Where is Pure-FTPD config file where I can manage cert for TLS?

Hello,

Where is Pure-FTPD config file where I can manage cert for TLS?

/etc/pure-ftpd/pure-ftpd.conf

ricardofh
May 5 in FTP Server
Hi,

I get these errors on any FTP client:

Hostname does not match certificate
Certificate expired!

In the info it says it expired 2 days ago. How do I renew that certificate? Which certificate is it? It doesn't matter what I use as the FTP server: site IP, site URL or server hostname, the same issue persists.

anyone?

Following this solved it: https://www.howtoforge.com/tutorial/pureftpd-tls-on-centos/

ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 8
VerboseLog no
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous no
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
PAMAuthentication yes
LimitRecursion 10000 8
AnonymousCanCreateDirs no
MaxLoad 4
AntiWarez yes
Umask 133:022
MinUID 1000
UseFtpUsers no
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload yes
AltLog clf:/var/log/pureftpd.log
CreateHomeDir yes
MaxDiskUsage 99
CustomerProof yes
TLS 1
PassivePortRange 40110 40210

Where is the cert?

Hi,

So this has been driving me nuts for hours, trying to work out a method of making this work from the CyberPanel-installed SSL for the host.

Here’s what I’ve done to get it working:

cd /usr/local/lscp/; cat key.pem cert.pem > /etc/ssl/private/pure-ftpd.pem

Now update the config file [ /etc/pure-ftpd/pure-ftpd.conf ]:

# Encrypt auth + data stream [max security level]
TLS 3

Add to bottom:

# This should use higher version of TLS, i.e. TLS 1.2 etc.
TLSCipherSuite HIGH
CertFile /etc/ssl/private/pure-ftpd.pem

Finally, restart service:

systemctl restart pure-ftpd

The file location shouldn’t be required as it’s the default but, I needed it adding for it to work for some reason.

The only problem I see with this is that when Certbot fetches a new certificate in a couple of months for the main site/host, this FTP certificate will be outdated, and you'll need to run that one-liner at the top again and restart the service.

CertFileAndKey with the direct files didn't work; even symlinked into this private SSL directory with the key renamed to the proper name, it still didn't work for me. Odd, as it really should have done.

This should be the mandatory default setup for CyberPanel: when you create the SSL (map SSL) for the host, do this for Pure-FTPd as well, and also offer a service restart at that point and on Certbot renewal. I doubt this would require much effort.

There is NO excuse for not doing this by default; anyone stupid enough to use FTP without TLS is asking to be hacked. Sending passwords in plaintext is utterly stupid.

If you want to forget about this and leave it until CyberPanel sorts it out properly, I'd suggest following the above first to ensure the config is set up correctly for you. Then set up a cron job for this:

cd /usr/local/lscp/; cat key.pem cert.pem > /etc/ssl/private/pure-ftpd.pem; systemctl restart pure-ftpd

So I found myself in a pickle again and, for some reason, didn't realise the certs I was copying were the wrong ones. (Sorry to anyone who used the above version!)
Therefore I've created a simple-to-add workaround script that will fix this issue once and for all for non-SNI pure-ftpd implementations.

Do be sure to adjust the config file explained above to improve security.

If you've manually pushed for a new certificate, then this might cause a delay, since it's not part of any CyberPanel hooks. If that's bothering you, make the cron run more often, like:

*/5 * * * * /root/cp-pure-ftpd-ssl.sh > /dev/null

This would be once every 5 minutes, at the cost of writing a file to the hard drive every 5 minutes.

For those that can't read cron easily, the below runs once a day at 1:36am, which is an hour after acme does its thing each night, thereby catching any new auto-replacements.

If you need to fix this right now, create the file and run: sh /root/cp-pure-ftpd-ssl.sh


#!/bin/bash
#
# CyberPanel SSL Fix for pure-ftpd by R Small 19th June 2019.
#
# Copies the host SSL for CyberPanel and sets it for Pure-ftpd for non-SNI.
#
# Add below to your crontab -e and save this script as /root/cp-pure-ftpd-ssl.sh
#
# 36 1 * * * /root/cp-pure-ftpd-ssl.sh > /dev/null

set -e                                       # stop if the cd or cat fails instead of installing a broken file
HOST=${HOSTNAME:-$(hostname)}                # bash sets $HOSTNAME, but not every cron shell does
rm -f /etc/ssl/private/pure-ftpd.pem
cd "/etc/letsencrypt/live/$HOST/"
cat privkey.pem fullchain.pem > /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem     # the file holds the private key
systemctl restart pure-ftpd


CyberPanel, I found the js files that are used to trigger SSL from the webpage. But I don't understand what's monitoring it, or how it gets actioned to make acme do its thing on demand. Could you please share how (is there something like a Python main loop?), so I can improve this fix.

Hope this helps others.
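The two posts above rebuild pure-ftpd's combined PEM from the host certificate by hand and restart the service from cron. Below is an added example that does the same job with the checks a practitioner would want; it is not the thread's script and not CyberPanel code. It writes the key-then-chain file atomically with owner-only permissions, refuses to install a key and certificate that do not belong together (the mistake admitted above), restarts only when the file really changed, warns when expiry is near, and includes the client-side `openssl s_client -starttls ftp` check that shows which certificate and SANs pure-ftpd actually presents. Assumptions, all adjustable: the Certbot lineage directory is named after `hostname -f`, pure-ftpd reads `/etc/ssl/private/pure-ftpd.pem` (its default), and the service is managed by systemd.

```shell
#!/bin/sh
# Added example, not the thread's script or CyberPanel code. Assumptions
# (hypothetical defaults): Certbot lineage named after `hostname -f`,
# pure-ftpd CertFile /etc/ssl/private/pure-ftpd.pem, service under systemd.
set -eu

# build_pureftpd_pem LIVE_DIR OUT_PEM
# Concatenates privkey.pem then fullchain.pem (key first, as pure-ftpd expects)
# into a 0600 temp file in the target directory and renames it into place, so
# pure-ftpd never sees a half-written or world-readable file. Prints "changed"
# if OUT_PEM was replaced, "unchanged" if it was already identical.
build_pureftpd_pem() {
  live_dir=$1; out=$2
  key="$live_dir/privkey.pem"; chain="$live_dir/fullchain.pem"
  if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
    echo "build_pureftpd_pem: cannot read $key or $chain" >&2
    return 1
  fi
  tmp=$(mktemp "$out.XXXXXX")      # same directory, so mv is an atomic rename
  chmod 0600 "$tmp"                # the file holds the private key
  cat "$key" "$chain" > "$tmp"
  if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
    rm -f "$tmp"
    echo unchanged
  else
    mv -f "$tmp" "$out"
    echo changed
  fi
}

# pem_key_matches_cert KEY_PEM CERT_PEM
# Succeeds only if the private key in KEY_PEM and the first certificate in
# CERT_PEM share a public key. Both arguments may be the same combined file.
pem_key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# pem_expires_within PEM DAYS
# Succeeds if the certificate expires within DAYS days (or already has).
pem_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_ftp_tls HOST [PORT]
# The client's view: AUTH TLS on the control connection, then the subject,
# SANs and validity of the certificate pure-ftpd really presents. A
# "hostname does not match" error means HOST is not in the SAN list.
# Needs OpenSSL 1.1.1+ for -ext; needs network, so not exercised by the checks.
check_ftp_tls() {
  host=$1; port=${2:-21}
  openssl s_client -connect "$host:$port" -starttls ftp -servername "$host" \
    </dev/null 2>/dev/null |
    openssl x509 -noout -subject -ext subjectAltName -dates
}

# Cron entry point: "cp-pure-ftpd-ssl.sh run" from a daily job after Certbot.
main() {
  live="/etc/letsencrypt/live/$(hostname -f)"     # assumed lineage name
  out=/etc/ssl/private/pure-ftpd.pem               # pure-ftpd default CertFile
  if ! pem_key_matches_cert "$live/privkey.pem" "$live/fullchain.pem"; then
    echo "key and chain in $live do not match, not installing" >&2
    exit 1
  fi
  if [ "$(build_pureftpd_pem "$live" "$out")" = changed ]; then
    systemctl restart pure-ftpd   # restart so the running daemon uses the new file
  fi
  if pem_expires_within "$out" 7; then
    echo "warning: $out expires within 7 days; has Certbot renewed?" >&2
  fi
}

if [ "${1:-}" = run ]; then
  main
fi
```

Install it as `/root/cp-pure-ftpd-ssl.sh`, schedule `36 1 * * * /root/cp-pure-ftpd-ssl.sh run` as in the thread, and from another machine run `check_ftp_tls your.host.name` (after sourcing the script) to confirm the served certificate's SANs contain the name your FTP client connects to; connecting by IP will always fail hostname verification unless the IP itself is in the SAN list.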