
Following this tutorial I managed to add FTPS connectivity to the server.

Following step 6 in the tutorial:

  • 6.1 generate certificate

    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

  • 6.2 add certificate to /etc/vsftpd.conf

    rsa_cert_file=/etc/ssl/private/vsftpd.pem

    rsa_private_key_file=/etc/ssl/private/vsftpd.pem

It works for FileZilla, but with curl it seems I can't re-use the same certificate. I downloaded the certificate file from the server and am using it like so:

$ curl -v --cert ~/.ssh/vsftpd.pem --user MYUSER:PASSWORD ftp://SERVER-IP
*   Trying SERVER-IP...
* TCP_NODELAY set
* Connected to SERVER-IP (SERVER-IP) port 21 (#0)
< 220 (vsFTPd 3.0.3)
> USER MYUSER
< 530 Non-anonymous sessions must use encryption.
* Access denied: 530
* Closing connection 0
curl: (67) Access denied: 530

With FTPS

$ curl -v --cert ~/.ssh/vsftpd.pem --user MYUSER:PASSWORD ftps://SERVER-IP
*   Trying SERVER-IP...
* TCP_NODELAY set
* Connection failed
* connect to SERVER-IP port 990 failed: Connection refused
* Failed to connect to SERVER-IP port 990: Connection refused
* Closing connection 0
curl: (7) Failed to connect to SERVER-IP port 990: Connection refused

How can I use the same certificate for both FileZilla and curl (since git-ftp uses curl) to upload files via FTPS?

Update

Adding the parameter --ftp-ssl:

*   Trying SERVER-IP...
* TCP_NODELAY set
* Connected to SERVER-IP (SERVER-IP) port 21 (#0)
< 220 (vsFTPd 3.0.3)
> AUTH SSL
< 234 Proceed with negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
rraallvv

2 Answers


curl's parameter --cert is used to provide the client authentication certificate. As long as you are not authenticating with client certificates, you don't need it.

To use FTPS, use the --ftp-ssl parameter.

Gerald Schneider
  • Thanks, I updated the question with the result of adding `--ftp-ssl`. Maybe I'm missing something, but FileZilla asked whether I wanted to connect with the self-signed certificate; since I accepted, I was able to connect with no problem. Does curl have a similar option? – rraallvv Sep 20 '18 at 13:22
  • You can either add the certificate to the trusted certificates on your system (this procedure is well documented), or you visit the URL curl suggested to you and disable the peer check. – Gerald Schneider Sep 20 '18 at 13:25
  • I forgot to mention I was trying to connect from macOS; it turns out curl on macOS does not support passing the certificate file, the file must be added to the Keychain instead. Also it seems .pem files are not recognized as valid certificates using `security add-trusted-cert`. – rraallvv Sep 20 '18 at 14:39

Because curl on macOS works with the database of the Keychain Access app, the instructions differ from those needed for Linux. I documented the instructions here:


Working with git-ftp on macOS client and vsftpd on Linux server

Generate SSL certificate and key

$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout ~/.ssh/vsftpd.key -out ~/.ssh/vsftpd.crt

Add the generated certificate to the Keychain Access app

$ security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.ssh/vsftpd.crt

Upload certificate and key to the server and copy the files to /etc/ssl/private/

Follow the steps described here; in step 6, use the already generated certificate and key instead of generating new ones:

rsa_cert_file=/etc/ssl/private/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key

After vsftpd is running on the server, install git-ftp

$ brew install git-ftp

Add the server settings using ftpes for the protocol

$ git config git-ftp.url "ftpes://<SERVER-IP>/path/to/repository/"
$ git config git-ftp.user "<FTP-USER>"
$ git config git-ftp.password "<FTP-PASSWORD>"
$ git config git-ftp.cacert "~/.ssh/vsftpd.crt"

Initialize git-ftp; the repository is uploaded during the initialization process:

$ git ftp init -v

After additional commits are added to the repository, push the changes to the FTP repository:

$ git ftp push -v
rraallvv
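One way to sanity-check such a self-signed certificate before pointing curl or git-ftp at it, as an added example that is not part of the answers above: it confirms the certificate and key belong together (the pair vsftpd reads as rsa_cert_file/rsa_private_key_file) and that the certificate verifies against itself as CA, which is exactly what `--cacert` / `git-ftp.cacert` relies on. The subject name `ftp.example.invalid` and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the answers above. Assumes a stock `openssl`.
set -eu

WORK="$(mktemp -d)"            # constructed scratch location
CRT="$WORK/vsftpd.crt"
KEY="$WORK/vsftpd.key"
trap 'rm -rf "$WORK"' EXIT

# Same shape as the answer's openssl command, with a fixed subject so it
# runs non-interactively. Use the server's real host name or IP as CN.
gen_selfsigned() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=ftp.example.invalid" \
    -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# rsa_cert_file and rsa_private_key_file must be a matching pair; compare
# the public keys rather than trusting the file names.
key_matches_cert() {
  [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = \
    "$(openssl pkey -in "$KEY" -pubout)" ]
}

# A self-signed certificate verifies only with itself as the CA. This is
# the check curl performs when given --cacert <same file>; if it fails
# here, curl will report "self signed certificate" as in the question.
verify_as_own_ca() {
  openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# SHA-256 fingerprint of the local file, to compare against the server.
fingerprint() {
  openssl x509 -in "$CRT" -noout -fingerprint -sha256 | cut -d= -f2
}

# Live check (needs the running vsftpd, not run in the test): fetch the
# certificate presented after AUTH TLS on port 21 and print its fingerprint.
# If it differs from fingerprint(), the server is serving a different file.
server_fingerprint() {
  openssl s_client -connect "$1:21" -starttls ftp </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

Run `server_fingerprint SERVER-IP` against the real server and compare it with `fingerprint` before trusting the file; this replaces disabling the peer check with an explicit pin.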