The Perfect Server docs detail usage of certbot/LE for web servers, and openssl for PureFTPd. I believe I understand some reasons about why different methods are used for each, but I'd like to hear it from you guys. My guesses are: 1) LE wasn't supported in the past so the openssl command is just a legacy instruction that hasn't required a change. 2) The openssl command generates a self-signed cert, which some might prefer to getting a cert from a CA, even LE. 3) Some admins might not want a renewing cert for FTP and LE certs have a max 90 day lifetime. But the instructions are provided in the Perfect docs like openssl is the only way to do this, with no indication that LE is an alternative. I can't tell if this is intentional. For secure FTP, is there any reason not to use 4096 bits? There used to be a Java limit that was related to this (I forgot how) but not anymore. Related: The openssl command for dhparam isn't in the Ubuntu Perfect guides, though I know it was added to Debian. For anyone else using LE, I believe the DH file needs to be created for either method, certbot or openssl. The latest details posted by @Yasin Karabulak are awesome - about SNI for PureFTPd. I don't have personal need for this, too small here, but while some folks don't care, for others it's a big deal. I hope that gets separated out into a HowTo so it's not lost to history in the forum. Thanks.
Since ISPConfig 3.2 (or was it maybe even 3.1 ?), ISPConfig takes care of managing all SSL certs for the system incl. the one from pure-ftpd and also creates the dhparam files if needed, no matter if you use any of the manual perfect server guides or the auto-installer and there is also no need to create any dhparam files, that's why all the guides work still perfectly and use LE, even the older ones. The self-signed SSL cert created for pure-ftpd is overridden at install anyway, it was used in older ISPConfig versions several years ago. We did not remove the step as users might stop at that chapter as pure-ftpd would fail to start then due to the missing cert. Always keep in mind that ISPConfig 3 is under active development for about 15 years now, so things evolved and changed over time. So there is nothing missing in any of the guides and also LE works perfectly fine on any of them. The self-signed SSL cert used in case of a LE failure has 4096 bits.
Btw. You added a tag SFTP to the post which is about FTP, so I guess it's better I'll explain the differences between SFTP and FTPS here again as this is often mixed up by users. The short form is: SFTP is not FTP, it is SSH. While FTPS is a secure form of FTP. SFTP is provided by sshd and not pure-ftpd, so something quite different. Even if SFTP and FTPS both allow file transfers from and to the server. SFTP is SSH file transfer protocol while FTPS is FTP over SSL/TLS. So when you want to use SFTP, you must create a shell user, while if you want to use FTPS, you create an FTP user.
Typo on the tag fixed. Thanks for the quick and thorough response. I've been revising scripts, verifying with Perfect docs, in preparation for a new installation followed by Migration Tool. Didn't know these changes were already in the latest versions and will disable my own cert handling. Ongoing appreciation to all who contribute to this fine software - as seen here, it just keeps getting better.
In short, ISPConfig has already used LE SSL certs for about 5 years and dhparam is already part of its installation (for FTP and others). However, the latter is not related to SNI, but as I said in the link that you mentioned, it is not worth it. The only thing I haven't checked or followed up, because to me it is not that important, is how the ISPConfig auto installer creates dhparam, which I think is still using 2048 instead of 4096 because the latter would take a longer time. What was originally suggested by @Steini86 in his post in another thread is to use pre-defined DHE groups, pasting them in instead of generating them, which definitely takes a lot of time depending on the machine. Using this is actually recommended by the IETF in RFC 7919, and the suggested ffdhe4096 is simply just this:

Code:
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----

In the same thread, I was personally skeptical about this, but I proposed it to be used in the ISPConfig auto installer since it will save time in installing ISPConfig and is actually considered more secure than a self-created one. I am not sure what the current status of this suggestion is because it was made only in this forum.
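Before a pre-defined group like the one pasted above is dropped into a server configuration, it is worth confirming that the blob really is what it claims to be: a 4096-bit safe prime (p and (p-1)/2 both prime) with generator 2 and the RFC 7919 shape (top and bottom 64 bits all ones). The following script is an added example, not code from this thread or from ISPConfig; it embeds the PEM block from the post above verbatim, decodes it with a minimal DER parser (a DH parameter file is just SEQUENCE { INTEGER p, INTEGER g }) and runs those checks using a Miller-Rabin primality test, so it needs nothing beyond the Python standard library. `openssl dhparam -check` performs the same kind of validation; this shows what that validation consists of.

```python
import base64
import random

# DH parameters exactly as pasted in the post above (RFC 7919 ffdhe4096).
FFDHE4096_PEM = """-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----
"""


def _read_der_length(der, pos):
    """Decode a DER length field at der[pos]; return (length, next_pos)."""
    first = der[pos]
    pos += 1
    if first < 0x80:                       # short form: one byte
        return first, pos
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(der[pos:pos + n], "big"), pos + n


def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (PKCS#3 DHParameter)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if der[0] != 0x30:                     # SEQUENCE
        raise ValueError("expected SEQUENCE")
    _, pos = _read_der_length(der, 1)
    values = []
    for _ in range(2):                     # INTEGER p, INTEGER g
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length, pos = _read_der_length(der, pos + 1)
        values.append(int.from_bytes(der[pos:pos + length], "big", signed=True))
        pos += length
    if pos != len(der):
        raise ValueError("trailing data after DHParameter")
    return values[0], values[1]


def is_probable_prime(n, rounds=8):
    """Miller-Rabin test; deterministic seed so results are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:                      # n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    rng = random.Random(7919)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # composite witness found
    return True


def check_dh_params(pem, min_bits=4096):
    """Run the checks a server operator wants before trusting a pasted group."""
    p, g = parse_dh_params(pem)
    q = (p - 1) // 2
    ones64 = (1 << 64) - 1
    return {
        "bits": p.bit_length(),
        "large_enough": p.bit_length() >= min_bits,
        "generator_is_2": g == 2,
        "p_is_prime": is_probable_prime(p),
        "q_is_prime": is_probable_prime(q),          # safe prime: (p-1)/2 prime too
        # RFC 7919 groups are 2^b - 2^(b-64) + k*2^64 - 1: all-ones high and low 64 bits
        "rfc7919_shape": (p >> (p.bit_length() - 64)) == ones64 and (p & ones64) == ones64,
    }


if __name__ == "__main__":
    for name, ok in check_dh_params(FFDHE4096_PEM).items():
        print(f"{name}: {ok}")
```

The safe-prime check is the expensive part (two 4096-bit Miller-Rabin runs), but it is exactly the property that makes a pasted group safe to use with DHE, and it takes well under a minute compared with the hours `openssl dhparam 4096` can spend generating a fresh one.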
Hello everyone, In my needed scenario (as I mentioned the steps in this post) I use the FTP server outside of the ispconfig3 box (only DNS), because I can't use port 21 with the domain's cert. But this is not the real issue. We need some modifications over the original structure:
1st, a pure-ftpd package with the pure-certd binary included.
2nd, we already have LE managed by ISPConfig but we can't select the certificate for port 21.
3rd, a simple line appended to pure-ftpd-wrapper (ExtCert).
4th, a simple shell script and its service for the SNI socket.
So I compiled a package of pure-ftpd that includes the pure-certd tool. For the SNI-supported pure-ftpd FTPS server: the pure-certd tool and a modification of the pure-ftpd-wrapper perl script. These steps are the key points of a working FTPS server using pure-ftpd with TLS & SNI. I don't have much knowledge about ISPConfig even though I have been using it since 2015. In ISPConfig, if it is possible, a precompiled pure-ftpd package might be added for Linux admins like me, and a simple sed command can append a line for the ExtCert config. From the outside it always looks simple though. Sincerely, Yasin P.S. This is my second post on the forum so I can share an outside link after this (I couldn't).
It is Turkish, but the commands are universal. When I get a chance I will write it in English. TLS, SNI supported pure-ftpd FTPS Server Installation: https://yasinkarabulak.com/tr/gnu-linux/hosting-ortami/ftp-server/tls-sni-destekli-pure-ftpd-ftps-server-kurulumu/ Full steps of the server installation. Have a nice day.
the certd package should be included in pure-ftpd 1.0.49 so an install from the default apt repo on ubuntu 22.04 should have it, although ispconfig doesn't support that version yet. i believe debian 11 also already has it. unfortunately, ispconfig also doesn't yet support pure-ftpd SNI, although it can be managed manually. there was a post on here not too long ago where someone gave instructions on how they set it up: https://forum.howtoforge.com/threads/pure-ftpd-sni-with-letsencrypt.85488/
Unfortunately Bullseye doesn't have pure-certd and i am using Debian all of my hosting needs. I don't know Ubuntu side.
According to its manual, it is already available to Ubuntu 20.04 - https://manpages.ubuntu.com/manpages/focal/en/man8/pure-certd.8.html
on ubuntu 20.04, it installs the manpages for it. but not the pure-certd binary itself. https://answers.launchpad.net/ubuntu/+source/pure-ftpd/+question/696585
just created a new vm to double-check the pure-ftpd-mysql install on ubuntu 22.04 by default it installs pure-ftpd v1.0.50 and pure-certd is installed along with it, the binary is available at /usr/sbin/pure-certd 20.04 is still only installing pure-ftpd-mysql 1.0.49-4 and is missing the pure-certd binary.
Noted that it should but it doesn't install pure-certd by default. Did you also create the new vm for ubuntu 20.04 too, as I wish to know whether it doesn't install because it was merely updating it and not installing it fresh. Does that make sense to you?
not created a new vm for ubuntu 20.04, but i did install a fresh pure-ftpd-mysql onto a 20.04 vm that didn't have any ftp / mysql / apache stuff already installed on it. the 1.0.49-4 release definitely doesn't include the pure-certd binary. i'm sure i remember also trying to install a 1.0.49 release on ubuntu 22.04 prior to the 1.0.50 release being added to the ubuntu repo, and that didn't install a pure-certd binary either, but i could be misremembering that.
So it is truly a bug in pure-ftpd-common for pure-ftpd-mysql 1.0.49-4 install or update for Ubuntu 20.04 which supposedly should have pure-certd binary in it. 1.0.49 alone doesn't have it because it supposedly should be available from 1.0.49-4.