.org +SET STAGING=--env STAGING=true --env dynamic_dns=duckdns +SET GETSSL_OS=%OS:-duckdns=% GOTO Run :dynu -set ALIAS=%OS:-dynu=%-getssl.freeddns.org -set STAGING=--env STAGING=true --env dynamic_dns=dynu -set GETSSL_OS=%OS:-dynu=% +SET ALIAS=%OS:-dynu=%-getssl.freeddns.org +SET STAGING=--env STAGING=true --env dynamic_dns=dynu +SET GETSSL_OS=%OS:-dynu=% GOTO Run :bash -set ALIAS=%OS%.getssl.test -set STAGING= -set GETSSL_OS=alpine +SET ALIAS=%OS%.getssl.test +SET STAGING= +SET GETSSL_OS=alpine :Run -for %%I in (.) do set CurrDirName=%%~nxI +FOR %%I in (.) DO SET CurrDirName=%%~nxI docker build --pull --rm -f "test\Dockerfile-%OS%" -t getssl-%OS% . +IF %ErrorLevel% EQU 1 GOTO End @echo on docker run -it ^ --env GETSSL_HOST=%ALIAS% %STAGING% ^ @@ -69,3 +70,5 @@ docker run -it ^ --name getssl-%OS% ^ getssl-%OS% ^ %COMMAND% + +:End diff --git a/test/test-config/alpine-supervisord.conf b/test/test-config/alpine-supervisord.conf index 9759570..bbf671e 100644 --- a/test/test-config/alpine-supervisord.conf +++ b/test/test-config/alpine-supervisord.conf 
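Review bot: `IF %ErrorLevel% EQU 1 GOTO End` skips `docker run` only when `docker build` exits with exactly 1; any other non-zero status falls through and runs whatever image already carries the `getssl-%OS%` tag from an earlier build. `IF %ErrorLevel% NEQ 0 GOTO End` (or `IF ERRORLEVEL 1 GOTO End`) covers every failure code.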
@@ -12,3 +12,12 @@ stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 autorestart=false startretries=0 + +[program:vsftpd] +command=vsftpd +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +autorestart=false +startretries=0 diff --git a/test/test-config/vsftpd.conf b/test/test-config/vsftpd.conf new file mode 100644 index 0000000..59ca78a --- /dev/null +++ b/test/test-config/vsftpd.conf 
@@ -0,0 +1,66 @@
+# Example config file /etc/vsftpd.conf (alpine) /etc/vsftpd/vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# Run standalone? vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+listen=YES
+#
+# This directive enables listening on IPv6 sockets. By default, listening
+# on the IPv6 "any" address (::) will accept connections from both IPv6
+# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
+# sockets. If you want that (perhaps because you want to listen on specific
+# addresses) then you must run two copies of vsftpd with two configuration
+# files.
+#listen_ipv6=NO
+#
+# Allow anonymous FTP? (Disabled by default).
+anonymous_enable=NO
+#
+# Uncomment this to allow local users to log in.
+local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+local_umask=022
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+#
+# If enabled, vsftpd will display directory listings with the time
+# in your local time zone. The default is to display GMT. The
+# times returned by the MDTM FTP command are also affected by this
+# option.
+use_localtime=YES
+#
+# Activate logging of uploads/downloads.
+xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+#
+# You may change the default value for timing out an idle session.
+#idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#data_connection_timeout=120
+#
+# You may restrict local users to their home directories.
See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+chroot_local_user=NO
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+ssl_enable=NO
diff --git a/test/test-config/vsftpd.initd b/test/test-config/vsftpd.initd
new file mode 100644
index 0000000..d5b2b00
--- /dev/null
+++ b/test/test-config/vsftpd.initd
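Review bot: The header of test/test-config/vsftpd.conf still reads "Example config file", but this file is copied into every test image with `write_enable=YES`, `chroot_local_user=NO` and `ssl_enable=NO`, i.e. cleartext FTP with write access for any local account that can log in. A first line such as `# TEST ONLY: cleartext FTP, no chroot; used by the getssl test containers` would keep it from being taken for a deployable example. `rsa_cert_file` and `rsa_private_key_file` point at Debian snakeoil paths; that has no effect while `ssl_enable=NO`, but those files presumably do not exist on the CentOS and Alpine images, which is worth a comment next to the two lines.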
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: vsftpd
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $network $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Very secure FTP server
+# Description: Provides a lightweight, efficient FTP server written
+# for security.
+### END INIT INFO
+
+set -e
+
+DAEMON="/usr/sbin/vsftpd"
+NAME="vsftpd"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin"
+LOGFILE="/var/log/vsftpd.log"
+CHROOT="/var/run/vsftpd/empty"
+
+test -x "${DAEMON}" || exit 0
+
+. /lib/lsb/init-functions
+
+if [ ! -e "${LOGFILE}" ]
+then
+ touch "${LOGFILE}"
+ chmod 640 "${LOGFILE}"
+ chown root:adm "${LOGFILE}"
+fi
+
+if [ ! -d "${CHROOT}" ]
+then
+ mkdir -p "${CHROOT}"
+fi
+
+case "${1}" in
+ start)
+ log_daemon_msg "Starting FTP server" "${NAME}"
+
+ if [ -e /etc/vsftpd.conf ] && ! egrep -iq "^ *listen(_ipv6)? *= *yes" /etc/vsftpd.conf
+ then
+ log_warning_msg "vsftpd disabled - listen disabled in config."
+ exit 0
+ fi
+
+ start-stop-daemon --start --background -m --oknodo --pidfile /var/run/vsftpd/vsftpd.pid --exec ${DAEMON}
+
+ n=0
+ while [ ${n} -le 5 ]
+ do
+ _PID="$(if [ -e /var/run/vsftpd/vsftpd.pid ]; then cat /var/run/vsftpd/vsftpd.pid; fi)"
+ if ! ps -C vsftpd | grep -qs "${_PID}"
+ then
+ break
+ fi
+ sleep 1
+ n=$(( $n + 1 ))
+ done
+
+ if ps -C vsftpd | grep -qs "${_PID}"
+ then
+ log_warning_msg "vsftpd failed - probably invalid config."
+ exit 1 + fi + + log_end_msg 0 + ;; + + stop) + log_daemon_msg "Stopping FTP server" "${NAME}" + + start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --oknodo --exec ${DAEMON} + rm -f /var/run/vsftpd/vsftpd.pid + + log_end_msg 0 + ;; + + restart) + ${0} stop + ${0} start + ;; + + reload|force-reload) + log_daemon_msg "Reloading FTP server configuration" + + start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --signal 1 --exec $DAEMON + + log_end_msg "${?}" + ;; + + status) + status_of_proc "${DAEMON}" "FTP server" + ;; + + *) + echo "Usage: ${0} {start|stop|restart|reload|status}" + exit 1 + ;; +esac + +exit 0 diff --git a/test/test_helper.bash b/test/test_helper.bash index c5d5320..3adcdfa 100644 --- a/test/test_helper.bash +++ b/test/test_helper.bash @@ -70,16 +70,21 @@ setup_environment() { /getssl/test/restart-nginx } -# start nginx in background on alpine via supervisord +# start nginx and vsftpd in background on alpine via supervisord # shellcheck disable=SC2153 # Ignore GETSSL_OS looks like typo of GETSSL_IP if [[ -f /usr/bin/supervisord && -f /etc/supervisord.conf ]]; then if [[ ! $(pgrep supervisord) ]]; then /usr/bin/supervisord -c /etc/supervisord.conf >&3- + # Give supervisord time to start + sleep 1 fi elif [[ "$GETSSL_OS" == "centos"[78] ]]; then if [ -z "$(pgrep nginx)" ]; then nginx >&3- fi + if [ -z "$(pgrep vsftpd)" ]; then + vsftpd >&3- + fi fi # Find NGINX configuration directory for HTTP-01 testing (need to add SSL to config)
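Review bot: In the start) branch of vsftpd.initd the liveness test `ps -C vsftpd | grep -qs "${_PID}"` is a substring match against the whole ps output, so PID 12 also matches 3124, and when the pid file is missing the empty pattern matches the ps header line. The polarity is also the reverse of what the message suggests: the loop breaks once the PID is no longer listed, and "vsftpd failed" is reported when it still is; if that inversion is intentional it needs a comment explaining why. A tighter form of the check would be `[ -n "${_PID}" ] && ps -C vsftpd -o pid= | grep -qsw "${_PID}"`. `--exec ${DAEMON}` and `--exec $DAEMON` should be quoted like the other uses of the variable.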
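Review bot: In the centos branch of test_helper.bash the added `vsftpd >&3-` only returns if the daemon puts itself in the background, and test/test-config/vsftpd.conf sets `listen=YES` without a `background=` line, so this depends on the distro package's compiled-in default; if vsftpd stays in the foreground, loading the helper would block. A comment such as `# relies on the CentOS vsftpd package default of background=YES` would record that, once the default is confirmed. The `sleep 1` added after starting supervisord is a fixed delay rather than a readiness check and may be too short on a loaded CI host.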