Wildcard SSL Cert for FTP Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: joelmueller.ch

I ran this command:

It produced this output:

My web server is (include version): nginx vsftpd

The operating system my web server runs on is (include version): ArchLinux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme

Hi,
I have a working wildcard cert.
How can I use it as the vsftpd SSL cert for ftp.joelmueller.ch?

I used fullchain.pem and joelmueller.ch.key as fullchain.csr and 1:1 as key.

Do I have to convert fullchain.pem with OpenSSL?

Do I have to use private.key or joelmueller.ch.key?

FileZilla complains about my SSL setup; other clients like lftp are working. Why?

I have no experience with vsftpd but found this. It says a cert is not even required for the FileZilla client:
https://help.ubuntu.com/community/vsftpd#TLS.2FSSL.2FFTPS

To use a cert with it I just googled and saw this which says use the fullchain.pem and privkey.pem files.

2 Likes

My advice? Don't use FTPS for file transfers. IMO the best option is to use SFTP. A subtle difference in abbreviation, but a BIG difference in the underlying technique. FileZilla can also do SFTP.

4 Likes

A wildcard cert has no privkey.pem; it has two keys, private.key and "url".key, plus fullchain.pem, so it isn't possible to use those two files.

FTPS is much faster than over SSH.

There are patches for OpenSSH so that SFTP can be a lot faster than usual: HPN-SSH download | SourceForge.net

3 Likes

The link I provided used certbot to get the cert files and that does create a privkey.pem and fullchain.pem for wildcard certs. The author of that article successfully used certbot with vsftpd. I am sorry if the article was not helpful. As noted I do not have personal experience with vsftpd.

A .key file is often a valid .pem file and needs no conversion. I don't understand how you got the files you describe so don't know how to advise.

3 Likes

I get the files via the ace-me client on an OPNsense (FreeBSD 13) machine and then transfer them to the remote machine over scp. So do I only have to rename private.key to privkey.pem? And what is the second key (joelmueller.ch.key)? Or do I have to merge both keys into one privkey.pem?

Yeah, I am sorry but I do not understand how you are describing your cert and key files. And, I could not find any info on an ace-me program for OPNsense.

Your post said you have an nginx server although I cannot reach it on https://joelmueller.com (it times out). I can reach it using http but the http response headers do not identify it as nginx (which is optional).

If you get your nginx server working with https and your wildcard you would use the same two files in vsftpd as you used for it. For example, if these are your valid nginx lines:

ssl_certificate  /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/example.org/privkey.pem;

You would use those two files in the vsftpd.conf file:

rsa_cert_file=/etc/letsencrypt/live/example.org/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.org/privkey.pem

I do not know what your files names mean. Perhaps you could ask on the OPNsense forum for more advice.

2 Likes
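Before putting the two paths into vsftpd.conf, it is worth confirming that the key file you have really belongs to fullchain.pem (whatever its extension) and that the wildcard actually covers the ftp hostname. The script below is an added example, not code from this thread or from vsftpd; it assumes the openssl command-line tool is installed, and the file paths and hostname are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a wildcard cert/key pair
# before pointing vsftpd at it. Requires the openssl CLI.
# Paths and hostnames are assumptions; substitute your own.

# Return 0 if FILE parses as a PEM private key, whatever its extension
# (.key or .pem), i.e. no conversion is needed; otherwise return 1.
key_is_pem() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Return 0 if the private key in $2 matches the first certificate in $1.
# Compares the public key derived from each side rather than an RSA modulus,
# so it works for ECDSA keys as well.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $1 covers hostname $2. openssl's -checkhost
# applies the usual wildcard rules (*.example.org covers ftp.example.org but
# not ftp.sub.example.org) and reports the result as text, so grep for it.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Print the vsftpd.conf TLS lines for a cert/key pair that passed the checks.
vsftpd_tls_lines() {
    printf 'rsa_cert_file=%s\nrsa_private_key_file=%s\nssl_enable=YES\n' "$1" "$2"
}

# Run all three checks in order and emit the config lines only if they pass.
# Usage: ./check_ftps_cert.sh fullchain.pem privkey.pem ftp.example.org
check_ftps_cert() {
    cert=$1; key=$2; host=$3
    key_is_pem "$key" || { echo "$key: not a PEM private key" >&2; return 1; }
    key_matches_cert "$cert" "$key" || { echo "$key does not match $cert" >&2; return 1; }
    cert_covers_host "$cert" "$host" || { echo "$cert does not cover $host" >&2; return 1; }
    vsftpd_tls_lines "$cert" "$key"
}

if [ "$#" -eq 3 ]; then
    check_ftps_cert "$1" "$2" "$3"
fi
```

Run it once per candidate key file: only the key whose public half equals the one inside fullchain.pem is the right one for rsa_private_key_file, and renaming a file never changes that.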
