Understanding openssl cert for PureFTPd

Discussion in 'Installation/Configuration' started by TonyG, Sep 9, 2022.

  1. TonyG

    TonyG Active Member

    The Perfect Server docs detail usage of certbot/LE for web servers, and openssl for PureFTPd. I believe I understand some reasons why different methods are used for each, but I'd like to hear it from you guys. My guesses are: 1) LE wasn't supported in the past, so the openssl command is just a legacy instruction that hasn't required a change. 2) The openssl command generates a self-signed cert, which some might prefer to getting a cert from a CA, even LE. 3) Some admins might not want a renewing cert for FTP, and LE certs have a max 90 day lifetime.

    But the instructions are provided in the Perfect docs like openssl is the only way to do this, with no indication that LE is an alternative. I can't tell if this is intentional.

    For secure FTP, is there any reason not to use 4096 bits? There used to be a Java limit that was related to this (I forgot how) but not anymore.

    Related:
    The openssl command for dhparam isn't in the Ubuntu Perfect guides, though I know it was added to Debian.
    For anyone else using LE, I believe the DH file needs to be created for either method, certbot or openssl.
    The latest details posted by @Yasin Karabulak are awesome - about SNI for PureFTPd. I don't have personal need for this, too small here, but while some folks don't care, for others it's a big deal. I hope that gets separated out into a HowTo so it's not lost to history in the forum.

    Thanks.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Since ISPConfig 3.2 (or was it maybe even 3.1?), ISPConfig takes care of managing all SSL certs for the system, incl. the one for pure-ftpd, and also creates the dhparam files if needed, no matter if you use any of the manual perfect server guides or the auto-installer, and there is also no need to create any dhparam files. That's why all the guides still work perfectly and use LE, even the older ones. The self-signed SSL cert created for pure-ftpd is overwritten at install anyway; it was used in older ISPConfig versions several years ago. We did not remove the step as users might stop at that chapter, and pure-ftpd would then fail to start due to the missing cert. Always keep in mind that ISPConfig 3 has been under active development for about 15 years now, so things evolved and changed over time.

    So there is nothing missing in any of the guides and also LE works perfectly fine on any of them. The self-signed SSL cert used in case of a LE failure has 4096 bits.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw, you added the tag SFTP to a post which is about FTP, so I guess it's better I explain the differences between SFTP and FTPS here again, as this is often mixed up by users.

    The short form is: SFTP is not FTP, it is SSH, while FTPS is a secure form of FTP. SFTP is provided by sshd and not by pure-ftpd, so something quite different, even if SFTP and FTPS both allow file transfers from and to the server.

    SFTP is SSH file transfer protocol while FTPS is FTP over SSL/TLS. So when you want to use SFTP, you must create a shell user, while if you want to use FTPS, you create an FTP user.
     
    Yasin Karabulak likes this.
  4. TonyG

    TonyG Active Member

    Typo on the tag fixed. Thanks for the quick and thorough response. I've been revising scripts, verifying with Perfect docs, in preparation for a new installation followed by Migration Tool. Didn't know these changes were already in the latest versions and will disable my own cert handling.

    Ongoing appreciation to all who contribute to this fine software - as seen here, it just keeps getting better.
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    In short, ISPConfig has already been using LE SSL certs for about 5 years, and dhparam is already part of its installation (for ftp and others). However, the latter is not related to SNI, and as I said in the link that you mentioned, it is not worth it.

    The only thing I haven't checked or followed up, because to me it is not that important, is how the ISPConfig auto installer created dhparam, which I think is still using 2048 instead of 4096 because the latter would take longer time.

    As originally suggested by @Steini86 in his post in another thread, the idea is to use pre-defined DHE groups, pasting them in instead of generating them, which definitely takes a lot of time depending on the machine.

    Using this is actually recommended by the IETF in RFC 7919 and the suggested ffdhe4096 is simply just this:
    Code:
    -----BEGIN DH PARAMETERS-----
    MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
    +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
    87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
    YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
    7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
    ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
    7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
    nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
    8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
    iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
    zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
    -----END DH PARAMETERS-----
    
    In the same thread, I was personally skeptical about this, but I proposed it to be used in the ISPConfig auto installer since it will save time in installing ISPConfig and is actually considered more secure than a self-created one.

    I am not sure what is the current status of this suggestion because it was made only in this forum.
     
    Yasin Karabulak and Steini86 like this.
  6. Yasin Karabulak

    Yasin Karabulak New Member

    Hello everyone,
    In my needed scenario (as I mention in the steps in this post) I use the ftp server outside of the ispconfig3 box (only DNS), because I can't use port 21 with the domain's cert. But this is not the real issue.
    We need some modifications over the original structure:
    1st: the pure-certd binary implemented in the pure-ftpd package.
    2nd: we already have LE managed by ISPConfig, but we can't select a certificate for port 21.
    3rd: a simple line appended to pure-ftpd-wrapper (ExtCert).
    4th: a simple shell script and its service for the SNI socket.

    So I compiled a package of pure-ftpd that includes the pure-certd tool.
    For an SNI-supporting pure-ftpd FTPS server: the pure-certd tool and a modification to the pure-ftpd-wrapper Perl script. These steps are the key points of a working FTPS server using pure-ftpd with TLS&SNI.

    I don't have much knowledge about ISPConfig even though I have been using it since 2015.
    In ISPConfig, if it is possible, a precompiled pure-ftpd package might be added for Linux admins like me, and a simple sed command can append a line for the ExtCert config.

    From the outside it always looks simple though :)

    Sincerely,
    Yasin

    P.S. this is my second post on the forum so i can share an outside link after this (I couldn't),
     
    Last edited: Sep 28, 2022
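The "simple shell script" in the setup above is the piece that pure-certd calls to decide which certificate to present for a given SNI name, and it is also the piece that takes attacker-controlled input (the SNI name) and turns it into a file path. Below is an added example of such a handler, written in Python rather than shell, not pure-ftpd's, ISPConfig's or the post author's script. It assumes the request/reply keywords as I remember them from pure-ftpd's README.TLS (request lines `action:cert`, `sni_name:<host>`, `end` on stdin; reply `action:allow` with `cert_file:` and `key_file:` lines, or `action:default` to fall back to the certificate from pure-ftpd.conf, each terminated by `end`), so confirm them against the README.TLS of the pure-ftpd version you compiled. It also assumes certificates live under `CERT_ROOT` in the Let's Encrypt `live/<domain>/fullchain.pem` + `privkey.pem` layout. The `exists` parameter only exists so the lookup can be exercised without a real filesystem.

```python
#!/usr/bin/env python3
"""SNI certificate selector for pure-ftpd's pure-certd.

Added example, not pure-ftpd's, ISPConfig's or the post author's script.
Protocol keywords and the certificate layout are assumptions (see lead-in).
"""
import os
import re
import sys

CERT_ROOT = "/etc/letsencrypt/live"   # assumption: Let's Encrypt 'live' layout

# The SNI name comes from the client and is used to build a path, so it is
# accepted only as a plain lowercase FQDN: no '/', no '..', no empty label.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def parse_request(text: str) -> dict:
    """Turn 'key:value' request lines (up to 'end') into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "end":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def resolve(sni: str, cert_root: str = CERT_ROOT, exists=os.path.isfile):
    """Return (cert_file, key_file) for an SNI name, or None if no match."""
    name = sni.strip().lower().rstrip(".")
    if len(name) > 253 or not HOSTNAME_RE.match(name):
        return None                        # refuse anything but a clean FQDN
    candidates = [name]
    if name.startswith("www."):
        # assumption: the cert issued for example.com also covers www.example.com
        candidates.append(name[4:])
    for cand in candidates:
        cert = os.path.join(cert_root, cand, "fullchain.pem")
        key = os.path.join(cert_root, cand, "privkey.pem")
        if exists(cert) and exists(key):
            return cert, key
    return None


def handle(request: str, cert_root: str = CERT_ROOT, exists=os.path.isfile) -> str:
    """Build the reply for one pure-certd request."""
    fields = parse_request(request)
    if fields.get("action") != "cert":
        return "action:default\nend\n"
    found = resolve(fields.get("sni_name", ""), cert_root, exists)
    if found is None:
        return "action:default\nend\n"     # fall back to the cert in pure-ftpd.conf
    cert, key = found
    return f"action:allow\ncert_file:{cert}\nkey_file:{key}\nend\n"


def read_request(stream) -> str:
    """Collect request lines up to and including 'end' (stdin may stay open)."""
    lines = []
    for line in stream:
        lines.append(line)
        if line.strip() == "end":
            break
    return "".join(lines)


if __name__ == "__main__":
    sys.stdout.write(handle(read_request(sys.stdin)))
    sys.stdout.flush()
```

The hostname check is the whole security story of this script: pure-certd runs the handler as a privileged user with read access to private keys, so a name like `../../etc/ssl/private/server` must never reach `os.path.join`. Unknown or malformed names get `action:default` rather than `action:deny`, which keeps clients without SNI working on the certificate configured in pure-ftpd.conf.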
  7. Yasin Karabulak

    Yasin Karabulak New Member

    It is Turkish, but commands are universal :)
    When I get a chance i will write it in English
    TLS, SNI supported pure-ftpd FTPS Server Installation
    https://yasinkarabulak.com/tr/gnu-linux/hosting-ortami/ftp-server/tls-sni-destekli-pure-ftpd-ftps-server-kurulumu/
    Full steps of the server installation.

    Have a nice day.
     
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    the certd package should be included in pure-ftpd 1.0.49 so an install from the default apt repo on ubuntu 22.04 should have it, although ispconfig doesn't support that version yet. i believe debian 11 also already has it.

    unfortunately, ispconfig also doesn't yet support pure-ftpd SNI, although it can be managed manually. there was a post on here not too long ago where someone gave instructions on how they set it up: https://forum.howtoforge.com/threads/pure-ftpd-sni-with-letsencrypt.85488/
     
    Yasin Karabulak likes this.
  9. Yasin Karabulak

    Yasin Karabulak New Member

    Unfortunately Bullseye doesn't have pure-certd and i am using Debian all of my hosting needs. I don't know Ubuntu side.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yasin Karabulak likes this.
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    just created a new vm to double-check the pure-ftpd-mysql install on ubuntu 22.04
    by default it installs pure-ftpd v1.0.50 and pure-certd is installed along with it, the binary is available at /usr/sbin/pure-certd

    20.04 is still only installing pure-ftpd-mysql 1.0.49-4 and is missing the pure-certd binary.
     
    Yasin Karabulak likes this.
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Noted that it should but it doesn't install pure-certd by default.

    Did you also create a new vm for ubuntu 20.04, as I wish to know whether it doesn't install because it was merely updating it and not installing it fresh? Does that make sense to you?
     
  14. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    not created a new vm for ubuntu 20.04, but i did install a fresh pure-ftpd-mysql onto a 20.04 vm that didn't have any ftp / mysql / apache stuff already installed on it. the 1.0.49-4 release definitely doesn't include the pure-certd binary.

    i'm sure i remember also trying to install a 1.0.49 release on ubuntu 22.04 prior to the 1.0.50 release being added to the ubuntu repo, and that didn't install a pure-certd binary either, but i could be misremembering that.
     
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    So it is truly a bug in pure-ftpd-common for pure-ftpd-mysql 1.0.49-4 install or update for Ubuntu 20.04 which supposedly should have pure-certd binary in it.

    1.0.49 alone doesn't have it because it supposedly should be available from 1.0.49-4.
     
    Yasin Karabulak likes this.
