A weird error was seen today when a TLS certificate needed to be replaced on an FTP server running pure-ftpd.
Once the certificate file (by default /etc/ssl/private/pure-ftpd.pem; it is actually a bundle of private key + certificate) was replaced with the new content, the following error showed up after pure-ftpd was restarted:
root@ftp:~# systemctl status pure-ftpd
- pure-ftpd.service
Loaded: loaded (/etc/init.d/pure-ftpd; generated)
Active: active (exited) since Tue 2024-07-30 12:34:31 CEST; 4s ago
Docs: man:systemd-sysv-generator(8)
Process: 2164432 ExecStart=/etc/init.d/pure-ftpd start (code=exited, status=0/SUCCESS)
CPU: 43ms
Jul 30 12:34:31 ftp systemd[1]: Starting pure-ftpd.service...
Jul 30 12:34:31 ftp pure-ftpd[2164432]: Starting ftp server:
Jul 30 12:34:31 ftp pure-ftpd[2164440]: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -l pam -A -O clf:/var/log/pure-ftpd/transfer.log -J HIGH:ME>
Jul 30 12:34:31 ftp systemd[1]: Started pure-ftpd.service.
Jul 30 12:34:31 ftp pure-ftpd[2164441]: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
Reading this error, it looks like a typical permission problem. However, the documentation (README.TLS) confirms that chmod 600 is exactly the mode this file should have:
mkdir -p /etc/ssl/private
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout \
/etc/ssl/private/pure-ftpd.pem \
-out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem
And the file does indeed exist:
root@ftp:~# cat /etc/ssl/private/pure-ftpd.pem
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
After a lot of research, which led to no real hint, it turned out to be a copy+paste error.
The certificates (server certificate, intermediate certificate and root CA certificate) were copied from a Confluence page into the file on the Linux server (pasted using vim). This somehow added stray characters or spaces to the PEM data, so pure-ftpd's internal validation of the bundle failed. The error message claiming that the file doesn't exist is therefore misleading.
Once the key+certificate bundle was created on a Linux system from the command line instead, by concatenating the individual files without any editor or clipboard involved, everything was fine:
$ cat private.key server.crt ica.pem rootca.crt > pure-ftpd.pem
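A pre-flight check for exactly this failure mode, added here as an example and not part of the original post or of pure-ftpd: it scans a PEM bundle for non-ASCII and control characters, trailing whitespace and base64 that does not decode strictly, and confirms the bundle holds one private key plus at least one certificate. The two bundles below are constructed placeholders (not real key material); the "bad" one simulates a wiki paste that smuggled in a non-breaking space and a CRLF.

```python
import base64
import binascii
import re
import sys

# Constructed PEM bodies (placeholders, not a real key or certificate): the
# structural check only needs valid base64, a real bundle carries DER data.
_KEY_BODY = base64.b64encode(b"constructed private key placeholder").decode()
_CERT_BODY = base64.b64encode(b"constructed certificate placeholder").decode()
GOOD_BUNDLE = (
    f"-----BEGIN PRIVATE KEY-----\n{_KEY_BODY}\n-----END PRIVATE KEY-----\n"
    f"-----BEGIN CERTIFICATE-----\n{_CERT_BODY}\n-----END CERTIFICATE-----\n"
)
# Simulated wiki paste: a non-breaking space and a CRLF sneak into the key block
BAD_BUNDLE = GOOD_BUNDLE.replace("\n-----END PRIVATE", "\u00a0\r\n-----END PRIVATE", 1)

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def check_pem_bundle(text):
    """Return (problems, block_types); an empty problems list means the bundle
    is clean ASCII PEM with one private key and at least one certificate."""
    problems = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for ch in line:
            # PEM is 7-bit ASCII; NBSP, CR, zero-width chars etc. are paste debris
            if ord(ch) > 0x7E or (ord(ch) < 0x20 and ch != "\t"):
                problems.append(f"line {lineno}: non-ASCII/control char U+{ord(ch):04X}")
        if line != line.rstrip():
            problems.append(f"line {lineno}: trailing whitespace")
    block_types = []
    for m in BLOCK_RE.finditer(text):
        block_types.append(m.group(1))
        body = m.group(2).replace("\n", "")  # keep stray chars so strict decoding sees them
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError) as exc:
            problems.append(f"{m.group(1)} block: base64 decoding failed: {exc}")
    if sum(t.endswith("PRIVATE KEY") for t in block_types) != 1:
        problems.append("bundle must contain exactly one private key block")
    if "CERTIFICATE" not in block_types:
        problems.append("bundle contains no certificate block")
    return problems, block_types


if __name__ == "__main__":
    # Usage: python3 check_pem.py /etc/ssl/private/pure-ftpd.pem (no argument: demo on BAD_BUNDLE)
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else BAD_BUNDLE
    found, kinds = check_pem_bundle(data)
    print(f"blocks: {kinds}")
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it against the bundle before restarting pure-ftpd; a non-zero exit with the offending line numbers points straight at the paste damage that the daemon's "file doesn't exist" message hides.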
Once this file was placed on the FTP server and pure-ftpd restarted, the error was gone:
root@ftp:~# systemctl status pure-ftpd
- pure-ftpd.service
Loaded: loaded (/etc/init.d/pure-ftpd; generated)
Active: active (running) since Tue 2024-07-30 12:39:17 CEST; 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 2167138 ExecStart=/etc/init.d/pure-ftpd start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 9434)
Memory: 2.0M
CPU: 41ms
CGroup: /system.slice/pure-ftpd.service
└─2167148 "pure-ftpd (SERVER)"