New post: Pure-FTPd, Let's Encrypt and Certbot hooks

Signed-off-by: Ettore Dreucci <ettore.dreucci@gmail.com>
2019-09-28 19:49:00 +02:00
parent 66e488f63a
commit 69e4126d8f


@@ -0,0 +1,45 @@
---
title: "Pure-FTPd, Let's Encrypt and Certbot hooks"
tags: ["pure-ftpd", "letsencrypt", "certbot", "hooks"]
categories: ["recipe", "sysadmin"]
description: "How to secure Pure-FTPd with a Lets Encrypt cert"
date: 2019-09-28T14:50:36+02:00
author: "Ettore Dreucci"
draft: false
---
## [[recipe]({{< ref "/categories/recipe" >}}), [sysadmin]({{< ref "/categories/sysadmin" >}})]: How to secure Pure-FTPd with a Lets Encrypt cert
[Certbot](https://certbot.eff.org/) is the [EFF](https://www.eff.org/)s tool to obtain certs from [Lets Encrypt](https://letsencrypt.org/).
[Pure-FTPd](https://www.pureftpd.org) is a very used secure FTP server daemon.
Certbot stores all of your TLS certs in `/etc/letsencrypt/live` as symlinks to `/etc/letsencrypt/archive`. Both those directories are **root-owned** and **root-only**. It provides you with a bunch of PEM-encoded file:
- `privkey.pem`: the private key for the certificate
- `cert.pem`: the server certificate
- `chain.pem`: the intermediate authority certificate
- `fullchain.pem`: the concatenation of the server and the intermediate cert files
Pure-FTPd on the other hand, like other daemons do, needs a bundle of the server cert and its private key that we can easily generate with `cat fullchain.pem privkey.pem > pure-ftpd.pem` and that has to be mode `0600` .
Every time certbot renews the certificates the bundle must be recreated so that it contains the renewd certs.
Its therefore possible to write a script to be executed every time the certs are renewed. To automate the execution certbot provides a deploy hook that will be triggered on successful renewals:
- if you renew it manually you could add the `--deploy-hook "/path/to/script.sh"` option to the `renew` command
- if your renewal are automated:
- if you use cron add the previous option to the command
- you can symlink the script to `/etc/letsencrypt/renewal-hooks/deploy/` to be executed when **any** cert is renewed
- you can edit a specific cert conf file in `/etc/letsencrypt/renewal/domain.conf` and append the deploy hook directive as follow:
```
[renewalparams]
renew_hook = /etc/letsencrypt/courier.sh
```
END.
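Review bot: the post tells the reader to write a deploy-hook script that rebuilds the bundle but never shows it, and the only concrete hook path it gives, `renew_hook = /etc/letsencrypt/courier.sh` under `[renewalparams]`, names a courier script in a post about Pure-FTPd, so anyone copying that conf fragment points Certbot at the wrong script. Suggest adding the script body right after the `cat fullchain.pem privkey.pem > pure-ftpd.pem` sentence and using one name for it everywhere (the `--deploy-hook "/path/to/script.sh"` bullet, the symlink bullet and the `renew_hook` line). Two things that script should get right: create the bundle with the restrictive mode from the start (`umask 077` before the `cat`, or write to a temp file and `install -m 600` it into place) rather than `cat` followed by `chmod 0600`, because with a normal umask the redirect creates a world-readable file containing the private key until the chmod runs; and restart pure-ftpd at the end unless you have confirmed it re-reads the bundle for every new session. Certbot also exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory of the cert just renewed) and `RENEWED_DOMAINS` to deploy hooks, which lets the script read `"$RENEWED_LINEAGE/fullchain.pem"` instead of hard-coding the domain, and is worth mentioning next to the symlink bullet since that hook fires for any renewed cert. Minor wording: "renewd", "if your renewal are automated", "a bunch of PEM-encoded file", "Its therefore possible", "very used", and "Lets Encrypt" in the description and heading where the title itself spells it "Let's Encrypt".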