Pure-FTPd, Let's Encrypt and Certbot hooks
28 Sep 2019
Ettore Dreucci
2 minute read

[recipe, sysadmin]: How to secure Pure-FTPd with a Let’s Encrypt cert

Certbot is the EFF’s tool to obtain certs from Let’s Encrypt.

Pure-FTPd is a very used secure FTP server daemon.

Certbot stores all of your TLS certs in /etc/letsencrypt/live as symlinks to /etc/letsencrypt/archive. Both those directories are root-owned and root-only. It provides you with a bunch of PEM-encoded file:

  • privkey.pem: the private key for the certificate
  • cert.pem: the server certificate
  • chain.pem: the intermediate authority certificate
  • fullchain.pem: the concatenation of the server and the intermediate cert files

Pure-FTPd on the other hand, like other daemons do, needs a bundle of the server cert and its private key that we can easily generate with cat fullchain.pem privkey.pem > pure-ftpd.pem and that has to be mode 0600 .

Every time certbot renews the certificates the bundle must be recreated so that it contains the renewd certs.

It’s therefore possible to write a script to be executed every time the certs are renewed. To automate the execution certbot provides a deploy hook that will be triggered on successful renewals:

  • if you renew it manually you could add the --deploy-hook "/path/to/script.sh" option to the renew command

  • if your renewal are automated:

    • if you use cron add the previous option to the command

    • you can symlink the script to /etc/letsencrypt/renewal-hooks/deploy/ to be executed when any cert is renewed

    • you can edit a specific cert conf file in /etc/letsencrypt/renewal/domain.conf and append the deploy hook directive as follow:

      renew_hook = /path/to/script.sh