Hello all, I checked the manual for the FTPS part; it only talks about generating one certificate for every site. Is it possible to let each website use its own TLS certificate, so the domains will match and not generate an error on the certificate?
Not in the default setup. All connections via FTP should be made via the server hostname, not by using a client domain. But it might be possible to implement it manually, see: https://www.howtoforge.com/community/threads/pure-ftpd-sni-with-letsencrypt.85488/
So I followed the manual here: https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

I am trying to use pure-ftpd with TLS certs, but it isn't working. First of all I discovered the pure-certd daemon package wasn't included with the latest pure-ftpd packages in Ubuntu 20.04 (10.0.49). So after manually compiling with the --with-tls option and using the instructions, I tried running it like this:

Code:
pure-certd --run /home/michel/certificate-handler.sh \
    --socket /var/run/ftpd-certs.sock

The certificate-handler.sh:

Code:
#! /bin/sh
echo 'action:strict'
echo 'key_file:/var/www/ubuntu-server2.local/ssl/server.pem'
echo 'key_file:/var/www/ubuntu.local/ssl/server.pem'
echo 'done'

But it's not using the right certificates, still the default one, and I am still getting the untrusted certificate warnings. Do you guys have any idea what goes wrong in my setup, and is anyone using this feature?
Yes, I uncommented the "ExtCert /var/run/ftpd-certs.sock" line in the /etc/pure-ftpd/pure-ftpd.conf file
Nope. The ExtCert config was the only thing I could think of. It's something I've wanted to look at properly but never had the time, so I've only got as far as trying to get pure-certd compiled. That said, I don't see any reason to disable FTP without this, just have a single cert with the server's FQDN. OK, clients connecting will get a message asking them if they trust the certificate, but it's no less secure than providing pure-ftpd with each domain's own cert. It just avoids the annoyance of having to keep telling clients it's all fine; they can still use their domain name as the FTP host, they just have to click the checkbox and carry on.
Just a thought, but is the cert you're referencing in your certificate-handler.sh a full CA certificate, or a self-signed certificate? It might still have issues with a self-signed cert, maybe retry it with a full CA cert.

Also, looking at your certificate-handler.sh script again:

Code:
echo 'key_file:/var/www/ubuntu-server2.local/ssl/server.pem'
echo 'key_file:/var/www/ubuntu.local/ssl/server.pem'

Two key_file paths, I take it for 2 different domains / cert chains? Should one/both of those not be cert_file? If they're two separate cert chains, and the pem includes the key, I believe only the cert_file line is needed. Also, if you're supplying two different complete cert chains, how is it supposed to know which one to use? I believe the script is supposed to determine which domain is in the request and only return the relevant single certificate (and key file if separate) for that actual domain. If your script contains two full cert chains, then it's returning both of those for one request. The script needs to find the domain requested (env variable CERTD_SNI_NAME) and only return the certificate that matches that.
Why don't you simply let every user connect to the hostname of the server? The FTPS cert is issued for the hostname of the server and users should connect to FTP by using that hostname and not any other domains which you might have pointed to the system as well.
So the cert file and the keys are combined in one file. I changed the key_file to cert_file, and the certs are self-signed. I know it's easier to just use one cert, but my boss wants to use separate cert files for each domain so they won't show the incorrect cert warnings. It should be possible with this script to serve each domain a different certificate, right? Or am I missing something here? Sadly the documentation is very limited.
I believe the certificate-handler.sh script, as it's shown in the pure-ftpd documentation, is just an example to return the correct cert details for the domain they're testing with. The real-life, production script would need to determine which domain is being requested (by using the CERTD_SNI_NAME env variable), find the correct details within a list file of domains/certs, MySQL, or whatever method you find easiest, and return (echo) only those particular cert_file (and key_file if separate) lines back to the ftpd-certs.sock socket. Unfortunately none of the documentation shows any method/example of checking the env variable and finding the correct cert details, so that's the bit you need to work out and script. It should be a simple enough script to do, assuming the domain name and certificate details are added to a file/database manually (you also need to add every SAN name as well, no guarantee a client won't try ftp'ing to an aliasdomain/subdomain). The hard part would be writing the code to get it done automatically when a cert's added/changed/deleted via ISPConfig.
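The lookup script described in the two replies above (match CERTD_SNI_NAME against a list of domains and SAN names, then return one cert_file/key_file pair), written out as an added example. This is not the pure-ftpd project's code and not the poster's script; it only assumes the response lines the thread and README.TLS show (action:, cert_file:, key_file:, done). The map file path /etc/pure-ftpd/certd-map.txt, its tab-separated layout and the sample entries written by write_sample_map are all made up for this example. Because the SNI name comes straight from the client, it is validated as a plain hostname before any lookup, and an unknown name falls back to action:default rather than handing out a certificate for a name the server was never configured for.

```shell
#!/bin/sh
# Added example: per-SNI certificate lookup for pure-certd.
# Not pure-ftpd's code. Assumes pure-certd runs this with CERTD_SNI_NAME set
# and reads "key:value" lines ending in "done" from stdout.

# Hypothetical map file: one entry per line, tab separated:
#   name<TAB>cert_file<TAB>key_file
# Every SAN name gets its own line; "*.example" matches exactly one extra label.
CERT_MAP="${CERT_MAP:-/etc/pure-ftpd/certd-map.txt}"

# Lowercase the client-supplied SNI name and accept only a plain hostname
# (letters, digits, dots, hyphens). Anything else yields an empty string.
sanitize_sni() {
  printf '%s\n' "$1" | head -n 1 | tr 'A-Z' 'a-z' \
    | sed -n '/^[a-z0-9]\([a-z0-9.-]*[a-z0-9]\)\{0,1\}$/p'
}

# Print "cert_file<TAB>key_file" for a sanitized name, or nothing.
# An exact entry wins over a wildcard entry.
lookup_cert() {
  awk -F'\t' -v n="$1" '
    /^#/ || NF < 3 { next }
    $1 == n { e = $2 "\t" $3; exit }
    substr($1, 1, 2) == "*." && w == "" {
      suf = substr($1, 2)
      if (length(n) > length(suf) &&
          substr(n, length(n) - length(suf) + 1) == suf &&
          index(substr(n, 1, length(n) - length(suf)), ".") == 0)
        w = $2 "\t" $3
    }
    END { if (e != "") print e; else if (w != "") print w }
  ' "$2"
}

# Build the full pure-certd answer for one SNI name against one map file.
certd_response() {
  name=$(sanitize_sni "$1")
  entry=""
  if [ -n "$name" ] && [ -r "$2" ]; then
    entry=$(lookup_cert "$name" "$2")
  fi
  if [ -z "$entry" ]; then
    # Unknown or malformed name: let pure-ftpd use its default certificate.
    printf 'action:default\ndone\n'
    return 0
  fi
  cert=$(printf '%s\n' "$entry" | cut -f1)
  key=$(printf '%s\n' "$entry" | cut -f2)
  printf 'action:strict\ncert_file:%s\nkey_file:%s\ndone\n' "$cert" "$key"
}

# Constructed sample map using the paths from this thread; SAN names and a
# wildcard are listed explicitly so alias/subdomain requests also match.
write_sample_map() {
  printf '%s\t%s\t%s\n' \
    ubuntu.local /var/www/ubuntu.local/ssl/server.pem /var/www/ubuntu.local/ssl/server.pem \
    www.ubuntu.local /var/www/ubuntu.local/ssl/server.pem /var/www/ubuntu.local/ssl/server.pem \
    ubuntu-server2.local /var/www/ubuntu-server2.local/ssl/server.pem /var/www/ubuntu-server2.local/ssl/server.pem \
    '*.ubuntu-server2.local' /var/www/ubuntu-server2.local/ssl/server.pem /var/www/ubuntu-server2.local/ssl/server.pem \
    > "$1"
}

# When invoked by pure-certd, answer for the client's SNI name.
if [ -n "${CERTD_SNI_NAME:-}" ]; then
  certd_response "$CERTD_SNI_NAME" "$CERT_MAP"
fi
```

Pointing pure-certd at this file with --run (as in the command earlier in the thread) is enough for a manual setup; the part that still needs automation is regenerating the map whenever a certificate is added, renewed or removed.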
Surprisingly, more and more people want to implement this hard way of doing things, whether for this FTP server or mail server etc. Is doing this really worth it?
Just for FTP? Probably not. It's gonna need too many changes to ISPConfig to get it working automatically. But those same changes would be needed to implement automatic SNI for Postfix/Dovecot on ISPConfig servers (add certbot/acme requested certs to the ISPConfig databases on all web / mail servers), which may well be worth all the effort. And if that's done, the extra bits needed for pure-ftpd SNI should be minimal. The biggest problem would be the certd binary not being included in the pure-ftpd-common package on Debian/Ubuntu. But maybe pure-ftpd can be installed as currently normal and the certd binary precompiled and included in the installer? Probably a lot less hassle than having the installer download the source and compile it; that's going to cause so many different problems on so many different servers.