How to secure Pure-FTPd with a Let’s Encrypt cert
Certbot is the EFF’s tool to obtain certs from Let’s Encrypt.
Pure-FTPd is a widely used FTP server daemon with a focus on security.
Certbot stores all of your TLS certs in /etc/letsencrypt/live as symlinks to /etc/letsencrypt/archive. Both directories are owned by root and readable only by root. For each certificate it provides a set of PEM-encoded files:
- privkey.pem: the private key for the certificate
- cert.pem: the server certificate
- chain.pem: the intermediate authority certificate
- fullchain.pem: the concatenation of the server and the intermediate cert files
Pure-FTPd, on the other hand, like many other daemons, needs a single bundle containing the server certificate chain and its private key. It is easily generated with cat fullchain.pem privkey.pem > pure-ftpd.pem and must be mode 0600, since it contains the private key; Pure-FTPd reads it from /etc/ssl/private/pure-ftpd.pem by default.
Every time certbot renews the certificates the bundle must be recreated so that it contains the renewed certs, otherwise Pure-FTPd keeps serving the old ones until they expire.
It is therefore convenient to write a script that is executed every time the certs are renewed. To automate this, certbot provides a deploy hook that is triggered only on successful renewals:
- if you renew manually, add the --deploy-hook "/path/to/script.sh" option to the renew command
- if your renewals are automated:
  - if you use cron, add the previous option to the certbot renew command in the crontab
  - you can symlink (or copy) the script into /etc/letsencrypt/renewal-hooks/deploy/; every executable in that directory is run when any cert is renewed
  - you can edit a specific cert conf file in /etc/letsencrypt/renewal/domain.conf and add the deploy hook directive to its [renewalparams] section as follows:
    [renewalparams]
    renew_hook = /path/to/script.sh
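A deploy hook that does all of the above, as an added example (it is not the page's own script): it rebuilds the bundle from the lineage directory certbot hands it, never leaves a world-readable or half-written file behind, checks that the key in the bundle belongs to the certificate when openssl is available, and restarts Pure-FTPd. The bundle path /etc/ssl/private/pure-ftpd.pem, the service name pure-ftpd and the use of systemctl are assumptions about the target system; PURE_FTPD_BUNDLE and PURE_FTPD_SERVICE are the example's own override variables, not certbot or Pure-FTPd settings.

```shell
#!/bin/sh
# Certbot deploy hook for Pure-FTPd (added example, not the page's script).
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# and RENEWED_DOMAINS to deploy hooks; only the lineage directory is needed.
set -eu

# Assumptions (not stated on the page): Pure-FTPd reads its bundle from its
# compiled-in default /etc/ssl/private/pure-ftpd.pem and the systemd unit is
# called pure-ftpd. Both can be overridden through the environment.
BUNDLE="${PURE_FTPD_BUNDLE:-/etc/ssl/private/pure-ftpd.pem}"
SERVICE="${PURE_FTPD_SERVICE:-pure-ftpd}"

# make_bundle LINEAGE_DIR OUT: write fullchain.pem + privkey.pem to OUT.
# The file is created under umask 077 and renamed into place, so at no point
# does a readable or half-written bundle sit at OUT.
make_bundle() {
    lineage="$1"
    out="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# bundle_looks_sane FILE: mode is exactly 0600 and both a certificate block
# and a private key block are present (catches a cat with a missing input
# and a bundle left world-readable by a hand-typed command).
bundle_looks_sane() {
    b="$1"
    [ -n "$(find "$b" -perm 0600)" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$b" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$b"
}

# verify_bundle FILE: the private key in the bundle must belong to the first
# certificate in it. Compares the SHA-256 of the DER public key derived from
# each side, which works for RSA and ECDSA keys alike. Skipped when openssl
# is not installed.
verify_bundle() {
    b="$1"
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$b" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$b" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Act only when certbot invoked us: running the file by hand without
# RENEWED_LINEAGE set touches nothing, so a stray call cannot clobber a
# working bundle. Any failure below makes certbot report the hook as failed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    make_bundle "$RENEWED_LINEAGE" "$BUNDLE"
    bundle_looks_sane "$BUNDLE"
    verify_bundle "$BUNDLE"
    # Restart so the daemon serves the new cert even if it loaded the old
    # bundle at startup. try-restart is a no-op when the service is stopped.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl try-restart "$SERVICE"
    fi
fi
```

Install it root-owned and executable (for example chmod 0755) in /etc/letsencrypt/renewal-hooks/deploy/, or point renew_hook at it. Certbot runs deploy hooks as root, so the script must not be writable by any other user. To rebuild the bundle by hand, set the variable certbot would have set: RENEWED_LINEAGE=/etc/letsencrypt/live/yourdomain sh /path/to/script.sh.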