vsftpd and SSL
This howto describes how to configure vsftpd to enable SSL using so called intermediate/ chaining certificates.
Edit vsftpd.conf so that SSL is enabled:
ssl_enable=YES
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
force_local_data_ssl=NO
force_local_logins_ssl=NO
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
force_local_data_ssl=NO
force_local_logins_ssl=NO
It is very important to construct the certificate file /usr/share/ssl/certs/vsftpd.pem with the correct certificate order. The fist Your certificate file has to be a .pem file. If you also received an Intermediate Certificate then you have to concatenate this with the Domain Certificate and your Private Key file into one single .pem file. Make sure all the information is included, without any spaces or blanks, see below.
—–BEGIN CERTIFICATE—–
(your_domain_name.crt)
—–END CERTIFICATE KEY—–
—–BEGIN CERTIFICATE—–
(chaining certificate 3)
—–END CERTIFICATE KEY—–
—–BEGIN CERTIFICATE—–
(chaining certificate 2)
—–END CERTIFICATE KEY—–
—–BEGIN CERTIFICATE—–
(chaining certificate 1)
—–END CERTIFICATE KEY—–
—–BEGIN RSA PRIVATE KEY—–
(your_domain_name.key)
—–END RSA PRIVATE KEY—–
(your_domain_name.crt)
—–END CERTIFICATE KEY—–
—–BEGIN CERTIFICATE—–
(chaining certificate 3)
—–END CERTIFICATE KEY—–
—–BEGIN CERTIFICATE—–
(chaining certificate 2)
—–END CERTIFICATE KEY—–
—–BEGIN CERTIFICATE—–
(chaining certificate 1)
—–END CERTIFICATE KEY—–
—–BEGIN RSA PRIVATE KEY—–
(your_domain_name.key)
—–END RSA PRIVATE KEY—–
This is how to check a SSL enabled FTP service (FTP Secure). See the result below:
$ lftp -u username localhost -e "debug;set ftp:ssl-protect-data true;ls;exit"
Password:
—- Connecting to ftp.student.vu.nl (130.37.129.243) port 21
<— 220 Welcome to the Storage FTP service.
—> FEAT
<— 211-Features:
<— AUTH SSL
<— AUTH TLS
<— EPRT
<— EPSV
<— MDTM
<— PASV
<— PBSZ
<— PROT
<— REST STREAM
<— SIZE
<— TVFS
<— UTF8
<— 211 End
—> AUTH TLS
<— 234 Proceed with negotiation.
—> OPTS UTF8 ON
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
Issued by: C=NL,O=TERENA,CN=TERENA SSL CA
Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
Issued by: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
<— 200 Always in UTF8 mode.
—> USER xxx330
<— 331 Please specify the password.
—> PASS XXXX
<— 230 Login successful.
—> PWD
<— 257 "/"
—> PBSZ 0
<— 200 PBSZ set to 0.
—> PROT P
<— 200 PROT now Private.
—> PROT P
<— 200 PROT now Private.
—> PASV
<— 227 Entering Passive Mode (130,37,129,243,196,139).
—- Connecting data socket to (130.37.129.243) port 50315
—- Data connection established
—> LIST
<— 150 Here comes the directory listing.
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
Issued by: C=NL,O=TERENA,CN=TERENA SSL CA
Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
Issued by: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
—- Got EOF on data connection
—- Closing data socket
drwxrwsr-x 3 72745 513 4096 Oct 23 14:28 public_html
<— 226 Directory send OK.
—> QUIT
—- Closing control socket
$
Password:
—- Connecting to ftp.student.vu.nl (130.37.129.243) port 21
<— 220 Welcome to the Storage FTP service.
—> FEAT
<— 211-Features:
<— AUTH SSL
<— AUTH TLS
<— EPRT
<— EPSV
<— MDTM
<— PASV
<— PBSZ
<— PROT
<— REST STREAM
<— SIZE
<— TVFS
<— UTF8
<— 211 End
—> AUTH TLS
<— 234 Proceed with negotiation.
—> OPTS UTF8 ON
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
Issued by: C=NL,O=TERENA,CN=TERENA SSL CA
Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
Issued by: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
<— 200 Always in UTF8 mode.
—> USER xxx330
<— 331 Please specify the password.
—> PASS XXXX
<— 230 Login successful.
—> PWD
<— 257 "/"
—> PBSZ 0
<— 200 PBSZ set to 0.
—> PROT P
<— 200 PROT now Private.
—> PROT P
<— 200 PROT now Private.
—> PASV
<— 227 Entering Passive Mode (130,37,129,243,196,139).
—- Connecting data socket to (130.37.129.243) port 50315
—- Data connection established
—> LIST
<— 150 Here comes the directory listing.
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
Issued by: C=NL,O=TERENA,CN=TERENA SSL CA
Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
Issued by: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
—- Got EOF on data connection
—- Closing data socket
drwxrwsr-x 3 72745 513 4096 Oct 23 14:28 public_html
<— 226 Directory send OK.
—> QUIT
—- Closing control socket
$