LinuxQuestions.org
Old 04-07-2010, 03:11 PM   #1
replica88
ssl certificate renewal for vsftpd on ubuntu


I am currently using vsftpd with ssl support.

Currently when the certificate expires I have to generate a new certificate and distribute that new certificate among the clients.

Ideally I would like automatic renewal of the certificate and that certificate to then be transferred to the client upon connection.

I am relatively new to Linux and this is a problem I can't seem to overcome myself, any advice or links to how-to's would be appreciated.

The ftp client I am using is curlFTPfs as I need the ftp directory to be mounted locally, below is the command with debugging:

Code:
root@Fileserver:/scripts# curlftpfs -v -o ssl -o cacert=/certificate/ssl-cert-snakeoil.pem -o no_verify_hostname ftp://ftpaccount:ftppassword@192.168.1.254 /backup
* Couldn't find host 192.168.1.254 in the .netrc file, using defaults
* About to connect() to 192.168.1.254 port 21 (#0)
*   Trying 192.168.1.254... * connected
* Connected to 192.168.1.254 (192.168.1.254) port 21 (#0)
< 220 (vsFTPd 2.0.6)
> AUTH SSL
< 234 Proceed with negotiation.
* found 1 certificates in /certificate/ssl-cert-snakeoil.pem
*        server certificate verification OK
*        common name: FTPserver.cable.virginmedia.net (does not match '192.168.1.254')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #1
*        subject: C=XX,ST=There is no such thing outside US,L=Everywhere,O=OCOSA,OU=Office for Complication of Otherwise Simple Affairs,CN=FTPserver.cable.virginmedia.net,EMAIL=root@FTPserver.cable.virginmedia.net
*        start date: Wed, 07 Apr 2010 18:19:37 GMT
*        expire date: Fri, 07 May 2010 18:19:37 GMT
*        issuer: C=XX,ST=There is no such thing outside US,L=Everywhere,O=OCOSA,OU=Office for Complication of Otherwise Simple Affairs,CN=FTPserver.cable.virginmedia.net,EMAIL=root@FTPserver.cable.virginmedia.net
*        compression: DEFLATE
*        cipher: 3DES 168 CBC
*        MAC: SHA
> USER ftpaccount
< 331 Please specify the password.
> PASS ftppassword
< 230 Login successful.
> PBSZ 0
< 200 PBSZ set to 0.
> PROT P
< 200 PROT now Private.
> PWD
< 257 "/"
* Entry path is '/'
* Remembering we are in dir ""
* Connection #0 to host 192.168.1.254 left intact
Many thanks
 
Old 04-09-2010, 08:51 AM   #2
r0b0
Why do your certificates expire every month? Usually they are valid for 1-2 years. If you are not a bank or an intelligence agency, you could as well go up to 5 years.

Anyway, if you really need to automate the process of certificate renewal then I suggest that you write a script to 1. generate the new certificate 2. put it somewhere on a known path inside the FTP so that users can download the new cert 3. restart your ftp server. Shouldn't be that difficult.
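
The three steps suggested above (generate, publish, restart) as an added example; this is not code from either poster. The server paths, the publish directory, the validity period and the renewal window are assumptions, the CN and IP are taken from the debug log in the first post, and `-addext` needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example, not from the thread. Paths, names and periods are assumptions.
CERT=${CERT:-/etc/ssl/private/vsftpd-cert.pem}   # vsftpd rsa_cert_file (assumed path)
KEY=${KEY:-/etc/ssl/private/vsftpd-key.pem}      # vsftpd rsa_private_key_file (assumed path)
PUBLISH_DIR=${PUBLISH_DIR:-/srv/ftp/pub}         # hypothetical download location
SERVER_CN=${SERVER_CN:-FTPserver.cable.virginmedia.net}  # CN from the log above
SERVER_IP=${SERVER_IP:-192.168.1.254}            # address the client connects to
VALID_DAYS=${VALID_DAYS:-730}                    # within the 1-2 years mentioned in the reply
RENEW_BEFORE_DAYS=${RENEW_BEFORE_DAYS:-30}       # assumed renewal window

# cert_needs_renewal CERT SECONDS: true if CERT is missing, unreadable,
# or expires within SECONDS (openssl -checkend exits 0 only if still valid then).
cert_needs_renewal() {
    [ -f "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_cert CERT KEY DAYS CN IP: new key and self-signed certificate whose
# subjectAltName covers both the name and the IP that clients connect to.
make_cert() {
    ( umask 077   # key is created readable by its owner only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
          -keyout "$2.new" -out "$1.new" -subj "/CN=$4" \
          -addext "subjectAltName=DNS:$4,IP:$5" 2>/dev/null ) || return 1
    chmod 644 "$1.new"
    mv "$2.new" "$2" && mv "$1.new" "$1"
}

# renew_if_needed CERT KEY PUBLISH_DIR: 0 = renewed, 1 = still valid, 2 = failed
renew_if_needed() {
    cert_needs_renewal "$1" $((RENEW_BEFORE_DAYS * 86400)) || return 1
    make_cert "$1" "$2" "$VALID_DAYS" "$SERVER_CN" "$SERVER_IP" || return 2
    cp "$1" "$3/" || return 2   # publish the certificate only, never the key
}

# Run from cron as root with the argument "run"; restart only after a renewal.
if [ "${1:-}" = "run" ]; then
    if renew_if_needed "$CERT" "$KEY" "$PUBLISH_DIR"; then
        service vsftpd restart
    fi
fi
```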
 
Old 04-14-2010, 05:28 AM   #3
replica88
Original Poster
Quote:
Originally Posted by r0b0
Why do your certificates expire every month? Usually they are valid for 1-2 years. If you are not a bank or an intelligence agency, you could as well go up to 5 years.

Anyway, if you really need to automate the process of certificate renewal then I suggest that you write a script to 1. generate the new certificate 2. put it somewhere on a known path inside the FTP so that users can download the new cert 3. restart your ftp server. Shouldn't be that difficult.
Yes that is a bit excessive, I will look into it... thanks
 
  


All times are GMT -5.