Enable ftps in vsftpd.
- June 4th, 2011
To enable ftps on my CentOS 5 server I first needed to create a self-signed certificate:
# cd /etc/pki/tls/certs
# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > vsftpd.pem ; \
echo "" >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..........++++++
..................++++++
writing new private key to '/tmp/openssl.R27560'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:Country
State or Province Name (full name) [Berkshire]:State
Locality Name (eg, city) [Newbury]:City
Organization Name (eg, company) [My Company Ltd]:Company
Organizational Unit Name (eg, section) []:Department
Common Name (eg, your name or your server's hostname) []:Servername
Email Address []:Emailaddress
Copy the newly created certificate to /etc/vsftpd:
# cp -p vsftpd.pem /etc/vsftpd/
Add the following to the vsftpd.conf file:
# vi /etc/vsftpd/vsftpd.conf
…
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
…
Note: With the settings above, non-anonymous users can no longer use plain FTP; they have to use FTPS. To change this behaviour, add the following to your vsftpd.conf:
force_local_data_ssl=NO
Then, restart/start vsftpd:
service vsftpd restart
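The same procedure as a script, added here as an example and not part of the original post. It takes the target directory and config file as parameters so it can be exercised outside /etc, and it goes a little beyond the post: the key is 2048-bit RSA signed with SHA-256 instead of the 1024-bit default of the CentOS Makefile target, the subject is passed with -subj (the values are constructed placeholders) so there are no interactive prompts, and the combined key+certificate file is created with mode 0600. The config block keeps both of vsftpd's enforcement switches at YES: force_local_logins_ssl covers the password exchange and force_local_data_ssl the data connections, and both default to YES once ssl_enable=YES, so setting only force_local_data_ssl=NO still leaves logins on TLS. The audit function at the end reads a vsftpd.conf and reports any setting that would let local users fall back to plaintext or enable SSLv2/SSLv3; the function names and the ftp.example.invalid host name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# certificate for vsftpd, write the matching TLS settings, and audit a
# vsftpd.conf for settings that would let logins fall back to plaintext.
# Paths are parameters so it can be exercised outside /etc; the
# subject fields below are constructed placeholder values.
set -u

# make_vsftpd_cert DIR [DAYS]
# Creates DIR/vsftpd.pem (private key followed by certificate), mode 0600.
# 2048-bit key and SHA-256 instead of the Makefile's rsa:1024 default;
# -subj replaces the interactive Distinguished Name prompts.
make_vsftpd_cert() {
    dir=$1
    days=${2:-365}
    key=$(mktemp "${TMPDIR:-/tmp}/vsftpd-key.XXXXXX") || return 1
    crt=$(mktemp "${TMPDIR:-/tmp}/vsftpd-crt.XXXXXX") || return 1
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -subj "/C=XX/ST=State/L=City/O=Example Org/OU=IT/CN=ftp.example.invalid" \
        -keyout "$key" -out "$crt" >/dev/null 2>&1 || { rm -f "$key" "$crt"; return 1; }
    # umask 077 in a subshell so the combined file is never world-readable
    ( umask 077 && cat "$key" "$crt" > "$dir/vsftpd.pem" ) || { rm -f "$key" "$crt"; return 1; }
    rm -f "$key" "$crt"
    chmod 600 "$dir/vsftpd.pem"
}

# write_vsftpd_ssl_conf CONF PEM
# Appends the TLS block to CONF. Plaintext logins and data transfers for
# local users stay refused (vsftpd's defaults once ssl_enable=YES, written
# out explicitly here), and SSLv2/SSLv3 are switched off by name.
write_vsftpd_ssl_conf() {
    conf=$1
    pem=$2
    cat >> "$conf" <<EOF
ssl_enable=YES
rsa_cert_file=$pem
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
EOF
}

# conf_value CONF KEY -> value of the last KEY= assignment, or empty.
# Commented lines (#key=...) do not match, as in vsftpd itself.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_vsftpd_ssl CONF
# Returns 0 when CONF enforces TLS for local users and keeps SSLv2/v3 off,
# 1 otherwise, printing each weak setting. A missing key is treated as the
# vsftpd default (enforcement on, SSLv2/v3 off), so only explicit
# weakenings are reported.
audit_vsftpd_ssl() {
    conf=$1
    rc=0
    [ "$(conf_value "$conf" ssl_enable)" = "YES" ] \
        || { echo "ssl_enable is not YES: FTPS is not offered at all"; rc=1; }
    [ "$(conf_value "$conf" force_local_logins_ssl)" != "NO" ] \
        || { echo "force_local_logins_ssl=NO: passwords may be sent in the clear"; rc=1; }
    [ "$(conf_value "$conf" force_local_data_ssl)" != "NO" ] \
        || { echo "force_local_data_ssl=NO: file data may be sent in the clear"; rc=1; }
    [ "$(conf_value "$conf" ssl_sslv2)" != "YES" ] \
        || { echo "ssl_sslv2=YES: SSLv2 enabled"; rc=1; }
    [ "$(conf_value "$conf" ssl_sslv3)" != "YES" ] \
        || { echo "ssl_sslv3=YES: SSLv3 enabled"; rc=1; }
    return $rc
}

# Stand-alone run ("sh script.sh demo"): builds everything in a scratch
# directory instead of /etc/vsftpd so nothing on the host is touched.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_vsftpd_cert "$work" && echo "wrote $work/vsftpd.pem"
    write_vsftpd_ssl_conf "$work/vsftpd.conf" "$work/vsftpd.pem"
    audit_vsftpd_ssl "$work/vsftpd.conf" && echo "TLS enforced for local users"
fi
```

To use it for real, call make_vsftpd_cert /etc/vsftpd and write_vsftpd_ssl_conf /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.pem, then restart vsftpd as above; running audit_vsftpd_ssl /etc/vsftpd/vsftpd.conf afterwards is a quick way to confirm nobody has later added force_local_data_ssl=NO or force_local_logins_ssl=NO to the file.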
Note: This worked fine from WinSCP and SmartFTP, but FileZilla gives me the following:
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server