Hi. I'm trying to get ProFTPd to work, with TLS - But when I try to connect with FileZilla I get this error Code: Status: Disconnected from server Status: Resolving address of ftp.** Status: Connecting to 138.201.*.*:21... Status: Connection established, waiting for welcome message... Response: 220 ProFTPD Server (***** FTP Server) [138.201.*.*] Command: AUTH TLS Response: 500 AUTH not understood Command: AUTH SSL Response: 500 AUTH not understood Error: Critical error: Could not connect to server I have followed this guide: https://www.howtoforge.com/tutorial...ver-with-proftpd-and-tls-ssl-on-ubuntu-22-04/ My "proftpd.conf" looks like this: Code: # # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file. # To really apply changes, reload proftpd after modifications, if # it runs in daemon mode. It is not required in inetd/xinetd mode. # # Includes DSO modules Include /etc/proftpd/modules.conf # Set off to disable IPv6 support which is annoying on IPv4 only boxes. UseIPv6 off # If set on you can experience a longer connection delay in many cases. <IfModule mod_ident.c> IdentLookups off </IfModule> ServerName "FutureNode.dk" # Set to inetd only if you would run proftpd by inetd/xinetd/socket. # Read README.Debian for more information on proper configuration. ServerType standalone DeferWelcome off # Disable MultilineRFC2228 per https://github.com/proftpd/proftpd/issues/1085 # MultilineRFC2228on DefaultServer on ShowSymlinks on TimeoutNoTransfer 600 TimeoutStalled 600 TimeoutIdle 1200 DisplayLogin welcome.msg DisplayChdir .message true ListOptions "-l" DenyFilter \*.*/ # Use this to jail all users in their homes DefaultRoot ~ # Users require a valid shell listed in /etc/shells to login. # Use this directive to release that constrain. # RequireValidShelloff # Port 21 is the standard FTP port. Port 21 # In some cases you have to specify passive ports range to by-pass # firewall limitations. Ephemeral ports can be used for that, but # feel free to use a more narrow range. PassivePorts 55521 55555 # If your host was NATted, this option is useful in order to # allow passive tranfers to work. You have to use your public # address and opening the passive ports used on your firewall as well. # MasqueradeAddress 1.2.3.4 # This is useful for masquerading address with dynamic IPs: # refresh any configured MasqueradeAddress directives every 8 hours <IfModule mod_dynmasq.c> # DynMasqRefresh 28800 </IfModule> # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 30 # Set the user and group that the server normally runs at. User proftpd Group nogroup # Umask 022 is a good standard umask to prevent new files and dirs # (second parm) from being group and world writable. Umask 022 022 # Normally, we want files to be overwriteable. AllowOverwrite on # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords: # PersistentPasswd off # This is required to use both PAM-based authentication and local passwords AuthOrder mod_auth_pam.c* mod_auth_unix.c # Be warned: use of this directive impacts CPU average load! # Uncomment this if you like to see progress and transfer rate with ftpwho # in downloads. That is not needed for uploads rates. # # UseSendFile off TransferLog /var/log/proftpd/xferlog SystemLog /var/log/proftpd/proftpd.log # Logging onto /var/log/lastlog is enabled but set to off by default #UseLastlog on # In order to keep log file dates consistent after chroot, use timezone info # from /etc/localtime. If this is not set, and proftpd is configured to # chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight # savings timezone regardless of whether DST is in effect. #SetEnv TZ :/etc/localtime <IfModule mod_quotatab.c> QuotaEngine off </IfModule> <IfModule mod_ratio.c> Ratios off </IfModule> # Delay engine reduces impact of the so-called Timing Attack described in # http://www.securityfocus.com/bid/11430/discuss # It is on by default. <IfModule mod_delay.c> DelayEngine on </IfModule> <IfModule mod_ctrls.c> ControlsEngine off ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /var/run/proftpd/proftpd.sock </IfModule> <IfModule mod_ctrls_admin.c> AdminControlsEngine off </IfModule> # # Alternative authentication frameworks # #Include /etc/proftpd/ldap.conf #Include /etc/proftpd/sql.conf # # This is used for FTPS connections # Include /etc/proftpd/tls.conf # # This is used for SFTP connections # #Include /etc/proftpd/sftp.conf # # This is used for other add-on modules # #Include /etc/proftpd/dnsbl.conf #Include /etc/proftpd/geoip.conf #Include /etc/proftpd/snmp.conf # # Useful to keep VirtualHost/VirtualRoot directives separated # #Include /etc/proftpd/virtuals.conf # A basic anonymous configuration, no upload directories. # <Anonymous ~ftp> # User ftp # Group nogroup # # We want clients to be able to login with "anonymous" as well as "ftp" # UserAlias anonymous ftp # # Cosmetic changes, all files belongs to ftp user # DirFakeUser on ftp # DirFakeGroup on ftp # RequireValidShell on # # # Limit the maximum number of anonymous logins # MaxClients 10 # # # We want 'welcome.msg' displayed at login, and '.message' displayed # # in each newly chdired directory. # DisplayLogin welcome.msg # DisplayChdir .message # # # Limit WRITE everywhere in the anonymous chroot # <Directory *> # <Limit WRITE> # DenyAll # </Limit> # </Directory> # # # Uncomment this if you're brave. # # <Directory incoming> # # # Umask 022 is a good standard umask to prevent new files and dirs # # # (second parm) from being group and world writable. # # Umask022 022 # # <Limit READ WRITE> # # DenyAll # # </Limit> # # <Limit STOR> # # AllowAll # # </Limit> # # </Directory> # # </Anonymous> # Include other custom configuration files # !! Please note, that this statement will read /all/ file from this subdir, # i.e. backup files created by your editor, too !!! # Eventually create file patterns like this: /etc/proftpd/conf.d/*.conf # Include /etc/proftpd/conf.d/ My tls config (tls.conf) looks like this: Code: # # Proftpd sample configuration for FTPS connections. # # Note that FTPS impose some limitations in NAT traversing. # See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html # for more information. # <IfModule mod_tls.c> TLSEngine on TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSLog /var/log/proftpd/tls.log TLSProtocol SSLv23 TLSRequired on #TLSEngine on #TLSLog /var/log/proftpd/tls.log #TLSProtocol SSLv23 # # Server SSL certificate. You can generate a self-signed certificate using # a command like: # # openssl req -x509 -newkey rsa:1024 \ # -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \ # -nodes -days 365 # # The proftpd.key file must be readable by root only. The other file can be # readable by anyone. # # chmod 0600 /etc/ssl/private/proftpd.key # chmod 0640 /etc/ssl/private/proftpd.key # #TLSRSACertificateFile /etc/ssl/certs/proftpd.crt #TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key # # CA the server trusts... #TLSCACertificateFile /etc/ssl/certs/CA.pem # ...or avoid CA cert and be verbose #TLSOptions NoCertRequest EnableDiags # ... or the same with relaxed session use for some clients (e.g. FireFtp) #TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired # # # Per default drop connection if client tries to start a renegotiate # This is a fix for CVE-2009-3555 but could break some clients. # #TLSOptions AllowClientRenegotiations # # Authenticate clients that want to use FTP over TLS? # #TLSVerifyClient off # # Are clients required to use FTP over TLS when talking to this server? # #TLSRequired on # # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotations. Some clients do not support # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these # clients will close the data connection, or there will be a timeout # on an idle data connection. # #TLSRenegotiate required off </IfModule> My Modules config (modules.conf) looks like this: Code: # # This file is used to manage DSO modules and features. # # This is the directory where DSO modules reside ModulePath /usr/lib/proftpd # Allow only user root to load and unload modules, but allow everyone # to see which modules have been loaded ModuleControlsACLs insmod,rmmod allow user root ModuleControlsACLs lsmod allow user * #This is required only if you need to set IdentLookups on #LoadModule mod_ident.c LoadModule mod_ctrls_admin.c # Install proftpd-mod-crypto to use this module for TLS/SSL support. LoadModule