enable ftps with different certificates for each website

Discussion in 'Installation/Configuration' started by michel!!, Jul 29, 2021.

  1. michel!!

    michel!! New Member

    Hello all,

    I checked the manual for the ftps part; it only talks about generating one certificate for every site.
    Is it possible to let each website use its own tls certificate, so the domains will match and not generate an error on the certificate?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Not in the default setup. All connections via FTP should be made via server hostname, not by using a client domain. But it might be possible that you manually implement it, see: https://www.howtoforge.com/community/threads/pure-ftpd-sni-with-letsencrypt.85488/
     
    ahrasis likes this.
  3. michel!!

    michel!! New Member

    So I followed the manual here: https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

    I am trying to use pure-ftpd with tls certs, but it isn't working.
    First of all I discovered the pure-certd daemon package wasn't included with the latest pure-ftpd packages in Ubuntu 20.04. (10.0.49)

    So after manually compiling with the --with-tls option and using the instructions I tried running it like this:

    pure-certd --run /home/michel/certificate-handler.sh \
    --socket /var/run/ftpd-certs.sock

    the certificate-handler.sh:
    #! /bin/sh
    echo 'action:strict'
    echo 'key_file:/var/www/ubuntu-server2.local/ssl/server.pem'
    echo 'key_file:/var/www/ubuntu.local/ssl/server.pem'
    echo 'done'

    But it's not using the right certificates, still the default one, and I am still getting the untrusted certificate warnings, do you guys have any idea what goes wrong in my setup, and is anyone using this feature?
     
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    did you create the ExtCert configuration file in /etc/pure-ftpd/conf and restart pure-ftpd-mysql?
     
  5. michel!!

    michel!! New Member

    Yes, I uncommented the "ExtCert /var/run/ftpd-certs.sock" line in the /etc/pure-ftpd/pure-ftpd.conf file
     
  6. michel!!

    michel!! New Member

    Any ideas? We've got this running in production but with ftp disabled due to the security concerns.
     
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    nope. the ExtCert config was the only thing i could think of.
    it's something i've wanted to look at properly but never had the time, so i've only got as far as trying to get pure-certd compiled.

    that said, i don't see any reason to disable ftp without this, just have a single cert with the server's fqdn. ok, clients connecting will get a message asking them if they trust the certificate, but it's no less secure than providing pure-ftpd with each domain's own cert.
    just avoids the annoyance of having to keep telling clients it's all fine and they can still use their domain name as the ftp host, they just have to click the checkbox and carry on.
     
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    just a thought, but is the cert you're referencing in your certificate-handler.sh a full CA certificate, or a self-signed certificate?
    it might still have issues with a self-signed cert, maybe retry it with a full CA cert...

    also, looking at your certificate-handler.sh script again,
    Code:
    echo 'key_file:/var/www/ubuntu-server2.local/ssl/server.pem'
    echo 'key_file:/var/www/ubuntu.local/ssl/server.pem'
    
    two key_file paths, i take it for 2 different domains / cert chains?
    should one/both of those not be cert_file?
    if they're two separate cert chains, and the pem includes the key, i believe only the cert_file line is needed:

    also, if you're supplying two different complete cert chains, how is it supposed to know which one to use? i believe the script is supposed to determine which domain is in the request and only return the relevant single certificate (and key file if separate) for that actual domain. if your script contains two full cert chains, then it's returning both of those for one request.
    the script needs to find the domain requested (env variable CERTD_SNI_NAME) and only return the certificate that matches that.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Why don't you simply let every user connect to the hostname of the server? The FTPS cert is issued for the hostname of the server and users should connect to FTP by using that hostname and not any other domains which you might have pointed to the system as well.
     
    ahrasis likes this.
  10. michel!!

    michel!! New Member

    So the certfile and the keys are combined in 1 file.
    I changed the key_file to cert_file, and the certs are self-signed.
    I know it's easier to just use 1 cert, but my boss wants to use separate certfiles for each domain so they won't show the incorrect cert warnings.
    It should be possible with this script to serve each domain a different certificate, right? Or am I missing something here?
    Sadly the documentation is very limited.
     
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i believe the certificate-handler.sh script, as it's shown in the pure-ftpd documentation, is just an example to return the correct cert details for the domain they're testing with, the real life, production script would need to determine which domain is being requested (by using the CERTD_SNI_NAME env variable), find the correct details within a list file of domains/certs, mysql, or whatever method you find easiest, and returning (echoing) only those particular cert_file (and key_file if separate) back to the ftpd-certs.sock socket.

    unfortunately none of the documentation shows any method/example of checking the env variable and finding the correct cert details, so that's the bit you need to work out, and script.
    should be a simple enough script to do, assuming the domain name and certificate details are added to a file/database manually (also need to add every SAN name as well, no guarantee a client won't try ftp'ing to an aliasdomain/subdomain). the hard part would be writing the code to get it done automatically when a cert's added/changed/deleted via ispconfig.
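
A sketch of the SNI-aware handler described in the post above, added here as an example; it is not part of the thread or of the pure-ftpd documentation. The map file path and its column layout are assumptions, and the `action:default` reply and the `end` terminator follow the reply format given in pure-ftpd's README.TLS.

```shell
#!/bin/sh
# Added example: handler for "pure-certd --run", selecting a cert by SNI name.
# CERT_MAP is a hypothetical lookup file (path and format are assumptions),
# one entry per line, no spaces in paths, every SAN/alias listed on its own line:
#   <hostname> <cert-chain.pem> [<key.pem>]     e.g. (constructed)
#   ubuntu.local /var/www/ubuntu.local/ssl/server.pem
CERT_MAP="${CERT_MAP:-/etc/pure-ftpd/sni-certs.map}"

certd_reply() {
    # $1 = SNI name sent by the client, $2 = map file
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        ''|*[!a-z0-9.-]*|.*|*..*)
            # Empty or not a plain hostname: never look it up, serve the
            # server's default certificate instead.
            printf 'action:default\nend\n'
            return 0 ;;
    esac
    entry=''
    if [ -r "$2" ]; then
        # Exact match on column 1 only; a combined PEM (no third column)
        # is used as both certificate and key.
        entry=$(awk -v n="$name" \
            '$1 == n { print $2, ($3 == "" ? $2 : $3); exit }' "$2")
    fi
    cert=${entry%% *}
    key=${entry#* }
    if [ -n "$entry" ] && [ -r "$cert" ] && [ -r "$key" ]; then
        # Return exactly one certificate for this one request.
        printf 'action:strict\ncert_file:%s\nkey_file:%s\nend\n' "$cert" "$key"
    else
        # Unknown name or unreadable files: default cert, not a failed handshake.
        printf 'action:default\nend\n'
    fi
}

# pure-certd passes the requested name in CERTD_SNI_NAME.
certd_reply "${CERTD_SNI_NAME:-}" "$CERT_MAP"
```

Running it by hand with `CERTD_SNI_NAME=ubuntu.local CERT_MAP=./test.map sh certificate-handler.sh` shows the reply pure-certd would receive, which helps separate handler problems from pure-ftpd configuration problems.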
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Surprisingly, more and more people want to implement this hard way of doing things, whether for this ftp server or mail server etc. Is doing this really worth it?
     
  13. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    just for ftp? probably not. it's gonna need too many changes to ispconfig to get it working automatically.
    but those same changes would be needed to implement automatic SNI for postfix/dovecot on ispconfig servers (add certbot/acme requested certs to the ispconfig databases on all web / mail servers) which may well be worth all the effort.
    and if that's done, the extra bits needed for pure-ftpd SNI should be minimal.
    the biggest problem would be the certd binary not being included in the pure-ftpd-common package on debian/ubuntu. but maybe pure-ftpd can be installed as currently normal and the certd binary precompiled and included in the installer? probably a lot less hassle than having the installer download the source and compiling it, that's going to cause so many different problems on so many different servers.
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Good luck with that. :D
     
