Hi all, I've read many posts about letsencrypt ssl but they all seem to be out of date. Would someone please confirm which is the recommended way to secure with SSL (enable TLS) the pureftpd. If it matters it is a multi-server setup and I'm interested in using the default SSL which is working and is under /etc/letsencrypt/live/myservername/ to automate the process for future updates. Thanks
You can symlink it when creating a cert through the installer. If you did it manually, you most likely used this guide which explains how to set it up for Pure-FTPd with auto renewal as well: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
Thom, I don't remember the installer asking me anything about ssl and other services. There was only one point where it asked about enabling ssl, which I selected y for, but pureftpd hasn't used that ssl. This is on a new installation of a new web/ftp server.
Do a force upgrade, choose y for getting a new SSL cert, and then choose y to symlink it to pure-ftpd
Code:
ispconfig_update.sh --force
Thom, I ran the update with force but it doesn't ask me anywhere about SSL or to symlink anything. See output below:
Code:
>> Update

Operating System: Debian 10.0 (Buster) or compatible

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no
MySQL master server hostname [controlpanel.myserver.com]:
MySQL master server port [3306]:
MySQL master server root username [root]:
MySQL master server root password []: mypass
MySQL master server database name [dbispconfig]:
Checking ISPConfig database .. OK
Starting incremental database update.
Loading SQL patch file: /tmp/update_runner.sh.wOlYK2cJgJ/install/sql/incremental/upd_dev_collection.sql
Reconfigure Permissions in master database? (yes,no) [no]: yes
Service 'mail_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]:
Service 'db_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]:
Reconfigure Services? (yes,no,selected) [yes]:
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Jailkit
Configuring Ubuntu Firewall
Configuring Database
Updating ISPConfig
Certificate exists. Not creating a new one.
Reconfigure Crontab? (yes,no) [yes]:
Updating Crontab
Restarting services ...
Update finished.
root@web3:~#
I see, this is because a valid cert is in place: "Certificate exists. Not creating a new one." You can remove this cert and then let it create a new one and let the installer symlink it.
I removed the cert, ran the update again and indeed it asked me for the symlink. After restarting pureftpd I still can't use it with TLS, just plain. Do I need to adjust the settings of pureftpd as well?
There is no firewall on this server yet. The ftp client warns that the connection is not over TLS as the server doesn't support that.
I have:
Code:
TLS 1
CertFile /etc/ssl/private/pure-ftpd.pem
restarted the service and same, it doesn't use the TLS
Code:
root@web4:/etc/ssl/private# ls -la
total 16
drwx--x--- 2 root ssl-cert 4096 Jan 10 18:24 .
drwxr-xr-x 4 root root     4096 Jan  7 13:02 ..
-rw-r--r-- 1 root root      424 Jan  7 13:43 dhparam2048.pem
lrwxrwxrwx 1 root root       15 Jan  7 13:43 pure-ftpd-dhparams.pem -> dhparam2048.pem
lrwxrwxrwx 1 root root       48 Jan 10 18:24 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
lrwxrwxrwx 1 root root       48 Jan  7 13:43 pure-ftpd.pem-20210110182416.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
-rw-r----- 1 root ssl-cert 1704 Jan  7 13:03 ssl-cert-snakeoil.key
root@web4:/etc/ssl/private#
I tried with both FileZilla and with the webftp that I have in place. FileZilla, the moment it tries to connect, throws a warning that the server does not support TLS and clear text login will be used.
Thom, the settings I have are fine; the message is very clear:
Code:
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 12:19. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 500 This security scheme is not implemented
Command: AUTH SSL
Response: 500 This security scheme is not implemented
Error: Critical error: Could not connect to server
and if I choose to auto select authentication instead of forcing TLS as above:
Code:
Status: Resolving address of web4.mydomain.com
Status: Connecting to myIP:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful
OK, found it after comparing all files from other servers that were working. I removed the TLS 1 from pure-ftpd.conf and also the cert file and instead I created a file called TLS with just the number 1 inside under: /etc/pure-ftpd/conf After that it worked fine.
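An added check script, not from the thread, ISPConfig or Pure-FTPd, that covers the two things that mattered in this thread: the Debian package layout, where the pure-ftpd-wrapper builds the daemon's command line from one-option-per-file entries in /etc/pure-ftpd/conf (so a TLS line in pure-ftpd.conf is never read), and the reply a client gets to AUTH TLS (the 500 seen above means TLS is off; 234 means the server will switch to TLS). The function names, the conf directory and certificate path defaults, and the meaning table for the TLS values are this example's own assumptions based on Pure-FTPd's -Y option; the sample FileZilla lines are copied from the post above.

```python
"""Check Pure-FTPd TLS settings (Debian layout) and interpret AUTH TLS replies.
Example code added to this thread; paths below are assumptions for a Debian box."""
import os
import socket

# Assumed defaults: Debian's pure-ftpd-wrapper reads /etc/pure-ftpd/conf/<OPTION>
# files; the compiled-in certificate path is /etc/ssl/private/pure-ftpd.pem.
DEFAULT_CONF_DIR = "/etc/pure-ftpd/conf"
DEFAULT_CERT = "/etc/ssl/private/pure-ftpd.pem"

# Meaning of the single digit in conf/TLS (passed to pure-ftpd as -Y <n>).
TLS_MODES = {
    0: "TLS disabled: cleartext FTP only",
    1: "TLS optional: AUTH TLS accepted, cleartext still allowed",
    2: "TLS required for the control connection (cleartext logins refused)",
    3: "TLS required for control and data connections",
}

# Constructed sample: the FileZilla lines from the post above.
SAMPLE_TRANSCRIPT = [
    "Response: 220 You will be disconnected after 15 minutes of inactivity.",
    "Command: AUTH TLS",
    "Response: 500 This security scheme is not implemented",
    "Command: AUTH SSL",
    "Response: 500 This security scheme is not implemented",
]


def tls_mode_from_text(text):
    """Parse the content of conf/TLS; an empty file counts as 0 (disabled)."""
    text = text.strip()
    if not text:
        return 0
    first = text.split()[0]
    if not first.isdigit() or int(first) not in TLS_MODES:
        raise ValueError("conf/TLS must hold a single digit 0-3, got %r" % text)
    return int(first)


def read_tls_mode(conf_dir=DEFAULT_CONF_DIR):
    """Return the TLS mode the wrapper will use; a missing file means disabled."""
    path = os.path.join(conf_dir, "TLS")
    if not os.path.isfile(path):
        return 0
    with open(path, encoding="ascii") as fh:
        return tls_mode_from_text(fh.read())


def check_cert_pem(path=DEFAULT_CERT):
    """Return a list of problems with the PEM pure-ftpd loads (empty list = ok).
    By default pure-ftpd expects the private key and certificate in one file."""
    if not os.path.exists(path):  # follows symlinks, so a dangling link fails here
        return ["%s does not exist (dangling symlink or missing file)" % path]
    with open(path, "rb") as fh:
        data = fh.read()
    problems = []
    if b"-----BEGIN CERTIFICATE-----" not in data:
        problems.append("no certificate block in %s" % path)
    if b"PRIVATE KEY-----" not in data:
        problems.append("no private key in %s (key and cert belong in one PEM)" % path)
    perms = os.stat(path).st_mode & 0o777
    if perms & 0o044:
        problems.append("%s (mode %o) is group/world readable but holds a key" % (path, perms))
    return problems


def auth_tls_supported(reply):
    """Interpret the FTP reply to AUTH TLS (RFC 4217): 234 = switching to TLS,
    anything else (the thread's 500, or 502/530) = no TLS offered."""
    code = reply[:3]
    if not code.isdigit():
        raise ValueError("malformed FTP reply: %r" % reply)
    return code == "234"


def tls_support_from_transcript(lines):
    """Scan a FileZilla-style log for the reply that followed 'AUTH TLS'.
    Returns True/False, or None if no AUTH TLS exchange is present."""
    for i, line in enumerate(lines):
        if line.strip().endswith("AUTH TLS"):
            for nxt in lines[i + 1:]:
                text = nxt.split(":", 1)[-1].strip()  # drop the 'Response:' prefix
                if text[:3].isdigit():
                    return auth_tls_supported(text)
    return None


def probe_auth_tls(host, port=21, timeout=5.0):
    """Live check against your own server: read the 220 banner, send AUTH TLS,
    return True if the reply is 234. No login is attempted; the socket is
    closed afterwards because a 234 reply expects a TLS handshake next."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        while True:  # multi-line banner ends with '220 ' (space, not dash)
            line = reader.readline()
            if not line or (line.startswith("220") and line[3:4] == " "):
                break
        sock.sendall(b"AUTH TLS\r\n")
        return auth_tls_supported(reader.readline().strip())


if __name__ == "__main__":
    mode = read_tls_mode()
    print("conf/TLS mode %d: %s" % (mode, TLS_MODES[mode]))
    for problem in check_cert_pem():
        print("certificate problem:", problem)
    print("sample FileZilla log shows TLS offered:", tls_support_from_transcript(SAMPLE_TRANSCRIPT))
```

Run it on the FTP server itself after the conf/TLS change and a restart; mode 0 with no certificate problems reported is exactly the state the thread started in (a valid PEM symlinked into place, but the wrapper never told to enable TLS). `probe_auth_tls("web4.example", 21)` gives the same answer FileZilla does, without a login.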