Use Let's Encrypt certificate for ProFTPd?

Hi

I generated a Let’s Encrypt certificate for Virtualmin/Webmin that I have set up to be used for SMTP/POP/IMAP services too, but for FTP, when I access the FTP server, I get a warning from FileZilla stating it doesn’t recognise the certificate unless it’s well the good one! I guess it’s missing the root certificate file, no? And if so, how can I set that up in ProFTPd?

Thanks

Vincèn

If you request a cert for a host (virtual server), you can select to copy the cert to different subsystems like webmin.
I noticed that it sometimes doesn't work properly, so you need to edit the proftpd config yourself.
You need to at least unmark (remove the #) from this line:
Include /etc/proftpd/tls.conf
And you should make sure that “TLSCACertificateFile” path is set in the config.

The tls.conf should at least contain (unmarked):
<-IfModule mod_tls.c>
TLSEngine
TLSLog
TLSProtocol
TLSRSACertificateFile
TLSRSACertificateKeyFile
TLSOptions
TLSRequired
TLSRenegotiate
<-/IfModule>
If necessary, you need to enable TLSEngine and some others if they are pre-set to off.
The minus (-) after the < needs to be removed; I just needed to do that, otherwise that line wouldn't be visible in the forum.

Restart proftpd after that.

Thanks, but you didn’t indicate the option to use with each parameter! Here is what I have here. I think that I need an extra argument to indicate the root server of Let’s Encrypt, as it uses well my certificate but doesn’t recognise it as valid in FTP clients as it misses the authority…

TLSEngine                     on
TLSRequired                   on
TLSRSACertificateFile         /etc/webmin/letsencrypt-cert.pem
TLSRSACertificateKeyFile      /etc/webmin/letsencrypt-key.pem
TLSOptions                    NoCertRequest
TLSVerifyClient               off
TLSLog                        /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
  TLSSessionCache             shm:/file=/var/run/proftpd/sesscache
</IfModule>

Problem solved :wink: I downloaded the root certificate from the Let’s Encrypt website, saved it in a file on my system and added that to the ProFTPD configuration:

TLSCACertificateFile /etc/ssh/letsencrypt.root.cert.pem

And now no more warnings from the FTP client about the certificate not being trusted :wink:
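
An added example, not part of the thread and not ProFTPD's own code: a small Python check for the two misconfigurations discussed above, the commented-out `Include` of tls.conf and a TLS block that names no issuer certificates. The function names, the `files` mapping, the sample configs and the placeholder PEM body are constructed for illustration; `TLSCertificateChainFile` does not appear in the thread but is mod_tls's directive for the chain sent to clients, so the check accepts it alongside `TLSCACertificateFile`.

```python
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
# TLSCACertificateFile is what the thread used; TLSCertificateChainFile also supplies issuers.
CHAIN_DIRECTIVES = ("tlscertificatechainfile", "tlscacertificatefile")


def active_directives(conf_text):
    """Map lowercased directive -> list of values; skips comments and <...> tags."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found


def audit(main_conf, tls_conf, files):
    """Return findings; `files` maps a path to that file's text (hypothetical helper)."""
    findings = []
    includes = active_directives(main_conf).get("include", [])
    if not any(v.endswith("tls.conf") for v in includes):
        findings.append("tls.conf is not included (Include line commented out?)")
    tls = active_directives(tls_conf)
    if tls.get("tlsengine", ["off"])[-1].lower() != "on":
        findings.append("TLSEngine is not on")
    if "tlsrsacertificatefile" not in tls:
        findings.append("no TLSRSACertificateFile set")
    chain_paths = [p for d in CHAIN_DIRECTIVES for p in tls.get(d, [])]
    if not chain_paths:
        findings.append("no issuer certificates configured")
    for path in chain_paths:
        # Catches a download saved as HTML or DER instead of PEM.
        if not PEM_CERT.search(files.get(path, "")):
            findings.append("no PEM certificate in " + path)
    return findings

# Constructed sample input; the paths are the ones quoted in the thread.
MAIN_CONF = "Include /etc/proftpd/tls.conf\n"
TLS_BEFORE = """<IfModule mod_tls.c>
TLSEngine                 on
TLSRSACertificateFile     /etc/webmin/letsencrypt-cert.pem
TLSRSACertificateKeyFile  /etc/webmin/letsencrypt-key.pem
</IfModule>
"""
CA_PATH = "/etc/ssh/letsencrypt.root.cert.pem"
TLS_AFTER = TLS_BEFORE.replace("</IfModule>", "TLSCACertificateFile " + CA_PATH + "\n</IfModule>")
FILES = {CA_PATH: "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"}
if __name__ == "__main__":
    print(audit(MAIN_CONF, TLS_BEFORE, FILES), audit(MAIN_CONF, TLS_AFTER, FILES))
```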
