# ProFTPD and SSL/TLS server HOWTO...

## xanthax

Oki, first of all, this is just a remake of a Debian ProFTPD SSL/TLS HOWTO, with some additional information. By the way, the original was in German and I don't know even one word of German, so if there is anything wrong please tell me and I will fix it. I wrote this because I didn't find a good and complete solution for ProFTPD with SSL connections in the Gentoo forums.

This installation requires a working installation of ProFTPD with SSL compiled in. If you have version "1.2.9-r2", as I do, it already has it enabled in the ebuild.

Oki, here are the things you need to do to make your ProFTPD SSL/TLS enabled.

* Install openssl

* Create certificate and key files

* Enter some stuff into your proftpd.conf

* Restart your proftpd server

First you got to install OpenSSL by emerging it.

```

# emerge openssl

```

When this is done you have to use OpenSSL to create your certificate and key files. This is done by running the command below. This command creates one key file and one certificate file that is in the X.509 standard and lasts 365 days.

```

# openssl req -new -x509 -days 365 -nodes  -out /etc/ssl/certs/proftpd.cert.pem -keyout /etc/ssl/certs/proftpd.key.pem

```

When you run this command you get a lot of questions about your whereabouts and so on. You can just press Enter straight through them if you don't want everybody who connects to your server to get all this info about you.

Now it's just the configuring of your proftpd file left, so here are the rows you're going to add and a brief explanation of what they do. Here are the lines you have to include in your proftpd.conf:

```
TLSEngine                         on                               # Basically to turn on TLS/SSL
TLSLog                            /var/log/tls.log                 # Path to logfile
TLSProtocol                       SSLv23                           # Which types of SSL are accepted
TLSOptions                        NoCertRequest                    # In here to make clients less buggy.
TLSRSACertificateFile             /etc/ssl/certs/proftpd.cert.pem  # Path to certificate file
TLSRSACertificateKeyFile          /etc/ssl/certs/proftpd.key.pem   # Path to key file
TLSVerifyClient                   off                              # Turned off to accept client certificates without verifying them ("less buggy")
TLSRequired                       on                               # Whether clients have to use SSL/TLS to be able to log in.
                                                                   # Set this to "off" if you don't want clients to have to use SSL/TLS
```

Now restart the ProFTPD server and voilà, it's ready to connect to :Wink:

My resources and more information:

http://www.debianhowto.de/howtos/de/proftpd-tls_sarge/c_proftpd-tls_sarge.html

http://members.hellug.gr/nmav/misc/proftpd/mod_gnutls.html

----------
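
An added example, not part of the original post or of ProFTPD: a small Python audit of the mod_tls directives listed in the HOWTO above. It flags `TLSProtocol SSLv23`, a `TLSRequired` setting that still accepts cleartext logins, and a private key file (written unencrypted by `-nodes`) that is accessible beyond its owner. The sample config is constructed from the post's lines, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample: the directives from the HOWTO above, trailing comments included.
SAMPLE_CONF = """\
TLSEngine                 on          # turn on TLS
TLSProtocol               SSLv23
TLSOptions                NoCertRequest
TLSRSACertificateFile     /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile  /etc/ssl/certs/proftpd.key.pem
TLSVerifyClient           off
TLSRequired               on
"""

# SSLv23 is the compatibility setting that also admits SSLv3.
LEGACY_PROTOCOLS = {"sslv23", "sslv3"}


def parse_directives(text):
    """Map lower-cased directive name -> argument list, dropping '#' comments."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.lower()] = args
    return directives


def audit(text):
    """Return (directive, finding) tuples for weak mod_tls settings in text."""
    conf = parse_directives(text)
    first = lambda name, default: (conf.get(name) or [default])[0]
    findings = []
    if first("tlsengine", "off").lower() != "on":
        findings.append(("TLSEngine", "mod_tls is not enabled"))
    legacy = [p for p in conf.get("tlsprotocol", []) if p.lower() in LEGACY_PROTOCOLS]
    if legacy:
        findings.append(("TLSProtocol", "legacy protocol allowed: " + " ".join(legacy)))
    if first("tlsrequired", "off").lower() == "off":
        findings.append(("TLSRequired", "cleartext FTP logins are still accepted"))
    key = first("tlsrsacertificatekeyfile", None)
    if key and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:  # any group/other permission bit on the private key
            findings.append(("TLSRSACertificateKeyFile",
                             "%s has mode %o, accessible beyond its owner" % (key, mode)))
    return findings


if __name__ == "__main__":
    for directive, finding in audit(SAMPLE_CONF):
        print(directive + ": " + finding)
```

Run it against the text of a real proftpd.conf on the server itself so the key file permission check can see the file.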

## eeknay

Very nice, but somehow I get this when I want to log in:

```

...

AUTH TLS

234 AUTH TLS successful

Error with certificate at depth: 0

Issuer = /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Subject = /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Error 18:self signed certificate

Disconnecting from site ip_address

```

I tried about a dozen HOWTOs to generate an SSL certificate... I get the same error every single time :Sad:

----------

## arcanus

It appears that your client does not allow self-signed certificates. Try a different FTP client or allow self-signed certs in the one you use now. That should work.

----------

## newtonian

Had this error:

```
20 Responses to “SOLVED: FireFTP / ProFTPd Error ‘Unable to build data connection: Operation not permitted’”
```

Had to add a tweak to the config to get it to work for me.

Commented out the TLSOptions line above and added the following line:

```
TLSOptions NoSessionReuseRequired
```

----------

## axl

You don't need self signed certificates. You can use letsencrypt/certbot EFF certificates which are free, as long as you have a real domain. 

 *Quote:*   

> 
> 
> <IfModule mod_tls.c>
> 
>    TLSEngine on
> ...

 

----------

## Hu

 *axl wrote:*   

> You don't need self signed certificates. You can use letsencrypt/certbot EFF certificates which are free, as long as you have a real domain.

 Now, yes.  Let's Encrypt was not available when this HOWTO was written 14 years ago.

----------

## axl

I noticed after I posted that it was an old revived thread. Nonetheless, perhaps some will find the information useful.

----------

