This post illustrates a quick setup for ProFTPD with TLS. It allows only TLSv1.2 secured connections with Let’s Encrypt certificates.
First, back up the existing configuration, then edit the TLS configuration.
root@cinhtau:~# cp /etc/proftpd/tls.conf tls.conf.example
root@cinhtau:~# vim /etc/proftpd/tls.conf
The contents of the TLS configuration:
root@cinhtau:~# cat /etc/proftpd/tls.conf
#
# Proftpd configuration for FTPS connections.
#
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/letsencrypt/live/cinhtau.net/cert.pem
TLSRSACertificateKeyFile /etc/letsencrypt/live/cinhtau.net/privkey.pem
TLSCertificateChainFile /etc/letsencrypt/live/cinhtau.net/chain.pem
TLSRequired on
TLSRenegotiate none
The important settings are TLSProtocol and TLSRequired ↠ on. Ensure that the TLS module conf is included (uncommented):
root@cinhtau:~# cat /etc/proftpd/proftpd.conf | grep tls
Include /etc/proftpd/tls.conf
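You can restrict access in proftpd.conf:
# Order/Allow/Deny only take effect inside a <Limit> section; LOGIN (who may log in) is assumed here
<Limit LOGIN>
Order allow,deny
Allow from 192.168.1.100
Deny from all
</Limit>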
Restart the service and there you go.
root@cinhtau:~# /etc/init.d/proftpd restart
[ ok ] Restarting proftpd (via systemctl): proftpd.service.
FileZilla will still ask you to accept the certificate, but you can check that it is yours :-). FileZilla doesn’t check the CA.
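To confirm the settings called out above (TLSEngine, TLSProtocol, TLSRequired) and the uncommented Include line before restarting, a small audit can be run over the config files. This is an added example, not part of the original post: the function names are made up for illustration, TLSv1.3 is assumed to be acceptable alongside TLSv1.2, and only the plain space-separated form of TLSProtocol is handled.

```shell
#!/bin/sh
# Added example: audit a ProFTPD mod_tls config for the settings this post relies on.
# Prints one finding per line; exit status is 0 only when nothing is flagged.
audit_tls_conf() {
    awk '
        function fail(msg) { print msg; bad = 1 }
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        {   # remember each directive (case-insensitive) with its arguments
            key = tolower($1); v = tolower($2)
            for (i = 3; i <= NF; i++) v = v " " tolower($i)
            val[key] = v
        }
        END {
            if (val["tlsengine"] != "on")
                fail("TLSEngine is not on: mod_tls is disabled")
            if (val["tlsrequired"] != "on")
                fail("TLSRequired is not on: unencrypted control or data traffic is accepted")
            if (!("tlsprotocol" in val))
                fail("TLSProtocol is not set: the server default applies")
            else {
                # assumption: anything other than TLSv1.2 / TLSv1.3 is flagged
                n = split(val["tlsprotocol"], p, " ")
                for (i = 1; i <= n; i++)
                    if (p[i] != "tlsv1.2" && p[i] != "tlsv1.3")
                        fail("TLSProtocol allows " p[i])
            }
            exit bad + 0
        }' "$1"
}

# True when the main config pulls in tls.conf on an uncommented Include line.
tls_conf_included() {
    grep -Eiq '^[[:space:]]*Include[[:space:]]+/etc/proftpd/tls\.conf' "$1"
}

# Constructed sample: a weak tls.conf written to a temp file for the demo.
demo=$(mktemp)
printf '%s\n' 'TLSEngine on' 'TLSProtocol SSLv3 TLSv1 TLSv1.2' 'TLSRequired off' > "$demo"
audit_tls_conf "$demo" || echo "=> sample config needs fixing"
rm -f "$demo"
```

On a real host the calls would be `audit_tls_conf /etc/proftpd/tls.conf` and `tls_conf_included /etc/proftpd/proftpd.conf`.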