Shared key for use with FileZilla + Let's Encrypt?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: misterprotocol.photos

I ran this command: FTP

It produced this output: (None)

My web server is (include version): (None, this is FTPS)

The operating system my web server runs on is (include version): MacOS Sonoma

My hosting provider, if applicable, is: (None)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): FileZilla 1.8.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Sony A7iv camera, firmware version 3.00

Sony cameras support FTPS for secure transfer of photos. I have set up a FileZilla FTP server on MacOS Sonoma and have successfully configured it with a Let's Encrypt certificate for FTPS. I have also successfully loaded the Let's Encrypt root certificate into the camera.

My problem is that the camera, when enabling IPSEC, wants a destination address (not a problem) and a shared key (BIG PROBLEM). I have no idea what to enter for a shared key. The camera believes a shared key should be between 8 and 20 letters. It also says,

  • On this camera, IPsec operates in transport mode only and uses IKEv2.
    The algorithm is AES with 128-bit keys in CBC mode/Diffie-Hellman 3072-bit modp group/PRF-HMAC-SHA-256/HMAC-SHA-384-192.
    The authentication expires after 24 hours.

Any clues as to how I might find or generate a shared key with the required properties?

Thanks!

Hello @misterprotocol, welcome to the Let's Encrypt community. :slightly_smiling_face:

FTP is not in the set of Challenge Types - Let's Encrypt
There are

  • HTTP-01 challenge: can only be done on port 80.
  • DNS-01 challenge: your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>.
  • TLS-ALPN-01 challenge: it is performed via TLS on port 443.
1 Like

It does look like a certificate was issued crt.sh | 12571764658 on 2024-04-02.

1 Like

The IPsec configuration should have nothing whatsoever to do with configuring Let’s Encrypt or FTPS. It is completely separate.

5 Likes

@misterprotocol FAQ - Let's Encrypt states

Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?

Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.

Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.

2 Likes

IPSEC is unrelated to DV certificates [which are mainly used to secure websites].
IPSEC works more like the WPA2 encryption on your WiFi; it can be set up using preshared keys, much like using a passphrase on your WiFi.

3 Likes
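The reply above makes the point that an IKEv2 pre-shared key is a passphrase both peers must know, not something a Let's Encrypt certificate can supply, and the original post says the camera accepts a key of 8 to 20 letters. The following is an added example, not code from this thread, FileZilla or Sony: it generates a random key inside that length window with the `secrets` module and reports how much entropy the chosen length gives, so that a short, memorable passphrase is not mistaken for an adequate one. The alphabet (ASCII letters and digits) and the 8/20 limits are taken from the post as assumptions about what the camera accepts; nothing here depends on the camera or server actually in use.

```python
import math
import secrets
import string

# Assumed alphabet: the post says "between 8 and 20 letters"; we use ASCII
# letters plus digits and treat that as an assumption about the camera's UI.
PSK_ALPHABET = string.ascii_letters + string.digits
PSK_MIN_LEN = 8    # lower bound stated in the original post
PSK_MAX_LEN = 20   # upper bound stated in the original post


def generate_psk(length: int = PSK_MAX_LEN, alphabet: str = PSK_ALPHABET) -> str:
    """Return a cryptographically random pre-shared key of the given length.

    secrets.choice draws from the OS CSPRNG, unlike random.choice, which is
    seeded predictably and must never be used for key material.
    """
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be between {PSK_MIN_LEN} and {PSK_MAX_LEN}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def psk_entropy_bits(length: int, alphabet: str = PSK_ALPHABET) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(len(alphabet))


def validate_psk(psk: str, alphabet: str = PSK_ALPHABET) -> bool:
    """Check that a candidate key satisfies the length and character rules."""
    return (PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN
            and all(c in alphabet for c in psk))


if __name__ == "__main__":
    # Use the maximum length the device allows: with 62 symbols that is
    # about 119 bits, while the 8-character minimum is only about 48 bits.
    psk = generate_psk()
    print(f"PSK: {psk}  ({psk_entropy_bits(len(psk)):.1f} bits of entropy)")
    print(f"8-char minimum would give {psk_entropy_bits(PSK_MIN_LEN):.1f} bits")
```

The generated string has to be entered identically on the IPsec peer (the host the camera tunnels to), which is the part the thread keeps returning to: the FTPS server and its Let's Encrypt certificate never see this value, so there is nothing on the FileZilla side to copy it from.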

IPSEC = VPN tunnel.
FTPS = FTP over a secure connection.

You can even do both: FTPS through an IPSEC tunnel.

3 Likes

Please read further in my post: FileZilla FTP server does use a Let’s Encrypt certificate for FTPS.

And you are trying to connect to FTPS via IPSEC [those are incompatible/unrelated to each other].

Like dialing a phone with an FM radio.

1 Like

Yes, that’s not the problem. The problem is that I’m looking to see if there’s a “shared key” string available. PLEASE read the rest of my post...

Ok, which Challenge Types - Let's Encrypt are supported for domain validation?

1 Like

IPSEC can use shared secrets - TLS does not | FTPS does not.

1 Like

@misterprotocol I found these two links

1 Like

Choose a TLS supported choice in the camera instead of IPSEC.

Thanks! More research to do...

1 Like

That would be great if it had one. Actually, it does…but only for connecting to Sony’s own cloud server.

Sounds like Let’s Encrypt certificates are not the answer.

Thanks for the prompt responses!

2 Likes