ssl

Vsftpd with SSL/TLS support on Ubuntu

Configure vsftpd to use SSL/TLS on Ubuntu VPS, dedi or physical machine. This how-to assumes vsftpd is already configured and running without encryption support.

Generate SSL certificate

Let’s create some SSL certificates to use with vsftpd. Change -nodes-days to desired number of days, example bellow assumes  one year (365 days).

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Edit /etc/vsftpd.conf

Add the following lines to vsftpd config file:

# Uncomment or add the path to cert
# we generated in previous step
rsa_cert_file=/etc/ssl/private/vsftpd.pem

# Enable SSL support
ssl_enable=YES

# Force local users to use SSL
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

# allow only TLS, not SSL
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# Some additional security and compatibility settings
# Filezilla reports GnuTLS error without strong ciphers
require_ssl_reuse=NO
ssl_ciphers=HIGH

# Optional: enable passive connection if not already configured
# (add appropriate rules to your firewall - iptables/UFW etc.)
pasv_enable=YES
pasv_min_port=63000
pasv_max_port=63100

Restart service

sudo service vsftpd restart

Connect with client

Now connect with your favourite client (like Filezilla), don’t forget to set Require explicit FTP over TLS. Port stays default 21, if you didn’t specify otherwise in the config file of course.

 

Fix SSL sec_error_unknown_issuer with Comodo PositiveSSL in Firefox (Apache2)

Installing Comodo PositiveSSL certificate on Apache server for a client, everything worked fine in Chrome, Firefox on OS X and (surprisingly) even in IE, but Firefox on Windows was complaining with the following error (might be something to do with older version or some other settings, but didn’t really test it that extensively):

Invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

After a bit of googling I came across a blog post by John Bakker, where he describes a quick and easy fix, merging all .crt files you receive from Comodo into one .ca_bundle.

To do this, the easiest way is to combine (concatenate) multiple certificates into one file, named www_yourdomain_com.ca_bundle (of course replace www_yourdomain_com with your actual domain with underscores):

  1. AddTrustExternalCARoot.crt
  2. COMODORSAAddTrustCA.crt
  3. COMODORSADomainValidationSecureServerCA.crt
  4. www_yourdomain_com.crt
cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www_yourdomain_com.ca_bundle

Note: Device/Entity Cert Intermediates need to be in reversed order.

Place it in the same place you put your .key and .crt and .csr files for your certificate.
Now instead of pointing it to the individual files you point to just the bundle from your vhost.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/www_yourdomain_com.crt
SSLCertificateKeyFile /etc/ssl/certs/www_yourdomain_com.key
SSLCertificateChainFile /etc/ssl/certs/www_yourdomain_com.ca-bundle

Restart apache and enjoy secure connection to your site without SSL errors in all browsers.