What is the best way to use an other domain with TLS for Pureftpd?

Discussion in 'Installation/Configuration' started by tijn, Oct 27, 2023.

  1. tijn

    tijn New Member

    So i have migrated a server with the migration tool and it went pretty well!
    On the old server i used: le4ispc_pem.sh which worked great, but should not be needed anymore for ISPconfig 3.2.

    However, pureftpd was working with ftp.clientdomain.nl and TLS just fine. With ISPconfig 3.2 only the server hostname is present in the certificate. I tried to change the pureftpd.conf and added:
    CertFileAndKey "/root/.acme.sh/clientdomain.nl/clientdomain.nl.cer" "/root/.acme.sh/clientdomain.nl/clientdomain.nl.key"

    But Pureftpd does not seem to read this setting? When i change /etc/ssl/private/pureftpd.pem by copy-pasting the acme.sh key and cert.. it does (kind of) work but this is quite a hassle when certificates are renewed.

    So, what is the best way to do this? Can i expand the certificate for the hostname?

    Thanks in advance!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    tijn likes this.
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Multi domain is not supported but as @till mentioned you can try @Th0m's approach for expanding the domain covered in the hostname certs.

    Personally, unless using commercial SSL certs, I kinda dislike this multi domains in one LE certs as failure of one domain's certs' renewal may impact all others.

    I am curious about this method though, since to my understanding you simply copy-pasted the other domain certs into it and it works?!

    I think this is different than expanding hostname certs to add other domains in them, as this on the contrary seems to work by appending other domains certs into it, though potential failure like in expanding hostname certs to add other domains may not happen here.

    Very interesting, though for this approach to succeed, I think you will need a very good script to cover automatic inclusion of certs upon their creation and their replacement on their renewal.

    The hardest part may be to code a check for old certs in it to be replaced upon their renewal, each time.

    Plus, we do not know the limit of certs we can append to it, if we are to use this append method, and how efficient it is when there are too many appends.

    If I have time, I will look into this too.
    Last edited: Oct 28, 2023
  4. tijn

    tijn New Member

    Well, in this case the customer has multiple domains, but only uses FTP for 1 client and wants to promote ftp.domain.nl since this includes his own domain. I created the site domain.nl and added ftp.domain.nl as an alias. The certificate is expanded with the alias domain (same approach Th0m uses for e-mail). I simply created the .pem file by combining the .key and .crt.

    I wonder how other people do this, I mean.. I can't be the only one who wants to use multiple domains to use ftp and e-mail? :)
    Do they tell the clients to just use the server hostname?
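    The "combine .key and .crt into one .pem" step above is easy to do by hand once, but the thread's real pain point is renewal. The script below is an added example (not tijn's, not ISPConfig's, not acme.sh's code) that rebuilds the pure-ftpd PEM from an acme.sh certificate and key only when the combined file actually changed, after checking that the key matches the certificate. The acme.sh paths, the domain clientdomain.nl, the destination /etc/ssl/private/pureftpd.pem and the service name pure-ftpd-mysql are assumptions taken from or inferred from this thread; adjust them for your server.

```shell
#!/bin/sh
# Added example: renewal hook for a pure-ftpd TLS PEM built from acme.sh output.
# All paths below are assumptions; the domain comes from the thread above.
CERT="/root/.acme.sh/clientdomain.nl/fullchain.cer"      # assumed acme.sh layout
KEY="/root/.acme.sh/clientdomain.nl/clientdomain.nl.key" # assumed acme.sh layout
DEST="/etc/ssl/private/pureftpd.pem"                      # path used by ISPConfig's pure-ftpd

# Concatenate certificate (chain first) and private key into one PEM file,
# which is the layout pure-ftpd expects in pureftpd.pem.
# Returns 0 if DEST was replaced, 1 if it was already identical, 2 on error.
install_pem() {
    cert="$1"; key="$2"; dest="$3"
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    # Build in a temp file next to the destination so the final mv is atomic
    tmp="$(mktemp "${dest}.XXXXXX")" || return 2
    cat "$cert" "$key" > "$tmp"
    chmod 600 "$tmp"            # the file now contains a private key
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"            # nothing changed: no reload needed
        return 1
    fi
    mv -f "$tmp" "$dest"
    return 0
}

# Refuse to deploy a certificate whose public key differs from the private
# key: pure-ftpd would load the broken PEM and every TLS handshake would fail.
pair_matches() {
    c="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 1
    k="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    [ "$c" = "$k" ]
}

# Entry point to call from acme.sh's --reloadcmd (or from cron after renewal).
renew_hook() {
    if ! pair_matches "$CERT" "$KEY"; then
        echo "certificate and key do not match; not touching $DEST" >&2
        return 1
    fi
    if install_pem "$CERT" "$KEY" "$DEST"; then
        # Service name is an assumption (Debian/Ubuntu ISPConfig installs)
        systemctl restart pure-ftpd-mysql
    fi
}
```

Calling `renew_hook` from the acme.sh `--reloadcmd` for that domain means the PEM is only rewritten, and pure-ftpd only restarted, when a renewal actually produced a new certificate; the mode 600 on the combined file matters because it now carries the private key.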
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You usually use the hostname of the server to connect to the FTP server.
    remkoh and ahrasis like this.
  6. remkoh

    remkoh Active Member

    Keep in mind that when adding multiple customers' domains to your server certificate you could potentially be breaking laws.
    You'll be telling the whole world who your client base is on that server with that one certificate.
    Unless of course the server is for one customer only and the certificate contains only that customer's domains.

    A way around could be some sort of FTP proxy.
    Not sure if any with SNI (alike) support exist though.
    Otherwise you'll need an IP for every certificate, like you'd need for HTTPS in the old days predating SNI.
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am not sure I fully understood how this becomes illegal, especially how this could be disclosed. The client's domains are pointed to that server and the ftp link needs to be secured when they access it via their domain, otherwise it could prove more dangerous and fatal than if the access is not secured.
    Agreed on this. Indeed this is possible, except ISPConfig only supports http proxy for the time being.

    I would further submit that ISPConfig should consider utilizing / manipulating reverse proxy features of nginx and apache2 like upstream to the maximum as one of its main features, as this could be very useful in securing things like this ftp service (via workaround).

    For the time being, I am focused on developing a web ftp - elfinder - extra customizations so that it will automatically access the server hostname securely (only user and password needed), without a need to enter the domain name, which can be confusing for general users. I may add this extra in the elfinder filemanager tool script later once it is fully tested and ready.