Hello all,
My question is about securing the FTP connection and the webconfig of my ClearOS server 7.7.2.
When setting up a connection from the internet to my FTPs server, the calling party gets the message of an unknown certificate. And when I enter the dashboard of the server (using a local IP address) I get the warning of a wrong certificate (SSL_ERROR_BAD_CERT_DOMAIN).
The Let's Encrypt app is installed and is being used for several websites that are hosted on my server. But those websites have a name and a DNS record somewhere.
The webconfig and FTP can only be reached via an IP address, so in my opinion it is not possible to attach a certificate to them. At least, I tried to get a certificate and that failed. Also I tried to get a certificate on the name of my server, but because there is no DNS record, this was also not possible.
I scanned all the articles in the community, but I'm afraid that my knowledge on this subject is not sufficient to understand.
So, what do I want to know?
1: how can I successfully add a certificate for my server?
2: how can I force the webconfig page to use HTTPS?
3: how can I let FTP use that certificate?
I hope that someone of you could send me in the right direction.
Best regards,
Joop
Responses (9)
You have a ????.poweredbyclear.com DNS record if you activate the ClearOS DDNS (it is free). You can change the ???? to something more meaningful than the default if you can pick an available name. For the webconfig, you'd probably want then to add this record to your DNS server for your LAN IP as well. You can get a Let's Encrypt certificate for this FQDN. You then assign it through System > Settings > General Settings.
It seems like you have Let's Encrypt certificates for your websites. You could use one of them, but similarly would have to add the website to your DNS for it to work on your LAN.
FTP is more problematic and I'd say virtually impossible. Certificates seem to be in /etc/proftpd.d/flex-990.conf and /etc/proftpd.d/flex-21.conf but these files are created on-the-fly when the flexshare app is updated so changes there will get overwritten. You could patch the underlying code but it would be specifically for you and may also get overwritten if there is an app update.
Hello Nick,
Thanks for your quick reply. I already have a static IP address, so do I also need to install the Dynamic DNS? And Let's Encrypt looks for a public DNS record when requesting a certificate, I think, so what's the need for adding a local DNS record?
In the settings I used an existing certificate of a locally hosted website. But still I get the error message of a wrong SSL certificate, because I connect to my server using a local address. Would that be the reason? Or does the entry of a local address to the DNS solve this problem?
Joop
I did a little further work on this:
Not fully tested but seems to work
All at your own risk.
I strongly recommend reading ALL this.
https://documentation.clearos.com/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail
/Claus
If I missed something - tell me
ClearOS FTPS and LetsEncrypt Certificates
This is NOT fully tested but seems to work.
All at your OWN RISK
Like me someone in the community asked for FTP certificates.
https://sfj48-fkj200.heiksthsd.cf/clearfoundation/social/community/lets-encrypt-on-ftp-s-and-webconfig
As an answer on the Q, Nick Howitt gives a lot of useful information.
I did some further Reverse engineering, and found that
What did I do?
I had completed the mail setup described here:
https://documentation.clearos.com/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail
You need to do at least this from that last document linked above.
• Background
• Requirements and
• Configuration and Common Let’s encrypt setup
Somehow I figured out that two files used by FTP are located here:
Run this [root@home lets_encrypt]# ls -al /etc/proftpd.d
total 20
drwxr-xr-x 2 root root 47 Feb 7 12:08 .
drwxr-xr-x. 112 root root 8192 Feb 7 11:37 ..
-rw-r--r-- 1 root root 2184 Feb 7 12:08 flex-21.conf
-rw-r--r-- 1 root root 2200 Feb 7 12:08 flex-990.conf
[root@home lets_encrypt]#
The flex-990 file has an area:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/tls.log
TLSOptions NoCertRequest UseImplicitSSL
TLSRequired off
TLSRSACertificateFile /etc/pki/CA/bootstrap.crt
TLSRSACertificateKeyFile /etc/pki/CA/bootstrap.key
TLSVerifyClient off
</IfModule>
It looks like these bootstrap files are created during installation.
I did a readout of the bootstrap certificates using:
https://www.sslshopper.com/certificate-decoder.html
Certificate Information:
Common Name: system.lan
Organization: ClearOS
Organization Unit: ClearOS
Locality: Toronto
Country: CA
Valid From: February 5, 2022
Valid To: April 24, 2030
Issuer: system.lan, ClearOS
Serial Number: 1644072441 (0x61fe8df9)
Make a backup of these files:
Run cd /etc/pki/CA
[root@home CA]# pwd
/etc/pki/CA
cp /etc/pki/CA/bootstrap.crt /etc/pki/CA/bootstrap.crt-Backup
cp /etc/pki/CA/bootstrap.key /etc/pki/CA/bootstrap.key-Backup
Your certificates are found here:
[root@home CA]# ls /etc/letsencrypt/live/
README Your_Domain_Name
your certificate files are here:
[root@home CA]# ls -al /etc/letsencrypt/live/Your_Domain_Name/
total 4
drwxr-xr-x 2 root root 93 Feb 6 16:22 .
drwxr-x--- 4 root ssl-cert 61 Feb 6 16:22 ..
lrwxrwxrwx 1 root root 34 Feb 6 16:22 cert.pem -> ../../archive/Your_Domain_Name/cert1.pem
lrwxrwxrwx 1 root root 35 Feb 6 16:22 chain.pem -> ../../archive/Your_Domain_Name/chain1.pem
lrwxrwxrwx 1 root root 39 Feb 6 16:22 fullchain.pem -> ../../archive/Your_Domain_Name/fullchain1.pem
lrwxrwxrwx 1 root root 37 Feb 6 16:22 privkey.pem -> ../../archive/Your_Domain_Name/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 6 16:22 README
[root@home CA]#
Find the FTP user
[root@home CA]# cat /etc/passwd | grep ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@home CA]#
Add the ftp user to the ssl-cert group:
usermod -a -G ssl-cert ftp
Now copy and overwrite the bootstrap certificates with yours.
… DID YOU make the copy above?
\cp /etc/letsencrypt/live/Your_Domain_Name/cert.pem /etc/pki/CA/bootstrap.crt
\cp /etc/letsencrypt/live/Your_Domain_Name/privkey.pem /etc/pki/CA/bootstrap.key
Check ! ls -al
And restart service
systemctl restart proftpd
You should now be able to do a test using the new certificates FTPS on port 990
But - when the certificate updates ...
You need some automation.
cd /var/clearos/events/lets_encrypt/
[root@home lets_encrypt]#
Create a file here:
Run:
nano proftp
And enter:
#!/bin/sh
# Runs after each Let's Encrypt renewal; certbot sets $RENEWED_LINEAGE to the
# /etc/letsencrypt/live/<name> directory that was just renewed, so only act
# when it is the domain whose certificate proftpd uses.
if [ "$(basename "$RENEWED_LINEAGE")" = "Your_Domain_Name" ]; then
  sleep 10
  # Overwrite the bootstrap pair that flex-990.conf / flex-21.conf point at
  \cp /etc/letsencrypt/live/Your_Domain_Name/cert.pem /etc/pki/CA/bootstrap.crt
  \cp /etc/letsencrypt/live/Your_Domain_Name/privkey.pem /etc/pki/CA/bootstrap.key
  systemctl restart proftpd
fi
Save and exit.
Make the file executable:
[root@home lets_encrypt]# chmod 0755 proftp
CHECK !!
[root@home lets_encrypt]# ls -al
total 20
drwxr-xr-x 2 root root 74 Feb 7 13:54 .
drwxr-xr-x. 21 root root 4096 Feb 5 19:11 ..
-rwxr-xr-x 1 root root 126 Feb 6 18:53 cyrus-imapd
-rwxr-xr-x 1 root root 111 Nov 16 15:17 lets_encrypt
-rwxr-xr-x 1 root root 122 Feb 6 18:49 postfix
-rwxr-xr-x 1 root root 49 Feb 7 13:54 proftp
[root@home lets_encrypt]#
Restart service
systemctl restart proftpd
and Check !
Do a final reboot?
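To make the "Check !" steps above concrete, here is an added example (not Claus's or ClearOS's own code): it verifies that the pair copied into /etc/pki/CA actually belongs together, that the CN is your domain rather than the bootstrap certificate's system.lan, that the file has not expired, and what proftpd really presents on the implicit-TLS port 990. It assumes openssl and GNU date are installed; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: makes the "Check !" steps concrete.
# Assumes openssl and GNU date (CentOS-based ClearOS has both). Cert and key
# paths are arguments, so the same checks work on the Let's Encrypt files and
# on /etc/pki/CA/bootstrap.crt and bootstrap.key after the copy.

# cert_matches_key CERT KEY: succeeds only if CERT's public key equals KEY's.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CERT: prints the subject CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_days_left CERT: prints whole days until notAfter (negative if expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s); now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# check_ftps_deploy CERT KEY EXPECTED_CN: catches the three ways the manual
# copy goes wrong: mismatched pair, bootstrap cert (CN system.lan) still in
# place, or an expired file copied by hand.
check_ftps_deploy() {
    cert=$1; key=$2; want=$3
    cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match $key"; return 1; }
    cn=$(cert_cn "$cert")
    [ "$cn" = "$want" ] || { echo "FAIL: CN is '$cn', expected '$want'"; return 1; }
    days=$(cert_days_left "$cert")
    [ "$days" -gt 0 ] || { echo "FAIL: $cert expired"; return 1; }
    echo "OK: CN=$cn, $days days left"
}

# served_cn [HOST]: CN actually presented on the implicit-TLS port 990, i.e.
# what clients see, rather than the file on disk (needs a running proftpd).
served_cn() {
    openssl s_client -connect "${1:-127.0.0.1}:990" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# On the server, after the copy step and after each renewal-hook run:
# check_ftps_deploy /etc/pki/CA/bootstrap.crt /etc/pki/CA/bootstrap.key Your_Domain_Name
# [ "$(served_cn)" = Your_Domain_Name ] || echo "proftpd still serving the old cert"
```

Run it from the renewal hook as well, so a renewal that copied a mismatched pair is noticed before clients are.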
Just to say this is a bit dangerous as the bootstrap certificate can be copied and used in other apps on their installation, but you may get away with it. There does not seem to be a safe way of achieving what you want. The conf file is generated by /usr/clearos/apps/flexshare/libraries/Flexshare.php, but any update to the Flexshare app will override anything you change in this file.
Nick, OK I thought you were afraid of the system getting compromised due to this change.
But you are afraid of other parts stopping working because these certificates are renewed frequently and shared by other services.
- Then these services of course need to be included in the update scripts as well.
But ... using system.lan at all ... systems and clients should avoid that, and block non-matching CNs --- just my 10c
I can't change the clients! Also it would preclude you from using IP addresses. Web sites work that way. In general mail apps just require a certificate - any certificate - so they can encrypt the data. Often mail apps don't care about the FQDN or validity but some, such as Outlook and, to an extent, Thunderbird, do. I can't speak for FTP apps or other apps.