
---
title: "Pure-FTPd, Let's Encrypt and Certbot hooks"
tags: ["pure-ftpd", "letsencrypt", "certbot", "hooks"]
categories: ["recipe", "sysadmin"]
description: "How to secure Pure-FTPd with a Let's Encrypt cert"
date: 2019-09-28T14:50:36+02:00
author: "Ettore Dreucci"
draft: false
---
## [[recipe]({{< ref "/categories/recipe" >}}), [sysadmin]({{< ref "/categories/sysadmin" >}})]: How to secure Pure-FTPd with a Let's Encrypt cert
[Certbot](https://certbot.eff.org/) is the [EFF](https://www.eff.org/)'s tool for obtaining certificates from [Let's Encrypt](https://letsencrypt.org/).
[Pure-FTPd](https://www.pureftpd.org) is a widely used, security-focused FTP server daemon with TLS support.
Certbot stores the current certificates in `/etc/letsencrypt/live/<domain>/` as symlinks into `/etc/letsencrypt/archive/`. Both directories are **root-owned** and **root-only**, so nothing running as another user can read the private key. For each certificate you get a set of PEM-encoded files:
- `privkey.pem`: the private key for the certificate
- `cert.pem`: the server certificate
- `chain.pem`: the intermediate CA certificate(s)
- `fullchain.pem`: the server certificate followed by the intermediate chain (`cert.pem` + `chain.pem`)
Pure-FTPd, like several other daemons, expects a single file holding the server certificate chain and its private key. It can be built with `cat fullchain.pem privkey.pem > pure-ftpd.pem` and must be mode `0600`, since it now contains the key. Note that the redirection creates the file with your current umask before the key is written into it, so set `umask 077` first (or write to a temporary file and move it into place) rather than fixing the mode afterwards.
Every time Certbot renews the certificate the bundle must be rebuilt so that it contains the renewed certificate and key, and the daemon must be told to pick it up.
It is therefore worth writing a script that runs every time the certificate is renewed. Certbot provides a deploy hook for exactly this: it is executed only after a successful renewal, with the environment variable `RENEWED_LINEAGE` pointing at the renewed `live/<domain>` directory and `RENEWED_DOMAINS` listing the names on the certificate. There are several ways to register it:
- if you renew manually, add the `--deploy-hook "/path/to/script.sh"` option to the `certbot renew` command (Certbot also saves the hook into that certificate's renewal configuration, so later renewals reuse it)
- if your renewals are automated:
  - if you use cron, add the same option to the command in the crontab
  - you can place the script, or a symlink to it, in `/etc/letsencrypt/renewal-hooks/deploy/` (it must be executable); scripts there run when **any** certificate is renewed, so the script should check which lineage it was called for
  - you can edit the configuration of a specific certificate in `/etc/letsencrypt/renewal/domain.conf` and append the deploy hook directive as follows:
    ```
    [renewalparams]
    renew_hook = /etc/letsencrypt/courier.sh
    ```
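The following deploy hook puts the steps above together. It is an added example, not the script from the original post: it reads the `RENEWED_LINEAGE` directory that Certbot exports to deploy hooks, ignores renewals of other certificates (so it is safe to drop into `renewal-hooks/deploy/`), refuses to install a certificate whose public key does not match the private key, builds the bundle through a `mktemp` file (created mode 0600) that is renamed into place so the key is never world-readable and the daemon never reads a half-written file, and restarts the service. The lineage name `ftp.example.com`, the bundle path `/etc/ssl/private/pure-ftpd.pem` and the unit name `pure-ftpd` are assumptions to adjust for your host.

```shell
#!/bin/sh
# Certbot deploy hook for Pure-FTPd (added example, not the original post's script).
# Certbot runs deploy hooks with RENEWED_LINEAGE set to the renewed certificate's
# /etc/letsencrypt/live/<name> directory and RENEWED_DOMAINS to its names.
set -eu

# Assumed values: adjust to your host.
FTP_LINEAGE="ftp.example.com"              # hypothetical lineage (live/<name>) name
BUNDLE="/etc/ssl/private/pure-ftpd.pem"    # assumed Pure-FTPd certificate file path
SERVICE="pure-ftpd"                        # assumed systemd unit name, varies by distro

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the certificate and the private key carry the same public key,
# so a mixed-up or half-renewed lineage never reaches the daemon.
keys_match() {
    cert="$1"; key="$2"
    c=$(openssl x509 -noout -pubkey -in "$cert" | openssl pkey -pubin -outform DER | sha256sum)
    k=$(openssl pkey -in "$key" -pubout -outform DER | sha256sum)
    [ "$c" = "$k" ]
}

# Build fullchain.pem + privkey.pem from a lineage directory into dest, mode 0600.
# mktemp creates the temporary file with mode 0600 in the destination directory,
# and the final mv is an atomic rename on the same filesystem.
build_bundle() {
    lineage="$1"; dest="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    tmp=$(mktemp "$(dirname "$dest")/.pure-ftpd.XXXXXX")
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dest"
    [ "$(file_mode "$dest")" = "600" ]
}

deploy_hook() {
    # Installed in renewal-hooks/deploy this fires for every lineage; skip the others.
    case "$RENEWED_LINEAGE" in
        */"$FTP_LINEAGE") ;;
        *) echo "skip: $RENEWED_LINEAGE is not the FTP certificate"; exit 0 ;;
    esac
    if ! keys_match "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/privkey.pem"; then
        echo "refusing to install: certificate and key do not match" >&2
        exit 1
    fi
    build_bundle "$RENEWED_LINEAGE" "$BUNDLE"
    # Restarting the unit is the conservative way to make sure no new session
    # is served with the old certificate.
    systemctl restart "$SERVICE"
}

# Act only when invoked by Certbot; the variable is absent otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

To try it before the next renewal, run it by hand as root with the variable set, e.g. `RENEWED_LINEAGE=/etc/letsencrypt/live/ftp.example.com /etc/letsencrypt/renewal-hooks/deploy/pure-ftpd.sh`, then check that the bundle is `0600` and that an FTPS client sees the new certificate.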
END.