Hi, I'm using ISPConfig3 with pure-ftp. The SSL config says:
pure-ftpd/pure-ftpd.conf:CertFileAndKey "/etc/letsencrypt/live/hosting.digso.at-0001/cert.pem" "/etc/letsencrypt/live/hosting.digso.at-0001/privkey.pem"
This points to
lrwxrwxrwx 1 root root 46 May 13 03:06 cert.pem -> ../../archive/hosting.digso.at-0001/cert14.pem
which was obviously generated May 13th. However, when connecting to FTP, FileZilla keeps complaining about an old certificate, which expired December 2021. So what am I doing wrong?

On Ubuntu 22.04, pure-ftpd uses the SSL cert file /etc/ssl/private/pure-ftpd.pem. This can be a symlink to another file like the global ISPConfig SSL cert, depending on your setup.

pure-ftpd seems to have problems with linked files... besides fullchain.pem I also tried to link cert.pem and chain.pem, nothing works
Code:
root@hosting:/usr/local/ispconfig/interface/ssl# systemctl status pure-ftpd-mysql
● pure-ftpd-mysql.service
     Loaded: loaded (/etc/init.d/pure-ftpd-mysql; generated)
     Active: active (exited) since Wed 2023-07-12 08:27:53 UTC; 2s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 787308 ExecStart=/etc/init.d/pure-ftpd-mysql start (code=exited, status=0/SUCCESS)
        CPU: 30ms
Jul 12 08:27:53 hosting.digso.at systemd[1]: Starting pure-ftpd-mysql.service...
Jul 12 08:27:53 hosting.digso.at pure-ftpd-mysql[787308]: Starting ftp server:
Jul 12 08:27:53 hosting.digso.at pure-ftpd-mysql[787318]: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -E -P 18.198.173.34 -O clf:/var/log/pure-ftpd/transfer.log -b -D -p 32768:60999 -J H>
Jul 12 08:27:53 hosting.digso.at systemd[1]: Started pure-ftpd-mysql.service.
Jul 12 08:27:53 hosting.digso.at pure-ftpd[787319]: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
root@hosting:/usr/local/ispconfig/interface/ssl# ll /etc/ssl/private/pure-ftpd.pem
lrwxrwxrwx 1 root root 48 Jul 12 08:20 /etc/ssl/private/pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
root@hosting:/usr/local/ispconfig/interface/ssl# ll /usr/local/ispconfig/interface/ssl/ispserver.pem
lrwxrwxrwx 1 root root 57 Jul 12 08:27 /usr/local/ispconfig/interface/ssl/ispserver.pem -> /etc/letsencrypt/live/hosting.digso.at-0001/fullchain.pem
root@hosting:/usr/local/ispconfig/interface/ssl# ll /etc/letsencrypt/live/hosting.digso.at-0001/fullchain.pem
lrwxrwxrwx 1 root root 51 Jul 12 03:06 /etc/letsencrypt/live/hosting.digso.at-0001/fullchain.pem -> ../../archive/hosting.digso.at-0001/fullchain15.pem
root@hosting:/usr/local/ispconfig/interface/ssl# ll /etc/letsencrypt/archive/hosting.digso.at-0001/fullchain15.pem
-rw-r--r-- 1 root root 5867 Jul 12 03:06 /etc/letsencrypt/archive/hosting.digso.at-0001/fullchain15.pem
root@hosting:/usr/local/ispconfig/interface/ssl# ll
total 44
drwxr-x--- 2 root      root      4096 Jul 12 08:27 ./
drwxr-x--- 9 ispconfig ispconfig 4096 Nov 27  2020 ../
-rwxr-x--- 1 root      root       768 Feb 15 06:48 dhparam4096.pem*
-rwxr-x--- 1 root      root        45 Feb 15 06:48 empty.dir*
lrwxrwxrwx 1 root      root        57 Sep 25  2021 ispserver.crt -> /etc/letsencrypt/live/hosting.digso.at-0001/fullchain.pem
-rwxr-x--- 1 root      root      1716 Mar 22  2021 ispserver.csr*
lrwxrwxrwx 1 root      root        55 Sep 25  2021 ispserver.key -> /etc/letsencrypt/live/hosting.digso.at-0001/privkey.pem
-rwxr-x--- 1 root      root      3311 Mar 22  2021 ispserver.key.secure*
lrwxrwxrwx 1 root      root        57 Jul 12 08:27 ispserver.pem -> /etc/letsencrypt/live/hosting.digso.at-0001/fullchain.pem
-rwxr-x--- 1 root      root      5160 Mar 24  2021 ispserver.pem.old*
-rwxr-x--- 1 root      root      9213 Sep 28  2021 ispserver.pem.old2*

Quite unlikely, as it works fine on any other system. But maybe your symlink chain is too long, so you can try to shorten it by making a direct symlink to the cert file from /etc/ssl/private/pure-ftpd.pem. But take care that this file must contain the SSL key, then the SSL cert and then the SSL chain certs, all in one file, one after another.
In the original ispserver.pem, the private key is the very last entry... However, in the letsencrypt folder, there is no file which includes all of these. What is the global ISPConfig SSL cert, where is it and how is it renewed?
The file(s) are in the folder /usr/local/ispconfig/interface/ssl/ and how SSL gets renewed depends on your setup; there are various alternatives depending on how you have set that up and which LE client you are using. If the cert was set up by ISPConfig at install time, then ISPConfig takes care to build the combined file at renewal. If you are using a different approach like using the SSL cert of a website for ISPConfig itself, then you must take care to build that combined SSL cert after renewal.
Actually, I followed the "Perfect Server" How-To to set it up, originally with Ubuntu 20.04, later updated to 22.04. It seems that I misconfigured something, so that the certificate is not regenerated anymore in /usr/local/ispconfig/interface/ssl/. Any hint how I can reactivate the automatic renewal?
As a first step, try creating a certificate file manually in the ISPConfig SSL folder that contains the SSL key, the SSL cert and then the chain certs, one after another. Then try to point the /etc/ssl/private/pure-ftpd.pem symlink to that file and restart pure-ftpd-mysql to see if this fixes your issue.
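
The combined file described in the reply above (key, then cert, then chain certs), built from the Let's Encrypt files named earlier in the thread. This is an added example, not part of the original posts; the function names and the output file name `pure-ftpd-combined.pem` are hypothetical, and the block-order and key-match checks are sanity checks added here.

```shell
#!/bin/sh
# Added example (not from the thread): build the single PEM file described above,
# private key first, then the certificate, then the chain certificates.

# build_combined_pem KEY FULLCHAIN OUT
build_combined_pem() {
    key=$1; chain=$2; out=$3
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" ||
        { echo "no certificate in $chain" >&2; return 1; }
    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    # mv replaces OUT itself; "cat > OUT" would write through an existing symlink
    # (ispserver.pem -> fullchain.pem in the thread) and clobber its target.
    if cat "$key" "$chain" > "$tmp" && mv -f "$tmp" "$out"; then return 0; fi
    rm -f "$tmp"; return 1
}

# pem_block_order FILE: prints block types in file order, e.g. "KEY CERT CERT"
pem_block_order() {
    awk '/^-----BEGIN .*PRIVATE KEY-----/ { printf "%sKEY", s; s = " " }
         /^-----BEGIN CERTIFICATE-----/   { printf "%sCERT", s; s = " " }
         END { print "" }' "$1"
}

# verify_combined_pem FILE: key matches the first certificate, which is not expired
verify_combined_pem() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ] &&
        openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# deploy: paths are the ones quoted in the thread; the output file name is hypothetical.
deploy() {
    live=${LIVE:-/etc/letsencrypt/live/hosting.digso.at-0001}
    out=${OUT:-/usr/local/ispconfig/interface/ssl/pure-ftpd-combined.pem}
    build_combined_pem "$live/privkey.pem" "$live/fullchain.pem" "$out" &&
        verify_combined_pem "$out" &&
        ln -sfn "$out" /etc/ssl/private/pure-ftpd.pem &&
        systemctl restart pure-ftpd-mysql
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

Run it as root with the argument `deploy`, and again after each renewal, since the combined file is a copy and does not follow the Let's Encrypt symlinks.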