Where is Pure-FTPD config file where I can manage cert for TLS?

edited May 9 in FTP Server
Hello,

Where is Pure-FTPD config file where I can manage cert for TLS?

Comments

  • /etc/pure-ftpd/pure-ftpd.conf
  • ricardofh
    May 5 in FTP Server
    Hi,

    I get these errors on any FTP client:

    Hostname does not match certificate
    Certificate expired!

    In the info it says it expired 2 days ago, how do I renew that certificate? Which certificate is it? It does not matter what I use as FTP server: site IP, site URL or server hostname, the same issue persists.

    anyone?
  • ChrootEveryone yes
    BrokenClientsCompatibility no
    MaxClientsNumber 50
    Daemonize yes
    MaxClientsPerIP 8
    VerboseLog no
    DisplayDotFiles yes
    AnonymousOnly no
    NoAnonymous no
    SyslogFacility ftp
    DontResolve yes
    MaxIdleTime 15
    MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
    PAMAuthentication yes
    LimitRecursion 10000 8
    AnonymousCanCreateDirs no
    MaxLoad 4
    AntiWarez yes
    Umask 133:022
    MinUID 1000
    UseFtpUsers no
    AllowUserFXP no
    AllowAnonymousFXP no
    ProhibitDotFilesWrite no
    ProhibitDotFilesRead no
    AutoRename no
    AnonymousCantUpload yes
    AltLog clf:/var/log/pureftpd.log
    CreateHomeDir yes
    MaxDiskUsage 99
    CustomerProof yes
    TLS 1
    PassivePortRange 40110 40210

    Where is cert?
  • Hi,

    So this has been driving me nuts for hours trying to work out a method of making this work from the CyberPanel installed SSL for the host.

    Here's what I've done to get it working:

    cd /usr/local/lscp/ && cat key.pem cert.pem > /etc/ssl/private/pure-ftpd.pem

    Now update the config file [ /etc/pure-ftpd/pure-ftpd.conf ]:

    TLS 3 // This is to encrypt auth + data stream [Max Security Level]

    Add to bottom:

    TLSCipherSuite HIGH //This should use higher version of TLS i.e. TLS 1.2 etc...
    CertFile /etc/ssl/private/pure-ftpd.pem

    Finally, restart service:

    systemctl restart pure-ftpd

    The file location shouldn't be required as it's the default but, I needed it adding for it to work for some reason.

    The only problem I see with this is that when CertBot fetches a new certificate in a couple of months for the main site/host, this FTP certificate will be outdated, and you'll need to run that one-liner at the top again and restart the service.

    CertFileAndKey with the direct files didn't work; even symlinked to this private ssl directory, with the key remapped to the proper name, it still didn't work for me. Odd, as it really should have done.

    This should be mandatory default setup for CyberPanel when you create the SSL (map SSL) for the host to do this for pure-FTP and also offer service restart at that point with CertBot renewal. I doubt this would require much effort.

    There is NO! excuse for not doing this as default, anyone stupid enough to use FTP without TLS is asking to be hacked. Sending passwords over plaintext is utterly stupid.

    If you want to forget and leave this until CyberPanel sort this out properly, I'd suggest following the above first to ensure config is set up correctly for you. Then set up a cron job for this:

    cd /usr/local/lscp/ && cat key.pem cert.pem > /etc/ssl/private/pure-ftpd.pem && systemctl restart pure-ftpd
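
Added example, not part of the thread or of CyberPanel's own tooling: a cron-safe form of the rebuild step from the last comment, using the paths quoted there. It checks that the source certificate is unexpired and matches the key, writes the combined PEM atomically with mode 0600, and restarts pure-ftpd only when the file changed; the function names `cert_usable` and `install_pem` and the `--install` argument are illustrative.

```shell
#!/bin/sh
# Added example: rebuild pure-ftpd's combined PEM from the panel's key and cert.
# Paths are the ones quoted in the thread; function names are illustrative.

# cert_usable CERT KEY: succeed only if CERT is unexpired and belongs to KEY.
cert_usable() {
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # The public key derived from KEY must equal the one embedded in CERT.
    [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# install_pem KEY CERT DEST
# Returns 0 if DEST was replaced, 1 if it was already current, 2 on error.
install_pem() {
    key=$1 cert=$2 dest=$3
    [ -r "$key" ] && [ -r "$cert" ] || return 2
    # Temp file sits next to DEST so the final mv is an atomic rename;
    # mktemp creates it with mode 0600, which the private key needs.
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    if ! cat "$key" "$cert" > "$tmp"; then rm -f "$tmp"; return 2; fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"; return 1          # unchanged: no restart needed
    fi
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}

# Cron entry point: runs only when the script is called with --install.
if [ "${1:-}" = "--install" ]; then
    src=/usr/local/lscp
    if ! cert_usable "$src/cert.pem" "$src/key.pem"; then
        echo "source certificate expired or does not match key" >&2
        exit 1
    fi
    install_pem "$src/key.pem" "$src/cert.pem" /etc/ssl/private/pure-ftpd.pem
    case $? in
        0) systemctl restart pure-ftpd ;;   # new certificate installed
        1) : ;;                             # already current
        *) exit 1 ;;
    esac
fi
```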