
I am currently experiencing some trouble installing a StartSSL certificate in ProFTPD.

These are the files I have:

cert.pem                 - certificate file
cert.key                 - corresponding key file
sub.class2.server.ca.pem - intermediate certificate
ca.pem                   - root certificate

In Apache, I have the following configuration that works fine:

SSLCertificateFile      cert.pem
SSLCertificateKeyFile   cert.key
SSLCertificateChainFile sub.class2.server.ca.pem
SSLCACertificateFile    ca.pem

How am I supposed to configure ProFTPD for my given certificates? No matter what I try, I either get an error that the certificate chain is not complete or that the last certificate (the root one) is self-signed. I tried placing the cert.pem alone in TLSRSACertificateFile and the chain + root certs in TLSCACertificateFile, I tried placing the root in TLSCACertificateFile and the chain in TLSCertificateChainFile, I tried placing the root in TLSCACertificateFile and the cert + chain in TLSRSACertificateFile, nothing worked.

Any help would be appreciated.

Castaglia
  • I'm not familiar with ProFTPD, but more than a few other pieces of software support dumping all those certs into a single file and specifying it just once in the configuration. Tried that? – Chris S Feb 26 '14 at 18:20
  • Yes, but didn't work either. :( –  Feb 26 '14 at 19:41

1 Answer


This comes from the ProFTPD online documentation:

<IfModule mod_dso.c>
  # If mod_tls was built as a shared/DSO module, load it
  LoadModule mod_tls.c
</IfModule>

<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/ftpd/tls.log

  # Support both SSLv3 and TLSv1
  TLSProtocol SSLv3 TLSv1

  # Are clients required to use FTP over TLS when talking to this server?
  TLSRequired off

  # Server's certificate
  TLSRSACertificateFile /etc/ftpd/server.cert.pem
  TLSRSACertificateKeyFile /etc/ftpd/server.key.pem

  # CA the server trusts
  TLSCACertificateFile /etc/ftpd/root.cert.pem

  # Authenticate clients that want to use FTP over TLS?
  TLSVerifyClient off

  # Allow SSL/TLS renegotiations when the client requests them, but
  # do not force the renegotiations.  Some clients do not support
  # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
  # clients will close the data connection, or there will be a timeout
  # on an idle data connection.
  TLSRenegotiate none

</IfModule>

Check all the possible directives related to TLS/SSL here.

You should also verify the certificate chain. You can do that using standard tools, like OpenSSL:

dawud
  • Right, the question is where am I supposed to put the intermediate certificate? Tried all possible combinations, but it doesn't seem to work. :-/ –  Feb 27 '14 at 09:36
  • You need to read the [TLSCertificateChainFile](http://www.proftpd.org/docs/contrib/mod_tls.html#TLSCertificateChainFile) configuration directive carefully. – dawud Feb 27 '14 at 14:57
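The answer stops just before the OpenSSL command it promises, and its last comment points at TLSCertificateChainFile. The script below is an added example, not code from the question, the answer or the ProFTPD project. It assumes the four file names from the question (cert.pem, cert.key, sub.class2.server.ca.pem, ca.pem), that TLSCertificateChainFile holds the intermediates only, ordered from the issuing CA upwards as its documentation describes (the same layout as Apache's SSLCertificateChainFile), and that the self-signed root belongs in TLSCACertificateFile and the client's trust store rather than in the chain the server sends. The `chain.pem` output name and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the question, the answer or the ProFTPD project.
# Assembles the intermediate-only chain file that ProFTPD's
# TLSCertificateChainFile expects and verifies the chain with OpenSSL
# before the server is restarted. File names follow the question.
set -e

# Number of PEM certificate blocks in a file (pure grep, no OpenSSL needed).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if the first certificate in $1 is self-signed (subject == issuer),
# 1 if not, 2 if OpenSSL could not parse the file. Needs OpenSSL.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Build the chain file from the issuing CA upwards, one PEM file per
# argument, stopping short of the self-signed root: the root lives in the
# client's trust store (and in TLSCACertificateFile), not in the chain the
# server sends. Usage: build_chain_file OUTPUT ISSUING_CA [NEXT_CA ...]
build_chain_file() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if [ "$(count_pem_certs "$f")" -lt 1 ]; then
            echo "build_chain_file: no certificate in $f" >&2
            return 1
        fi
        if command -v openssl >/dev/null 2>&1 && is_self_signed "$f"; then
            echo "build_chain_file: $f is self-signed (a root); leaving it out" >&2
            return 1
        fi
        cat "$f" >> "$out"
    done
    chmod 0644 "$out"
}

# Offline check of leaf -> intermediates -> root, the same path a client
# walks. $1 leaf certificate, $2 chain file (may be empty), $3 root CA.
verify_chain() {
    if [ -s "$2" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -CAfile "$3" "$1"
    fi
}

# Count the certificates the running server actually sends on an explicit
# FTPS (AUTH TLS) handshake; a leaf plus one intermediate should give 2.
served_chain_length() {
    openssl s_client -connect "$1:21" -starttls ftp -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Usage: sh check-chain.sh cert.pem sub.class2.server.ca.pem ca.pem [ftp-host]
if [ "$#" -ge 3 ]; then
    build_chain_file chain.pem "$2"
    verify_chain "$1" chain.pem "$3"
    if [ "$#" -ge 4 ]; then
        echo "certificates served by $4: $(served_chain_length "$4")"
    fi
fi
```

Once `openssl verify` reports OK, the ProFTPD directives follow the same split as the Apache configuration in the question: TLSRSACertificateFile for cert.pem, TLSRSACertificateKeyFile for cert.key, TLSCertificateChainFile for the generated chain.pem (the intermediate only), and TLSCACertificateFile for ca.pem. Running `served_chain_length` against the restarted server confirms the intermediate is actually sent. The documentation excerpt in the answer dates from 2014 and still lists SSLv3 under TLSProtocol; on a current ProFTPD, restrict that directive to TLSv1.2 and later.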