Author Topic: [SOLVED] Letsencrypt configuration (TLS)  (Read 153 times)

Offline danjde

  • New user
  • Posts: 4
[SOLVED] Letsencrypt configuration (TLS)
« on: August 08, 2017, 10:20:02 am »
Hi friends,
I'm trying to configure ProFTPD with Let's Encrypt certificates on Debian Jessie.
So I've created "/etc/proftpd/conf.d/sftp.conf" as suggested by: http://www.proftpd.org/docs/howto/TLS.html


Code:
<IfModule mod_dso.c>
    # If mod_tls was built as a shared/DSO module, load it
    LoadModule mod_tls.c
</IfModule>

<IfModule mod_tls.c>
    TLSEngine on
    Port 2222
    SFTPLog /var/log/proftpd/sftp.log

    # Support both SSLv3 and TLSv1
    TLSProtocol SSLv3 TLSv1

    # Configure both the RSA and DSA host keys, using the same host key
    # files that OpenSSH uses.
    TLSRSACertificateFile      /etc/letsencrypt/live/server.sio4.org/cert.pem
    TLSRSACertificateKeyFile   /etc/letsencrypt/live/server.sio4.org/privkey.pem
    TLSCACertificateFile       /etc/letsencrypt/live/server.sio4.org/chain.pem

    # SFTPAuthMethods password

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate none

    # Enable compression
    SFTPCompression delayed
</IfModule>

But now if I try to connect from FileZilla I get:

Code:
Status: Disconnected from server
Status: Resolving address of server.sio4.org
Status: Connecting to 91.205.175.213:2222...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...


And then it times out and logs out (and nothing at all is logged to /var/log/proftpd/sftp.log).

Where am I going wrong?

Many thanks!


Davide
Italy



« Last Edit: August 09, 2017, 12:16:41 pm by danjde »

Offline castaglia

  • Administrator
  • Support Hero
  • Posts: 5373
    • http://www.castaglia.org/
Re: Letsencrypt configuration
« Reply #1 on: August 08, 2017, 03:21:24 pm »
First, the mod_tls module uses the TLSLog directive, not the SFTPLog directive: TLS and SFTP are two very different protocols.  I recommend configuring a TLSLog file, and then seeing what that log file shows when FileZilla tries to connect.

Offline danjde

  • New user
  • Posts: 4
Re: Letsencrypt configuration
« Reply #2 on: August 08, 2017, 04:22:08 pm »
Well, I've changed the log directive to "TLSLog" and now something prints:

Code:
2017-08-08 17:58:52,505 mod_tls/2.6[14765]: TLS/TLS-C requested, starting TLS handshake
2017-08-08 17:58:52,619 mod_tls/2.6[14765]: client supports secure renegotiations
2017-08-08 17:58:52,619 mod_tls/2.6[14765]: TLSv1/SSLv3 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2017-08-08 17:58:52,830 mod_tls/2.6[14765]: Protection set to Private


From the client this is the output:

Code:
Command: PWD
Status: Waiting to retry...
Status: Resolving address of server.sio4.org
Status: Connecting to 91.205.175.213:2222...
Status: Connection established, initializing TLS...
Error: GnuTLS error -15: An unexpected TLS packet was received.


But still no connection.

Now I'll open a post on Let's Encrypt too...

Thanks again

Offline danjde

  • New user
  • Posts: 4
Re: Letsencrypt configuration
« Reply #3 on: August 08, 2017, 04:55:35 pm »
I understand the reason: Shorewall drops the connection:

(I've changed the IPs)

Code:
Aug  8 18:50:10 server kernel: [16438563.572121] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=132.142.22.10 DST=44.320.032.111 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=63283 DF PROTO=TCP SPT=33175 DPT=55298 WINDOW=29200 RES=0x00 SYN URGP=0

And now?
Why does Shorewall drop the ProFTPD TLS connection?  :'(
Should I open a thread on the Shorewall forum?


Thanks again!
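The DROP line above is the tell: the control connection on port 2222 was accepted, but a SYN from the same client to an arbitrary high port (55298) was dropped. That is the passive data connection; with the control channel encrypted the firewall's FTP helper cannot read the PASV/EPSV reply, so nothing opens that port dynamically. As an added example (not code from the thread, ProFTPD or Shorewall), the script below parses Shorewall/netfilter DROP lines and says for each dropped TCP SYN whether it hit the control port, a port inside a configured PassivePorts range (firewall rule missing), or an unconfined high port (PassivePorts not set, so the server picked any port). The first sample line is the one posted above; the other lines, the control port 2222 and the range 60000-65000 are constructed assumptions.

```python
"""Classify Shorewall/netfilter DROP lines against an FTPS server's port plan.

Added example; not code from the forum thread, ProFTPD or Shorewall.
The first SAMPLE_LOG entry is the line posted in the thread (with the
poster's altered addresses); the remaining entries are constructed here.
The control port (2222) and passive range (60000-65000) passed to
diagnose() are assumptions, not values taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shorewall prefixes netfilter LOG output with "Shorewall:<chain>:<disposition>:"
_PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
# key=value fields written by the LOG target; only these matter for the diagnosis
_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

SAMPLE_LOG = [
    # 1) the line from the thread: a SYN to an arbitrary high port, dropped
    "Aug  8 18:50:10 server kernel: [16438563.572121] Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=132.142.22.10 DST=44.320.032.111 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=63283 DF PROTO=TCP SPT=33175 DPT=55298 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # 2) constructed: a SYN inside the assumed PassivePorts range, dropped
    "Aug  8 18:52:01 server kernel: [16438674.101010] Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=132.142.22.10 DST=44.320.032.111 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=63290 DF PROTO=TCP SPT=33190 DPT=62000 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # 3) constructed: a SYN to the assumed control port, dropped
    "Aug  8 18:53:30 server kernel: [16438763.202020] Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=198.51.100.7 DST=44.320.032.111 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1101 DF PROTO=TCP SPT=40001 DPT=2222 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # 4) constructed: an unrelated syslog line that must be ignored
    "Aug  8 18:53:31 server cron[2211]: (root) CMD (run-parts /etc/cron.hourly)",
]


@dataclass
class FwEvent:
    chain: str
    action: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]


def parse_line(line: str) -> Optional[FwEvent]:
    """Return the parsed Shorewall log event, or None for any other syslog line."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(_FIELD_RE.findall(line))

    def port(key: str) -> Optional[int]:
        value = fields.get(key)
        return int(value) if value is not None and value.isdigit() else None

    return FwEvent(chain=m["chain"], action=m["action"],
                   src=fields.get("SRC", "?"), dst=fields.get("DST", "?"),
                   proto=fields.get("PROTO", "?"), spt=port("SPT"), dpt=port("DPT"))


def classify(ev: FwEvent, control_port: int, passive_range: Tuple[int, int]) -> str:
    """Say what kind of FTPS connection a dropped TCP SYN most likely was."""
    lo, hi = passive_range
    if ev.proto != "TCP" or ev.dpt is None:
        return "not-tcp"
    if ev.dpt == control_port:
        return "control"               # the control port itself is not open
    if lo <= ev.dpt <= hi:
        return "passive-in-range"      # PassivePorts is set; firewall rule is missing
    if ev.dpt >= 1024:
        return "passive-unconfined"    # no PassivePorts: server picked an arbitrary port
    return "other"


def diagnose(lines: List[str], control_port: int,
             passive_range: Tuple[int, int]) -> List[Tuple[FwEvent, str]]:
    """Pair every DROP event in the log with its classification."""
    results = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.action == "DROP":
            results.append((ev, classify(ev, control_port, passive_range)))
    return results


if __name__ == "__main__":
    for ev, verdict in diagnose(SAMPLE_LOG, control_port=2222, passive_range=(60000, 65000)):
        print(f"{ev.src}:{ev.spt} -> {ev.dst}:{ev.dpt}  {verdict}")
```

Run against a real /var/log/kern.log (or `journalctl -k`) by feeding the lines to diagnose() with your own control port and PassivePorts range; a verdict of "passive-unconfined" means the server side still needs PassivePorts, while "passive-in-range" means the Shorewall rule for that range is what is missing.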


Offline castaglia

  • Administrator
  • Support Hero
  • Posts: 5373
    • http://www.castaglia.org/
Re: Letsencrypt configuration
« Reply #4 on: August 09, 2017, 03:24:19 am »
It definitely sounds like a Shorewall configuration-related question; these ProFTPD forums are not the best place for that.

Offline danjde

  • New user
  • Posts: 4
Re: Letsencrypt configuration
« Reply #5 on: August 09, 2017, 12:15:57 pm »
Quote from castaglia:
[...] these ProFTPD forums are not the best place for that.

Found the issues:

1) I had to assign passive ports to ProFTPD:

Code:
# Specify the ftp-data port range to be used.
# TCP port numbers cannot exceed 65535, so the range must stay below that
# limit (60000-65000 is just an example range).
PassivePorts                    60000 65000

2) and open the same ports on Shorewall:

Code:
# /etc/shorewall/rules: the passive range is the DESTINATION port of the
# inbound data connection, so it goes in the DEST PORT(S) column.
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     fw    tcp    60000:65000

et voilà
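Pulling the thread together, here is an added example (not the thread's own config and not a file shipped by ProFTPD or Shorewall) of the FTPS setup it converges on: the first post's mod_sftp directives (SFTPLog, SFTPAuthMethods, SFTPCompression) are dropped because they belong to a different module, the listening port and PassivePorts move to server level where they apply, SSLv3 is no longer offered, chain.pem is served with TLSCertificateChainFile rather than TLSCACertificateFile (which is for verifying client certificates), and the firewall rule opens the same fixed range. The reason the fixed range is unavoidable is that the netfilter FTP helper cannot read the PASV/EPSV reply inside the TLS-protected control channel, so the data port must be pinned and opened explicitly. Assumptions: control port 2222, range 60000-65000, the certificate paths from the first post, a commented placeholder MasqueradeAddress, and a ProFTPD build of 1.3.5 or later for the TLSv1.2 keyword (the mod_tls/2.6 in the log above is that version).

```apacheconf
# /etc/proftpd/conf.d/tls.conf
# Added example, not the thread's or ProFTPD's own configuration.
# Assumed values: port 2222, PassivePorts 60000-65000, Let's Encrypt paths
# as in the first post.

# The listening port belongs at server level, not inside <IfModule mod_tls.c>.
Port 2222

# Pin the data-connection ports: the firewall cannot learn them from the
# encrypted PASV/EPSV reply, so they must be fixed here and opened explicitly.
# Any range at or below 65535 works, as long as the firewall rule matches it.
PassivePorts 60000 65000

# If the server sits behind NAT, also advertise the public address (placeholder):
# MasqueradeAddress 203.0.113.10

<IfModule mod_dso.c>
  # Only needed if mod_tls is not already loaded from /etc/proftpd/modules.conf
  LoadModule mod_tls.c
</IfModule>

<IfModule mod_tls.c>
  TLSEngine on

  # mod_tls logs here; SFTPLog belongs to mod_sftp and is ignored by mod_tls.
  TLSLog /var/log/proftpd/tls.log

  # SSLv3 is broken (POODLE); offer TLS 1.2 only (keyword needs ProFTPD >= 1.3.5).
  TLSProtocol TLSv1.2

  TLSRSACertificateFile     /etc/letsencrypt/live/server.sio4.org/cert.pem
  TLSRSACertificateKeyFile  /etc/letsencrypt/live/server.sio4.org/privkey.pem
  # chain.pem is the intermediate to present to clients. TLSCACertificateFile
  # would instead be used to verify *client* certificates, which are off here.
  TLSCertificateChainFile   /etc/letsencrypt/live/server.sio4.org/chain.pem

  # Require TLS on both control and data connections; no cleartext fallback.
  TLSRequired on
  TLSVerifyClient off
  TLSRenegotiate none
  TLSCipherSuite HIGH:!aNULL:!MD5
</IfModule>

# /etc/shorewall/rules (fragment, added example)
# Column order: ACTION SOURCE DEST PROTO DEST PORT(S); the passive range is the
# destination port of the inbound data connection.
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     fw    tcp    2222
ACCEPT   net     fw    tcp    60000:65000
```

After reloading ProFTPD and restarting Shorewall, a FileZilla transfer should show the data connection landing in the 60000-65000 range in tls.log, and no further "Shorewall:net-fw:DROP" lines for that client in the kernel log.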