#1 | 25th January 2011, 14:34 | pavljiks
PureFTP TLS problem - stuck for 2 days.

Ubuntu 10.10, ISPConfig 3.0.3.2.
Installed following http://www.howtoforge.com/perfect-se...ispconfig-3-p4
and
http://download.pureftpd.org/pub/pur...doc/README.TLS

Double-checked using http://www.howtoforge.com/how-to-con...n-debian-lenny
Tried dozens of self-signed and GoDaddy certificates.
But still can't log in using FTPES (explicit TLS/SSL).
Usual plain FTP works fine.

Switching FTP+TLS
Code:
root@server1:/home/user# echo 1 > /etc/pure-ftpd/conf/TLS
Illustrating the full certificate generation process:
Code:
root@server1:/home/user# /etc/init.d/pure-ftpd-mysql restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -D -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -u 1000 -H -E -8 UTF-8 -b -A -d -B
root@server1:/home/user# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 2048 bit RSA private key
..............+++
...............................................+++
writing new private key to '/etc/ssl/private/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LV
State or Province Name (full name) [Some-State]:LV
Locality Name (eg, city) []:LV
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LV
Organizational Unit Name (eg, section) []:LV
Common Name (eg, YOUR name) []:server1.mydomain.me
Email Address []:email@mydomain.me
Restarting pure-ftpd-mysql
Code:
root@server1:/home/user# /etc/init.d/pure-ftpd-mysql restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -D -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -u 1000 -H -E -8 UTF-8 -b -A -d -B
Got normally looking certificate and key.
Code:
cat pure-ftpd.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuFOxcX9pBvt9qBR8rLQ0q222y3rCtnZUJNTxZxLHKxt9gfVD
30WOqf7dX4JuNbZU9WkRC9iVBV/GfH4Pddh/XpHtvUUMfI/CX7uUqJkAoCPiRPlE
......
faAs69cSo9UrkCg6+9wRWfi24tOkzqbiOqoC0yceIWxoYYErbwfpG5fJ6Ybzzsko
0MHXwckPaBirJd4gFVVOTaHLYgGVJvyQQFu+gO/NFysGcRvQKU9A0w==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEVzCCAz+gAwIBAgIJAPGR8PXLd+qXMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
.........
JATs50UFqxej5QWWDn+ozsfcYH1px8CDR1LJiBF68D6eh0KPC9HnIvqfR+4WNJFJ
Oibz9buSPbZ3CpcF2ci2PRdzC6tss0BE+g/ziNFXWObE0/pvOQB02z/Jzzf0o1/M
RPCIR87dvbpEQ/E=
-----END CERTIFICATE-----

And when I try to connect using FileZilla with the explicit TLS method as described, I get:

Code:
Status:	Resolving address of server1.mydomain.at
Status:	Connecting to 1.1.1.1:21...
Status:	Connection established, waiting for welcome message...
Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:	220-You are user number 1 of 50 allowed.
Response:	220-Local time is now 15:25. Server port: 21.
Response:	220-This is a private system - No anonymous login
Response:	220-IPv6 connections are also welcome on this server.
Response:	220 You will be disconnected after 15 minutes of inactivity.
Command:	AUTH TLS
Response:	234 AUTH TLS OK.
Status:	Initializing TLS...
Error:	GnuTLS error -73: ASN1 parser: Error in TAG.
Error:	Could not connect to server
Status:	Waiting to retry...
Status:	Resolving address of server1.mydomain.at
Status:	Connecting to 1.1.1.1:21...
Status:	Connection established, waiting for welcome message...
Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:	220-You are user number 1 of 50 allowed.
Response:	220-Local time is now 15:25. Server port: 21.
Response:	220-This is a private system - No anonymous login
Response:	220-IPv6 connections are also welcome on this server.
Response:	220 You will be disconnected after 15 minutes of inactivity.
Command:	AUTH TLS
Response:	234 AUTH TLS OK.
Status:	Initializing TLS...
Error:	GnuTLS error -73: ASN1 parser: Error in TAG.
Error:	Could not connect to server
Debug log from server:
Code:
Jan 25 15:25:33 server1 pure-ftpd: (?@1.1.1.1) [INFO] New connection from 1.1.1.1
Jan 25 15:25:33 server1 pure-ftpd: (?@1.1.1.1) [DEBUG] Command [auth] [TLS]
Jan 25 15:25:33 server1 pure-ftpd: (?@1.1.1.1) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Have also tried a different FTP client, SmartFTP (which is also pureftp TLS supported).

Its output:
Code:
[15:30:28] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
[15:30:28] 220-You are user number 2 of 50 allowed.
[15:30:28] 220-Local time is now 15:30. Server port: 21.
[15:30:28] 220-This is a private system - No anonymous login
[15:30:28] 220-IPv6 connections are also welcome on this server.
[15:30:28] 220 You will be disconnected after 15 minutes of inactivity.
[15:30:28] AUTH TLS
[15:30:28] 234 AUTH TLS OK.
[15:30:28] SSL: Error (Error=0x80090308).
[15:30:28] The token supplied to the function is invalid
[15:30:28] Client closed the connection.
[15:30:28] Connect failed. Waiting to retry (30s)...
Maybe someone has found some solution. I am so
#2 | 26th January 2011, 14:16 | falko

Have you tried to accept the default values (by just pressing ENTER) when you generated the certificate?
#3 | 26th January 2011, 14:36 | pavljiks

Yes, also default values, including the correct CN and excluding it.
#4 | 26th January 2011, 14:38 | pavljiks

Is it possible for you to paste here a correct working certificate (self-tested)? I know it sounds stupid but I just can't imagine what else I could try to test.
#5 | 26th January 2011, 14:39 | till

Did you install the pure-ftpd package from Ubuntu, or did you compile it yourself or get it from any other source?
#6 | 26th January 2011, 14:43 | pavljiks

Quote (originally posted by till):
Did you install the pure-ftpd package from Ubuntu, or did you compile it yourself or get it from any other source?

Following instructions from
http://www.howtoforge.com/perfect-se...ispconfig-3-p4

aptitude install pure-ftpd-common pure-ftpd-mysql quota quotatool
#7 | 26th January 2011, 14:52 | till

It seems as if Ubuntu compiles pure-ftpd with the gnutls library for SSL instead of openssl. I've read on the internet that certs created with openssl sometimes cause parsing errors with gnutls. So you might want to try to create a new self-signed certificate with the cert tool that comes with gnutls instead of the openssl tool and try to use that with pure-ftpd. Here is a tutorial to create a key and certificate with gnutls:

http://ubuntuforums.org/showthread.php?t=1241136
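Added example (not part of the original thread and not ISPConfig or Pure-FTPd project code): one way to follow the suggestion in post #7, generating the key and self-signed certificate with GnuTLS certtool and bundling them into a single PEM file in the same key-then-certificate order as the file shown in post #1. The function names, the host name server1.example.test, the 365-day lifetime and the template contents are assumptions.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical helpers.

# Write a minimal certtool template for a TLS server certificate.
write_template() {   # $1 = common name (assumed value), $2 = template path
    cat > "$2" <<EOF
cn = "$1"
expiration_days = 365
tls_www_server
signing_key
encryption_key
EOF
}

# Concatenate key and certificate into one PEM file, readable by its owner only.
bundle_pem() {       # $1 = key, $2 = certificate, $3 = output bundle
    ( umask 077; cat "$1" "$2" > "$3" )
    chmod 600 "$3"
}

# Print the PEM block labels of a file in order, one per line.
pem_blocks() {       # $1 = PEM file
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Generate key + self-signed certificate with certtool and bundle them.
make_gnutls_pem() {  # $1 = common name, $2 = output bundle
    work=$(mktemp -d) || return 1
    write_template "$1" "$work/cert.tmpl"
    certtool --generate-privkey --outfile "$work/key.pem" &&
    certtool --generate-self-signed --load-privkey "$work/key.pem" \
             --template "$work/cert.tmpl" --outfile "$work/cert.pem" &&
    certtool --certificate-info --infile "$work/cert.pem" >/dev/null &&
    bundle_pem "$work/key.pem" "$work/cert.pem" "$2"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Handshake check that does not depend on any FTP client's TLS library.
check_ftpes() {      # $1 = host
    openssl s_client -connect "$1:21" -starttls ftp </dev/null
}

# Usage (as root), then restart pure-ftpd-mysql as in post #1:
#   make_gnutls_pem server1.example.test /etc/ssl/private/pure-ftpd.pem
#   check_ftpes server1.example.test
```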
#8 | 11th February 2011, 18:24 | pavljiks

GnuTLS certificates help. But I can't find any how-to for compiling pure-ftpd with the OpenSSL library, because I need to use a legitimate OpenSSL certificate from GoDaddy.