Where is Pure-FTPD config file where I can manage cert for TLS?

edited May 9 in FTP Server

Where is Pure-FTPD config file where I can manage cert for TLS?


  • /etc/pure-ftpd/pure-ftpd.conf
  • ricardofh
    May 5 in FTP Server

    I get these errors on any FTP client:

    Hostname does not match certificate
    Certificate expired!

    In the info it says it expired 2 days ago. How do I renew that certificate? Which certificate is it? It does not matter what I use as FTP server: site IP, site URL or server hostname, the same issue persists.

  • ChrootEveryone yes
    BrokenClientsCompatibility no
    MaxClientsNumber 50
    Daemonize yes
    MaxClientsPerIP 8
    VerboseLog no
    DisplayDotFiles yes
    AnonymousOnly no
    NoAnonymous no
    SyslogFacility ftp
    DontResolve yes
    MaxIdleTime 15
    MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
    PAMAuthentication yes
    LimitRecursion 10000 8
    AnonymousCanCreateDirs no
    MaxLoad 4
    AntiWarez yes
    Umask 133:022
    MinUID 1000
    UseFtpUsers no
    AllowUserFXP no
    AllowAnonymousFXP no
    ProhibitDotFilesWrite no
    ProhibitDotFilesRead no
    AutoRename no
    AnonymousCantUpload yes
    AltLog clf:/var/log/pureftpd.log
    CreateHomeDir yes
    MaxDiskUsage 99
    CustomerProof yes
    TLS 1
    PassivePortRange 40110 40210

    Where is cert?
  • Hi,

    So this has been driving me nuts for hours trying to work out a method of making this work from the CyberPanel installed SSL for the host.

    Here's what I've done to get it working:

    cd /usr/local/lscp/; cat key.pem cert.pem > /etc/ssl/private/pure-ftpd.pem

    Now update the config file [ /etc/pure-ftpd/pure-ftpd.conf ]:

    # This is to encrypt auth + data stream [Max Security Level]
    TLS 3

    Add to bottom:

    # This should use higher version of TLS i.e. TLS 1.2 etc...
    TLSCipherSuite HIGH
    CertFile /etc/ssl/private/pure-ftpd.pem

    Finally, restart service:

    systemctl restart pure-ftpd

    The file location shouldn't be required as it's the default, but I needed it adding for it to work for some reason.

    The only problem I see with this is that when CertBot fetches a new certificate in a couple of months for the main site/host, this FTP certificate will be outdated, and you'll need to run that one-liner at the top again and restart the service.

    CertFileAndKey with the direct files didn't work, even symlinked to this private ssl directory and key remapped to the proper name still didn't work for me. Odd as it really should have done.

    This should be mandatory default setup for CyberPanel when you create the SSL (map SSL) for the host to do this for pure-FTP and also offer service restart at that point with CertBot renewal. I doubt this would require much effort.

    There is NO! excuse for not doing this as default, anyone stupid enough to use FTP without TLS is asking to be hacked. Sending passwords over plaintext is utterly stupid.

    If you want to forget and leave this until CyberPanel sort this out properly, I'd suggest following the above first to ensure config is set up correctly for you. Then set up a cron job for this:

    cd /usr/local/lscp/; cat key.pem cert.pem > /etc/ssl/private/pure-ftpd.pem; systemctl restart pure-ftpd
  • edited June 19
    So I found myself in a pickle again and for some reason, didn't realise the certs I was copying were the wrong ones. (Sorry to anyone who used the above version!)
    Therefore I've created a simple-to-add workaround script that will fix this issue once and for all for non-SNI pure-ftpd implementations.

    Do be sure to adjust the config file explained above to improve security.

    If you've manually pushed for a new certificate, then this might cause a delay, since it's not part of any CyberPanel hooks. If that's bothering you, make cron faster, like:

    */5 * * * * /root/ > /dev/null

    This would be once every 5 mins, at the cost of writing a file to the hard drive every 5 minutes.

    For those that can't read cron easily, the below runs once a day at 1:36am, which is an hour after acme does its thing each night, thereby catching any new auto replacements.

    If you need to fix this like now! create the file and run: sh /root/

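    #!/bin/bash
    # CyberPanel SSL Fix for pure-ftpd by R Small 19th June 2019.
    # Copies the host SSL for CyberPanel and sets it for Pure-ftpd for non-SNI.
    # Add below to your crontab -e and save this script as /root/
    # 36 1 * * * /root/ > /dev/null

    # Stop at the first error so a failed copy never restarts pure-ftpd without a certificate.
    set -e
    # The combined file contains the private key: create it readable by root only.
    umask 077
    cd "/etc/letsencrypt/live/$HOSTNAME/"
    # Build the new file next to the old one, then swap it in with a single rename.
    cat privkey.pem fullchain.pem > /etc/ssl/private/pure-ftpd.pem.new
    mv -f /etc/ssl/private/pure-ftpd.pem.new /etc/ssl/private/pure-ftpd.pem
    systemctl restart pure-ftpd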


    CyberPanel, I found the js files that are used to trigger SSL from the webpage. But, I don't understand what's monitoring it, or how it gets actioned to make acme do its thing on demand. Could you please share how? (is there something like a python main loop?), so I can improve this fix.

    Hope this helps others.
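
The two client errors from the question (expired certificate, hostname mismatch) and the "wrong certs copied" problem from the last post can all be caught before pure-ftpd is restarted. The check below is an added example, not part of the original posts; the function name `check_ftp_pem` and its return codes are this example's own convention, and it assumes the `openssl` command-line tool is installed.

```bash
#!/bin/bash
# Added example: validate a combined key+certificate PEM before pure-ftpd uses it.
# Usage: check_ftp_pem FILE HOSTNAME [MIN_VALID_SECONDS]
# Prints the first problem found and returns non-zero, or prints "ok".
check_ftp_pem() {
    local pem="$1" host="$2" min_valid="${3:-86400}" cert_pub key_pub
    [ -r "$pem" ] || { echo "cannot read $pem"; return 2; }

    # A file built by appending (>>) on every run accumulates old keys and
    # certificates; exactly one private key must be present.
    [ "$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$pem")" -eq 1 ] \
        || { echo "expected exactly one private key in $pem"; return 3; }

    # openssl x509 reads the first certificate in the file, which is the one
    # presented to clients. -checkend N fails if it expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend "$min_valid" >/dev/null \
        || { echo "certificate expired or expires within ${min_valid}s"; return 4; }

    # -checkhost reports whether the certificate covers the given name.
    openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "certificate does not cover $host"; return 5; }

    # Key and certificate belong together only if their public keys are equal.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 6; }

    echo "ok"
}
```

Call it with the name FTP clients connect to, and only restart pure-ftpd when it returns 0.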