mod_tls.c # Even these modules depend on the previous one #LoadModule mod_tls_fscache.c #LoadModule mod_tls_shmcache.c # Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other # SQL backend engine to use this module and the required backend. # This module must be mandatory loaded before anyone of # the existent SQL backeds. #LoadModule mod_sql.c # Install proftpd-mod-ldap to use this for LDAP support. #LoadModule mod_ldap.c # # 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives # are required to have SQL authorization working. You can also comment out the # unused module here, in alternative. # # Install proftpd-mod-mysql and decomment the previous # mod_sql.c module to use this. #LoadModule mod_sql_mysql.c # Install proftpd-mod-pgsql and decomment the previous # mod_sql.c module to use this. #LoadModule mod_sql_postgres.c # Install proftpd-mod-sqlite and decomment the previous # mod_sql.c module to use this #LoadModule mod_sql_sqlite.c # Install proftpd-mod-odbc and decomment the previous # mod_sql.c module to use this #LoadModule mod_sql_odbc.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sql_passwd.c LoadModule mod_radius.c LoadModule mod_quotatab.c LoadModule mod_quotatab_file.c # Install proftpd-mod-ldap to use this #LoadModule mod_quotatab_ldap.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_quotatab_sql.c LoadModule mod_quotatab_radius.c # Install proftpd-mod-wrap module to use this #LoadModule mod_wrap.c LoadModule mod_rewrite.c LoadModule mod_load.c LoadModule mod_ban.c LoadModule mod_wrap2.c LoadModule mod_wrap2_file.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_wrap2_sql.c LoadModule mod_dynmasq.c LoadModule mod_exec.c LoadModule mod_shaper.c LoadModule mod_ratio.c LoadModule mod_site_misc.c # Install proftpd-mod-crypto to use this module for SFTP support. #LoadModule mod_sftp.c #LoadModule mod_sftp_pam.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sftp_sql.c LoadModule mod_facl.c LoadModule mod_unique_id.c LoadModule mod_copy.c LoadModule mod_deflate.c LoadModule mod_ifversion.c LoadModule mod_memcache.c # Install proftpd-mod-crypto to use this module for TLS/SSL support. #LoadModule mod_tls_memcache.c #LoadModule mod_redis.c # Install proftpd-mod-crypto to use this module for TLS/SSL support. #LoadModule mod_tls_redis.c #LoadModule mod_wrap2_redis.c #LoadModule mod_auth_otp.c LoadModule mod_readme.c # Install proftpd-mod-geoip to use the GeoIP feature #LoadModule mod_geoip.c # Install proftpd-mod-snmp to use the SNMP feature #LoadModule mod_snmp.c # keep this module the last one LoadModule mod_ifsession.c EDIT 1: No errors show in the var/log/proftpd/ EDIT 2: I use FileZilla as a client EDIT 3: The server works fine without SSL
Hi, edit your tls.conf and set these: Code: <IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol SSLv23 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSOptions AllowClientRenegotiations TLSRequired on </IfModule> Make sure to check the permissions on the key and cert aswell or just set them again: Code: sudo chmod 600 /etc/ssl/private/proftpd.key sudo chmod 600 /etc/ssl/certs/proftpd.crt Then restart the service with this: Code: sudo systemctl restart proftpd Try with filezilla again, and check the /var/log/proftpd/tls.log file afterwards.
Hi @pyte - Thanks for your answer I have followed the steps.... My "/etc/proftpd/tls.conf" now look like this: Code: # # Proftpd sample configuration for FTPS connections. # # Note that FTPS impose some limitations in NAT traversing. # See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html # for more information. # <IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol SSLv23 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSOptions AllowClientRenegotiations TLSRequired on </IfModule> #TLSEngine on #TLSLog /var/log/proftpd/tls.log #TLSProtocol SSLv23 # # Server SSL certificate. You can generate a self-signed certificate using # a command like: # # openssl req -x509 -newkey rsa:1024 \ # -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \ # -nodes -days 365 # # The proftpd.key file must be readable by root only. The other file can be # readable by anyone. # # chmod 0600 /etc/ssl/private/proftpd.key # chmod 0640 /etc/ssl/private/proftpd.key # #TLSRSACertificateFile /etc/ssl/certs/proftpd.crt #TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key # # CA the server trusts... #TLSCACertificateFile /etc/ssl/certs/CA.pem # ...or avoid CA cert and be verbose #TLSOptions NoCertRequest EnableDiags # ... or the same with relaxed session use for some clients (e.g. FireFtp) #TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired # # # Per default drop connection if client tries to start a renegotiate # This is a fix for CVE-2009-3555 but could break some clients. # #TLSOptions AllowClientRenegotiations # # Authenticate clients that want to use FTP over TLS? # #TLSVerifyClient off # # Are clients required to use FTP over TLS when talking to this server? # #TLSRequired on # # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotations. Some clients do not support # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these # clients will close the data connection, or there will be a timeout # on an idle data connection. # #TLSRenegotiate required off #</IfModule> In the /var/log/proftpd dir, there is only 3 files... controls.log -- empty xferlog -- empty proftpd.log - look like this: Code: 2023-03-21 14:06:42,130 skytower.futurenode.dk proftpd[3704842] skytower.futurenode.dk: ProFTPD 1.3.7c (maint) (built Fri Dec 3 2021 13:35:22 UTC) standalone mode STARTUP 2023-03-21 14:13:12,448 skytower.futurenode.dk proftpd[3704842] skytower.futurenode.dk: ProFTPD killed (signal 15) 2023-03-21 14:13:12,449 skytower.futurenode.dk proftpd[3704842] skytower.futurenode.dk: ProFTPD 1.3.7c standalone mode SHUTDOWN 2023-03-21 14:13:15,925 skytower.futurenode.dk proftpd[3705392] skytower.futurenode.dk: ProFTPD 1.3.7c (maint) (built Fri Dec 3 2021 13:35:22 UTC) standalone mode STARTUP 2023-03-21 14:13:17,126 skytower.futurenode.dk proftpd[3705392] skytower.futurenode.dk: ProFTPD killed (signal 15) 2023-03-21 14:13:17,126 skytower.futurenode.dk proftpd[3705392] skytower.futurenode.dk: ProFTPD 1.3.7c standalone mode SHUTDOWN 2023-03-21 14:13:17,147 skytower.futurenode.dk proftpd[3705398] skytower.futurenode.dk: ProFTPD 1.3.7c (maint) (built Fri Dec 3 2021 13:35:22 UTC) standalone mode STARTUP 2023-03-21 14:17:53,407 skytower.futurenode.dk proftpd[3705398] skytower.futurenode.dk: ProFTPD killed (signal 15) 2023-03-21 14:17:53,407 skytower.futurenode.dk proftpd[3705398] skytower.futurenode.dk: ProFTPD 1.3.7c standalone mode SHUTDOWN EDIT: The FileZilla log look like this: Code: Status: Resolving address of ftp.futurenode.dk Status: Connecting to 138.201.226.246:21... Status: Connection established, waiting for welcome message... Response: 220 ProFTPD Server (ProFTPD) [::ffff:138.201.226.246] Command: AUTH TLS Response: 500 AUTH not understood Command: AUTH SSL Response: 500 AUTH not understood Error: Critical error: Could not connect to server EDIT 2 I have try to reboot the hole server, but it did not help.. Regards Thomas
Can you please change the modules.conf to look like this: Code: # Install proftpd-mod-crypto to use this module for TLS/SSL support. LoadModule mod_tls.c # Even these modules depend on the previous one LoadModule mod_tls_fscache.c LoadModule mod_tls_shmcache.c After that restart the service again and run this: Code: /usr/sbin/proftpd --configtest -c /etc/proftpd/proftpd.conf If that seems fine too, check the certificates from another host with: Code: openssl s_client -connect yourdomain.tld:21 -starttls ftp
Hi @pyte Thanks for the answer. I have changed the "modules.conf" to this Code: # # This file is used to manage DSO modules and features. # # This is the directory where DSO modules reside ModulePath /usr/lib/proftpd # Allow only user root to load and unload modules, but allow everyone # to see which modules have been loaded ModuleControlsACLs insmod,rmmod allow user root ModuleControlsACLs lsmod allow user * #This is required only if you need to set IdentLookups on #LoadModule mod_ident.c LoadModule mod_ctrls_admin.c # Install proftpd-mod-crypto to use this module for TLS/SSL support. LoadModule mod_tls.c # Even these modules depend on the previous one LoadModule mod_tls_fscache.c LoadModule mod_tls_shmcache.c # Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other # SQL backend engine to use this module and the required backend. # This module must be mandatory loaded before anyone of # the existent SQL backeds. #LoadModule mod_sql.c # Install proftpd-mod-ldap to use this for LDAP support. #LoadModule mod_ldap.c # # 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives # are required to have SQL authorization working. You can also comment out the # unused module here, in alternative. # # Install proftpd-mod-mysql and decomment the previous # mod_sql.c module to use this. #LoadModule mod_sql_mysql.c # Install proftpd-mod-pgsql and decomment the previous # mod_sql.c module to use this. #LoadModule mod_sql_postgres.c # Install proftpd-mod-sqlite and decomment the previous # mod_sql.c module to use this #LoadModule mod_sql_sqlite.c # Install proftpd-mod-odbc and decomment the previous # mod_sql.c module to use this #LoadModule mod_sql_odbc.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sql_passwd.c LoadModule mod_radius.c LoadModule mod_quotatab.c LoadModule mod_quotatab_file.c # Install proftpd-mod-ldap to use this #LoadModule mod_quotatab_ldap.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_quotatab_sql.c LoadModule mod_quotatab_radius.c # Install proftpd-mod-wrap module to use this #LoadModule mod_wrap.c LoadModule mod_rewrite.c LoadModule mod_load.c LoadModule mod_ban.c LoadModule mod_wrap2.c LoadModule mod_wrap2_file.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_wrap2_sql.c LoadModule mod_dynmasq.c LoadModule mod_exec.c LoadModule mod_shaper.c LoadModule mod_ratio.c LoadModule mod_site_misc.c # Install proftpd-mod-crypto to use this module for SFTP support. #LoadModule mod_sftp.c #LoadModule mod_sftp_pam.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sftp_sql.c LoadModule mod_facl.c LoadModule mod_unique_id.c LoadModule mod_copy.c LoadModule mod_deflate.c LoadModule mod_ifversion.c LoadModule mod_memcache.c # Install proftpd-mod-crypto to use this module for TLS/SSL support. #LoadModule mod_tls_memcache.c #LoadModule mod_redis.c # Install proftpd-mod-crypto to use this module for TLS/SSL support. #LoadModule mod_tls_redis.c #LoadModule mod_wrap2_redis.c #LoadModule mod_auth_otp.c LoadModule mod_readme.c # Install proftpd-mod-geoip to use the GeoIP feature #LoadModule mod_geoip.c # Install proftpd-mod-snmp to use the SNMP feature #LoadModule mod_snmp.c # keep this module the last one LoadModule mod_ifsession.c And installed this packet: proftpd-mod-crypto Then I run this command: Code: sudo systemctl restart proftpd But if I run: Code: sudo systemctl status proftpd - I get this warning. Code: Mar 22 12:22:19 skytower.futurenode.dk systemd[1]: Starting ProFTPD FTP Server... Mar 22 12:22:19 skytower.futurenode.dk proftpd[8213]: Checking syntax of configuration file Mar 22 12:22:19 skytower.futurenode.dk proftpd[8213]: 2023-03-22 12:22:19,985 skytower.futurenode.dk proftpd[8213]: mod_memcache/0.1: compiled using libmemcached-1.0.18 headers, but linked to libmemcached-1.1.3 library Mar 22 12:22:19 skytower.futurenode.dk proftpd[8213]: 2023-03-22 12:22:19,985 skytower.futurenode.dk proftpd[8213]: warning: handling possibly truncated configuration data at line 120 of '/etc/proftpd/modules.conf' Mar 22 12:22:19 skytower.futurenode.dk proftpd[8214]: 2023-03-22 12:22:19,995 skytower.futurenode.dk proftpd[8214]: mod_memcache/0.1: compiled using libmemcached-1.0.18 headers, but linked to libmemcached-1.1.3 library Mar 22 12:22:19 skytower.futurenode.dk proftpd[8214]: 2023-03-22 12:22:19,995 skytower.futurenode.dk proftpd[8214]: warning: handling possibly truncated configuration data at line 120 of '/etc/proftpd/modules.conf' Mar 22 12:22:20 skytower.futurenode.dk systemd[1]: Started ProFTPD FTP Server. Now I run this command: Code: /usr/sbin/proftpd --configtest -c /etc/proftpd/proftpd.conf And I get this output: Code: root@skytower /var/log/proftpd # /usr/sbin/proftpd --configtest -c /etc/proftpd/proftpd.conf Checking syntax of configuration file 2023-03-22 12:25:05,084 skytower.futurenode.dk proftpd[8327]: mod_memcache/0.1: compiled using libmemcached-1.0.18 headers, but linked to libmemcached-1.1.3 library 