Hi, although /etc/pure-ftpd/pure-ftpd.conf links the new certificate, connecting via FTP complains about an old certificate. Where do I set the correct certificate file?
Depends on your Linux distribution. On Debian and Ubuntu, you do not change any config file if you want to change to a different cert; instead, you would change the symlink to the certificate in the /etc/ssl/private/ folder:

Code:
root@server1:~# ls -la /etc/ssl/private/
total 16
drwx--x--- 2 root ssl-cert 4096 Mar 6 10:04 .
drwxr-xr-x 4 root root 4096 Mar 6 09:39 ..
lrwxrwxrwx 1 root root 50 Mar 6 10:04 pure-ftpd-dhparams.pem -> /usr/local/ispconfig/interface/ssl/dhparam4096.pem
lrwxrwxrwx 1 root root 48 Mar 6 10:04 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
I tried to change it to point to /etc/letsencrypt/live/hosting.digso.at/cert.pem, but pureftp complains:

Code:
Mar 24 08:06:44 hosting.digso.at pure-ftpd[2705951]: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]

although:

Code:
$ ll /etc/ssl/private/pure-ftpd.pem
lrwxrwxrwx 1 root root 48 Mar 24 08:15 /etc/ssl/private/pure-ftpd.pem -> /etc/letsencrypt/live/hosting.digso.at/cert.pem
$ ll /etc/letsencrypt/live/hosting.digso.at/cert.pem
lrwxrwxrwx 1 root root 46 Mar 3 03:01 /etc/letsencrypt/live/hosting.digso.at/cert.pem -> ../../archive/hosting.digso.at-0001/cert25.pem
$ ll /etc/letsencrypt/archive/hosting.digso.at-0001/cert25.pem
-rw-r--r-- 1 root root 2118 Mar 3 03:01 /etc/letsencrypt/archive/hosting.digso.at-0001/cert25.pem

so it should be readable by everyone... Originally it was pointing to /usr/local/ispconfig/interface/ssl/ispserver.pem, which is the intended path, but this certificate doesn't seem to renew automatically anymore. So what is the better solution and how can I make it work?
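The listings above show each link and the mode of the final file. As an added example (not from the thread, and not ISPConfig or pure-ftpd code), this shell function traces such a chain hop by hop and also reports the mode of each containing directory and the PEM block types in the final file. The names `mode`, `trace_cert`, `DEMO_ROOT` and the `example.test` tree are constructed for illustration.

```bash
# Added example: trace a certificate symlink chain hop by hop.
# mode PATH -> permission string of PATH itself (first field of ls -ld).
mode() { ls -ld "$1" | cut -d' ' -f1; }

# trace_cert PATH
# Prints each symlink hop with the mode of the directory holding it, then the
# final file's mode and the PEM block types it contains (labels only, no key
# material). Returns 1 if the chain loops or ends at something unreachable.
trace_cert() {
    local path="$1" target hops=0
    while [ -L "$path" ]; do
        target=$(readlink "$path")
        case $target in
            /*) ;;                                   # absolute target
            *)  target=$(dirname "$path")/$target ;; # relative to the link's directory
        esac
        echo "link $path -> $target (dir $(mode "$(dirname "$path")"))"
        path=$target
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then echo "loop at $path"; return 1; fi
    done
    if [ ! -f "$path" ]; then echo "unreachable $path"; return 1; fi
    echo "file $path (mode $(mode "$path"), dir $(mode "$(dirname "$path")"))"
    sed -n 's/^-----BEGIN \(.*\)-----$/pem \1/p' "$path"
}

# Constructed demo tree that mirrors the layout in the thread; the hostname,
# file names and PEM body are placeholders, not real data.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/private" "$DEMO_ROOT/live/example.test" \
         "$DEMO_ROOT/archive/example.test"
chmod 710 "$DEMO_ROOT/private"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
    '-----END CERTIFICATE-----' > "$DEMO_ROOT/archive/example.test/cert1.pem"
ln -s ../../archive/example.test/cert1.pem "$DEMO_ROOT/live/example.test/cert.pem"
ln -s "$DEMO_ROOT/live/example.test/cert.pem" "$DEMO_ROOT/private/pure-ftpd.pem"
ln -s "$DEMO_ROOT/archive/gone.pem" "$DEMO_ROOT/private/dangling.pem"

trace_cert "$DEMO_ROOT/private/pure-ftpd.pem"
trace_cert "$DEMO_ROOT/private/dangling.pem" || echo "chain is broken"
```

On a real server, run `trace_cert /etc/ssl/private/pure-ftpd.pem` as root, since /etc/ssl/private is not world-traversable.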
Then you might be better off fixing that instead of pointing the pure-ftpd cert to another place. Did you maybe create a website for the server hostname? This might cause the ISPConfig cert to fail to renew.
You could try to do what's described here in chapter "Create auto renewal script": https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

Please note that if anyone finds this thread in the future, the link above is for a legacy setup using certbot only and is not a recommended way of doing this. All recent setups of ISPConfig use acme.sh, and the setup for them is different in case you have a website for the hostname; for acme.sh setups, you can find instructions here: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/