Certificate Valid but FileZilla says it is expired

Discussion in 'Installation/Configuration' started by cansin, Feb 25, 2020.

  1. cansin

    cansin New Member

    I have an ISPConfig installation running on Ubuntu 18.04. I installed it following the perfect server guide about a year ago.

    I have LetsEncrypt enabled for a bunch of domains and subdomains, they all work fine. My ISPConfig is installed on server.X.com but when I am connecting with FileZilla it gives an error saying certificate is expired.

    Troubleshooting I tried:
    • When I go to that subdomain on the browser it says the certificate is valid,
    • I tried "sudo certbot renew" and it said no renewals attempted because none of the certificates are due for one. In the list I can see server.X.com and its expiration date which is in the future.
    Can anyone tell me what I am missing here? Is there something I need to do to make sure ftp service recognizes the current valid certificate?

    Thank you.
    Last edited: Feb 25, 2020
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    ahrasis and Steini86 like this.
  3. Steini86

    Steini86 Active Member

    The LetsEncrypt setting in ISPC only installs the certificates for the web service. For all other services (like mail, ftp, ..) you have to do that by hand (some of the services do not support SNI, so only a single certificate is used and the service needs to know which of the many it should use).
    Basically: Activate letsencrypt for your main domain. Then link the certificates of the other services to that cert. See https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
    For pureftpd:
    cd /etc/ssl/private/
    mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
    chmod 600 pure-ftpd.pem
    service pure-ftpd-mysql restart
    Depends on your setup, you could also link directly to /etc/letsencrypt/live/domain/fullchain.pem ...

    Should refresh the page before answering ;-)
    @Taleman was faster
    ahrasis likes this.
  4. cansin

    cansin New Member

    I don't know why but /usr/local/ispconfig/interface/ssl/ispserver.pem is not automatically renewed on my server. I now realized that I set up a symlink to that when I first installed the server but, because it is not renewed, it started giving this error after it expired.

    /etc/letsencrypt/live/domain/fullchain.pem is the renewed certificate but I could not link to that either, somehow FTP requests are denied when I do that.

    Quick and dirty fix I did for now is to copy the contents of /etc/letsencrypt/live/domain/fullchain.pem and /etc/letsencrypt/archive/server.cansin.net/privkey5.pem into /usr/local/ispconfig/interface/ssl/ispserver.pem and linking to that as you and the guide suggested.

    This works for now, filezilla recognizes the renewed certificate; but I will have the same issue in a couple of months because the certificate on my /usr/local/ispconfig/interface/ssl/ispserver.pem is not updated when the certificate is renewed.

    Do you have any idea why my /usr/local/ispconfig/interface/ssl/ispserver.pem is not updated automatically?
  5. Steini86

    Steini86 Active Member

    Certbot only updates the files in /etc/letsencrypt
    You have to do that by yourself. You can:
    • Use a cronjob to create the ispserver.pem file regularly (does no harm, if the file contents are the same)
    • Use a symlink to /etc/letsencrypt/... I don't know, why this didn't work for you. Maybe the software does not like several symlinks. You could directly link to the /etc/letsencrypt/live file
    • In the linked article is a solution via incron (Chapter: "Create Auto Renewal Script For Your ISPConfig Pem File (ispserver.pem)"
  6. cansin

    cansin New Member

    Thank you for your help. I will create a crobjob as you said. I must have missed that last part about Auto Renewal Script the first time I've installed it. :)
    Steini86 likes this.

Share This Page