2023-03-22 12:25:05,084 skytower.futurenode.dk proftpd[8327]: warning: handling possibly truncated configuration data at line 120 of '/etc/proftpd/modules.conf' Syntax check complete. root@skytower /var/log/proftpd # I now run this command: Code: openssl s_client -connect ftp.futurenode.dk:21 -starttls ftp And I then get this output: Code: root@skytower /var/log/proftpd # openssl s_client -connect ftp.futurenode.dk:21 -starttls ftp CONNECTED(00000003) write:errno=32 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 10 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- root@skytower /var/log/proftpd # The /var/log/proftpd/ show this warning / error Code: 2023-03-22 12:14:23,316 skytower.futurenode.dk proftpd[7145] skytower.futurenode.dk (5.186.54..static.fibianet.dk[5.186.54.]): mod_tls.c: error initializing session: No such file or directory 2023-03-22 12:16:35,271 skytower.futurenode.dk proftpd[7373] skytower.futurenode.dk (skytower.futurenode.dk[138.201.226.246]): mod_tls/2.9: error loading TLSRSACertificateFile '/etc/ssl/certs/proftpd.crt': (1) error:0A00018F:SSL routines::ee key too small 2023-03-22 12:16:35,271 skytower.futurenode.dk proftpd[7373] skytower.futurenode.dk (skytower.futurenode.dk[138.201.226.246]): mod_tls.c: error initializing session: No such file or directory 2023-03-22 12:16:49,586 skytower.futurenode.dk proftpd[7378] skytower.futurenode.dk (5.186.54..static.fibianet.dk[5.186.54.]): mod_tls/2.9: error loading TLSRSACertificateFile '/etc/ssl/certs/proftpd.crt': (1) error:0A00018F:SSL routines::ee key too small 2023-03-22 12:16:49,586 skytower.futurenode.dk proftpd[7378] skytower.futurenode.dk (5.186.54..static.fibianet.dk[5.186.54.]): mod_tls.c: error initializing session: No such file or directory 2023-03-22 12:16:54,635 skytower.futurenode.dk proftpd[7379] skytower.futurenode.dk (5.186.54..static.fibianet.dk[5.186.54.]): mod_tls/2.9: error loading TLSRSACertificateFile '/etc/ssl/certs/proftpd.crt': This tls.log now show this Code: 2023-03-22 12:12:11,516 mod_tls/2.9[6643]: error initializing OpenSSL context for this session 2023-03-22 12:12:28,970 mod_tls/2.9[6645]: error initializing OpenSSL context for this session 2023-03-22 12:12:34,025 mod_tls/2.9[6646]: error initializing OpenSSL context for this session 2023-03-22 12:12:48,327 mod_tls/2.9[6663]: error initializing OpenSSL context for this session 2023-03-22 12:12:53,382 mod_tls/2.9[6668]: error initializing OpenSSL context for this session 2023-03-22 12:14:18,258 mod_tls/2.9[7144]: error initializing OpenSSL context for this session 2023-03-22 12:14:23,316 mod_tls/2.9[7145]: error initializing OpenSSL context for this session 2023-03-22 12:16:35,271 mod_tls/2.9[7373]: error initializing OpenSSL context for this session 2023-03-22 12:16:49,586 mod_tls/2.9[7378]: error initializing OpenSSL context for this session 2023-03-22 12:16:54,635 mod_tls/2.9[7379]: error initializing OpenSSL context for this session 2023-03-22 12:17:04,580 mod_tls/2.9[7384]: error initializing OpenSSL context for this session 2023-03-22 12:17:09,629 mod_tls/2.9[7385]: error initializing OpenSSL context for this session 2023-03-22 12:26:48,198 mod_tls/2.9[8335]: error initializing OpenSSL context for this session BTW.. I can't connect to the server now.. EDIT: Filezilla log: Code: Status: Resolving address of ftp.futurenode.dk Status: Connecting to 138.201.226.246:21... Status: Connection established, waiting for welcome message... Error: Connection closed by server Error: Could not connect to server
Is the certificate located there? And are the permission correct? The "TLSRequired yes" denies connections without TLS, so if you want to use unencrypted, remove that line
Yes.. The file is there... and it has chmod 600 /etc/ssl/private/proftpd.key /etc/ssl/certs/proftpd.crt
Well one last idea, the certificate may be to weak. Regenerate them with this: Code: openssl req -x509 -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365 chmod 600 /etc/ssl/private/proftpd.key chmod 600 /etc/ssl/certs/proftpd.crt Restart the service and check again
Great news! I am a bit confused why a guide for 22.04 generates a certificate with only rsa1024. I will comment on the guide
