---
title: "Pure-FTPd, Let's Encrypt and Certbot hooks"
tags: ["pure-ftpd", "letsencrypt", "certbot", "hooks"]
categories: ["recipe", "sysadmin"]
description: "How to secure Pure-FTPd with a Let’s Encrypt cert"
date: 2019-09-28T14:50:36+02:00
author: "Ettore Dreucci"
draft: false
---

## How to secure Pure-FTPd with a Let’s Encrypt cert

[Certbot](https://certbot.eff.org/) is the [EFF](https://www.eff.org/)’s tool to obtain certs from [Let’s Encrypt](https://letsencrypt.org/). [Pure-FTPd](https://www.pureftpd.org) is a widely used secure FTP server daemon.

Certbot stores all of your TLS certs in `/etc/letsencrypt/live` as symlinks to `/etc/letsencrypt/archive`. Both those directories are **root-owned** and **root-only**. It provides you with a bunch of PEM-encoded files:

- `privkey.pem`: the private key for the certificate
- `cert.pem`: the server certificate
- `chain.pem`: the intermediate authority certificate
- `fullchain.pem`: the concatenation of the server and the intermediate cert files

Pure-FTPd, on the other hand, like other daemons do, needs a bundle of the server cert and its private key, which we can easily generate with `cat fullchain.pem privkey.pem > pure-ftpd.pem` and which has to be mode `0600`. Every time certbot renews the certificates the bundle must be recreated so that it contains the renewed certs. It’s therefore possible to write a script to be executed every time the certs are renewed.
To automate the execution certbot provides a deploy hook that will be triggered on successful renewals:

- if you renew it manually you could add the `--deploy-hook "/path/to/script.sh"` option to the `renew` command
- if your renewals are automated:
  - if you use cron add the previous option to the command
  - you can symlink the script to `/etc/letsencrypt/renewal-hooks/deploy/` to be executed when **any** cert is renewed
  - you can edit a specific cert conf file in `/etc/letsencrypt/renewal/domain.conf` and append the deploy hook directive as follows:

```
[renewalparams]
renew_hook = /path/to/script.sh
```
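As an added example (not part of the original post), here is a deploy-hook script that rebuilds the Pure-FTPd bundle described above without ever leaving a partial or world-readable copy on disk. It assumes certbot's `RENEWED_LINEAGE` variable (which certbot exports to deploy hooks, pointing at the renewed `/etc/letsencrypt/live/<domain>` directory), a bundle path of `/etc/ssl/private/pure-ftpd.pem`, and a service named `pure-ftpd` for the restart; all three are assumptions, not values from the post.

```shell
#!/bin/sh
# Certbot deploy hook: rebuild the Pure-FTPd cert+key bundle after renewal.
# Assumptions (not from the post): certbot exports RENEWED_LINEAGE to deploy
# hooks, the bundle lives at /etc/ssl/private/pure-ftpd.pem, and the daemon
# runs as a service unit called pure-ftpd.
set -eu

BUNDLE=/etc/ssl/private/pure-ftpd.pem   # assumed bundle path

# build_bundle LINEAGE_DIR BUNDLE_PATH
# Concatenate fullchain.pem and privkey.pem from LINEAGE_DIR into a temp
# file that is 0600 from the moment it is created (umask 077 in a subshell,
# so the caller's umask is untouched), then rename it atomically into place.
build_bundle() {
    lineage="$1"
    bundle="$2"
    [ -r "$lineage/fullchain.pem" ] || { echo "missing $lineage/fullchain.pem" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "missing $lineage/privkey.pem" >&2; return 1; }
    tmp="$bundle.tmp.$$"
    (umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp")
    chmod 0600 "$tmp"
    mv -f "$tmp" "$bundle"
}

# bundle_mode FILE: print the permission string (e.g. -rw-------) so an
# admin can confirm the bundle is really owner-only, as the post requires.
bundle_mode() {
    ls -ld "$1" | cut -c1-10
}

# When certbot invokes this script as a deploy hook, RENEWED_LINEAGE is set;
# rebuild the bundle for that lineage and restart the daemon (assumed unit).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_bundle "$RENEWED_LINEAGE" "$BUNDLE"
    echo "rebuilt $BUNDLE ($(bundle_mode "$BUNDLE")) from $RENEWED_LINEAGE"
    systemctl restart pure-ftpd
fi
```

Symlink the script into `/etc/letsencrypt/renewal-hooks/deploy/` or reference it with `renew_hook`, exactly as described above; certbot only runs deploy hooks when a certificate was actually renewed.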