Secure your FTP server with Let's Encrypt certificates

:heavy_exclamation_mark: This post is older than a year. Consider some information might not be accurate anymore. :heavy_exclamation_mark:

This post illustrates a quick setup for ProFTPD with TLS. It allows only TLSv1.2 secured connections with Let’s Encrypt certificates.

First of all, make a backup of the existing configuration, after that edit the TLS configuration.

root@cinhtau:~# cp /etc/proftpd/tls.conf tls.conf.example
root@cinhtau:~# vim /etc/proftpd/tls.conf

The contents of the TLS configuration

root@cinhtau:~# cat /etc/proftpd/tls.conf
# Proftpd configuration for FTPS connections.
TLSEngine                    on
TLSLog                       /var/log/proftpd/tls.log
TLSProtocol                  TLSv1.2
TLSRSACertificateFile        /etc/letsencrypt/live/cinhtau.net/cert.pem
TLSRSACertificateKeyFile     /etc/letsencrypt/live/cinhtau.net/privkey.pem
TLSCertificateChainFile      /etc/letsencrypt/live/cinhtau.net/chain.pem
TLSRequired                  on
TLSRenegotiate               none

The important settings are the TLSProtocol and TLSRequired ↠ on. Ensure that the TLS module conf is included (uncommented)

root@cinhtau:~# cat /etc/proftpd/proftpd.conf | grep tls
Include /etc/proftpd/tls.conf

You can restrict the access in proftpd.conf

Order allow,deny
Allow from
Deny from all

Restart the service and there you go.

root@cinhtau:~# /etc/init.d/proftpd restart
[ ok ] Restarting proftpd (via systemctl): proftpd.service.

Using FileZilla will still require to accept the certificate, but you can check if it is yours :-) . FileZilla doesn’t check the CA.

Please remember the terms for blog comments.