TLS Cert for my FileZilla

Hi guys,
I am running a FileZilla FTP server on my local network that should be secured for the internet via a cert. To reach the server from outside my local network I use the dynamic DNS domain kastaun.ddns.net and the needed port forwardings. As I can import TLS cert files into the FileZilla admin console, I would like to get such files via the Let's Encrypt service.

My problem is that it looks like certs can only be created for websites/servers. Does anybody have a clue how I can create the desired cert files for my FTP server so I can run it as FTPS afterwards?

Any suggestions are very much appreciated.

All best from Germany
Joerg

1 Like

Good news! Let's Encrypt certs (and most other standard certs from public CAs) can be used for many services beyond just websites. FTPS, RDP, SMTP, SQL among many others will all work with them. Basically, as long as the service only requires a cert with the Server Authentication (OID 1.3.6.1.5.5.7.3.1) value in the Enhanced Key Usage field, it should work.

2 Likes

Essentially there are two parts to using a cert.

  1. Obtaining the cert.
    Here there are many clients for many types of systems.
  2. Installing the cert.
    Here there are far fewer, and they are generally focused on installing certs into web services.

So, you may NOT find a client that can install the cert directly into FileZilla FTP Server, but there should be some documentation on their site on how to do so.
And as long as the process can be automated, at the end = you win!

3 Likes

The simplest would be to install a web server; IMHO mini web servers are also available for Windows.
What speaks against using a third-party web server?
I am now missing software to automate it for you.
I can send you IPs by mail; then just change the IP on the web server, get the cert, and change the IP back. The web server has your domain.
Since DDNS is there to change the IP, that should not be a problem.
This is of course not a long-term solution.
To automate this, install your own web server.

1 Like

I do not think this is worth your trouble, and you are likely better off with a self-signed certificate in this situation.

This is technically possible for all the reasons people mentioned above, but it will be a pain.

To obtain a certificate with your dynamic DNS provider, you will need to complete a challenge every 60-90 days, either:

  • run an HTTP-01 challenge, which means ensuring port 80 traffic can work, which is often not an option with ISPs
  • run a DNS-01 challenge, which requires a TXT record, which requires a paid plan, but you can do everything off your computer and then upload the cert.

I doubt you have a paid account, as No-IP's plans cost much more than registering a domain (which will typically give you a free DNS service).

So you either need to:

  • Have a paid plan or your own domain to use DNS-01, which is the easiest option in this situation.
  • Regularly run a HTTP-01 service.
  • Just use your own Self-Signed certificate and have your computer trust it.

Personally, I would opt for a self-signed certificate in this situation.

1 Like
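The self-signed route recommended in this reply, together with the Server Authentication EKU check from the earlier reply, as an added example that is not part of the thread and not FileZilla's own tooling. It is a POSIX shell script around openssl (assumed on PATH, 1.1.1 or newer for `-addext`/`-ext`); it generates a self-signed certificate for kastaun.ddns.net with a matching SAN and the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1), then checks any PEM certificate for those two properties. The function names and output directory are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FileZilla.
# Generates a self-signed TLS cert for an FTPS host and checks the two things
# FileZilla Server and most FTPS clients care about: a SAN that matches the
# hostname, and an Extended Key Usage that includes serverAuth
# (OID 1.3.6.1.5.5.7.3.1). Assumes openssl >= 1.1.1 on PATH (-addext / -ext).
set -eu

# make_selfsigned HOST OUTDIR [EKU]
#   Writes OUTDIR/key.pem and OUTDIR/cert.pem (PEM, the format the FileZilla
#   Server admin console imports). EKU defaults to serverAuth; pass e.g.
#   clientAuth to produce a cert that a TLS server must NOT be given.
make_selfsigned() {
  host=$1; dir=$2; eku=${3:-serverAuth}
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=$eku" 2>/dev/null   # stderr is only key-gen noise
}

# cert_has_server_auth CERT.pem
#   Exit 0 if the cert is usable for TLS server authentication: either the
#   EKU extension lists serverAuth, or there is no EKU extension at all
#   (RFC 5280: an absent EKU means any purpose). A present EKU that lacks
#   serverAuth is the failure mode that makes clients reject the cert.
cert_has_server_auth() {
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true)
  if printf '%s\n' "$eku" | grep -q 'Extended Key Usage'; then
    printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication'
  else
    return 0   # no EKU extension present
  fi
}

# cert_covers_host CERT.pem HOST
#   Exit 0 if HOST is listed as a DNS SAN. Modern clients ignore the CN, so a
#   cert with only CN=HOST and no SAN fails hostname verification.
cert_covers_host() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -qw "DNS:$2"
}

# Usage (from a shell, after sourcing this file):
#   make_selfsigned kastaun.ddns.net ./ftps
#   cert_has_server_auth ./ftps/cert.pem && cert_covers_host ./ftps/cert.pem kastaun.ddns.net
```

Import `cert.pem` and `key.pem` into the FileZilla Server admin console as usual. Once the server is up, `openssl s_client -starttls ftp -connect kastaun.ddns.net:21 -servername kastaun.ddns.net` shows which certificate is actually served; with a self-signed cert it will report a verification error until the client machine trusts that cert, which is the trade-off this reply is describing.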

Paid plan for TXT record modifying? Probably setting a single CNAME to a free DNS service provider with a proper API (Cloudflare?) would do the trick.

Not sure where the paid plan came from in general by the way?

2 Likes

No-IP owns ddns.net; they only support TXT records on their paid plans - $25/year. I don't know if they support CNAME on free plans, I doubt they support anything other than A records.

Cloudflare will require a registered domain. I don't know if they are compatible with any of the "free domain" services. Perhaps they are.

2 Likes
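The CNAME delegation suggested two replies up, as an added example that is not part of the thread. It assumes openssl on PATH and uses kastaun.ddns.net from the thread; acme.example.net is a placeholder for a zone whose DNS you can update with an API, and the function names are mine. The TXT value is computed the way RFC 8555 section 8.4 specifies (base64url of the SHA-256 of the key authorization string the ACME client receives for the order), so you can check what your client publishes against what the CA will look up.

```shell
#!/bin/sh
# Added example, not from the thread. Shows how DNS-01 works when the name
# being certified (kastaun.ddns.net, whose provider only offers A records)
# delegates its challenge name via a CNAME to a zone you can script.
# Assumes openssl on PATH. acme.example.net is a placeholder zone.
set -eu

# dns01_records HOST DELEGATE_ZONE
#   Prints the one-time CNAME to create on the dynamic-DNS side and the name
#   under DELEGATE_ZONE where every TXT challenge record is written from then on.
#   The CA queries _acme-challenge.HOST, follows the CNAME, and reads the TXT.
dns01_records() {
  printf '_acme-challenge.%s. CNAME _acme-challenge.%s.\n' "$1" "$2"
  printf 'TXT records go to: _acme-challenge.%s\n' "$2"
}

# dns01_txt_value KEY_AUTHORIZATION
#   KEY_AUTHORIZATION is "<token>.<account JWK thumbprint>" from the ACME
#   exchange. The TXT record value is base64url(SHA-256(key authorization))
#   with the '=' padding removed (RFC 8555 section 8.4): always 43 characters.
dns01_txt_value() {
  printf '%s' "$1" | openssl dgst -sha256 -binary \
    | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Usage (from a shell, after sourcing this file):
#   dns01_records kastaun.ddns.net acme.example.net
#   dns01_txt_value "TOKEN.THUMBPRINT"   # value to publish at _acme-challenge.acme.example.net
```

Before telling the CA to validate, `dig +short TXT _acme-challenge.kastaun.ddns.net` should follow the CNAME and return the same value; if it returns nothing, the delegation or the API update is the problem, not the ACME client.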

Thanks Jens, after lots of trial & error I finally TLS secured my web and FTP server.

All best
Jörg

2 Likes

Thank you Rudy, after lots of trial & error I finally TLS secured my web and FTP server.

All best
Jörg

2 Likes

Hopefully you have it all fully automated and can forget all about it 🙂

1 Like

Thank you very much, after lots of trial & error I finally TLS secured (with an officially trusted CA) my web and FTP server.
Now, knowing how it works, it is quite easy and no trouble at all.

Note: I have an app that I need to work with within my job, and this app does not accept self-signed certs. This is why I went down that route.

All best
Jörg

2 Likes

Still working on this little detail 😁

2 Likes
