0

Following this tutorial I managed to add FTPS connectivity to the server.

Following step 6 in the tutorial:

  • 6.1 generate certificate

    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

  • 6.2 add certificate to /etc/vsftpd.conf

    rsa_cert_file=/etc/ssl/private/vsftpd.pem

    rsa_private_key_file=/etc/ssl/private/vsftpd.pem

It works for FileZilla but with curl it seems I can't re-use the same certificate, I downloaded the certificate file from the server and am useing it like so

$ curl -v --cert ~/.ssh/vsftpd.pem --user MYUSER:PASSWORD ftp://SERVER-IP * Trying SERVER-IP... * TCP_NODELAY set * Connected to SERVER-IP (SERVER-IP) port 21 (#0) < 220 (vsFTPd 3.0.3) > USER MYUSER < 530 Non-anonymous sessions must use encryption. * Access denied: 530 * Closing connection 0 curl: (67) Access denied: 530

With FTPS

$ curl -v --cert ~/.ssh/vsftpd.pem --user MYUSER:PASSWORD ftps://SERVER-IP * Trying SERVER-IP... * TCP_NODELAY set * Connection failed * connect to SERVER-IP port 990 failed: Connection refused * Failed to connect to SERVER-IP port 990: Connection refused * Closing connection 0 curl: (7) Failed to connect to SERVER-IP port 990: Connection refused

How can I use the same certificate for both FileZilla and curl (since git-ftp uses curl) to upload files via FTPS?

Update

Adding the parameter --ftp-ssl:

* Trying SERVER-IP... * TCP_NODELAY set * Connected to SERVER-IP (SERVER-IP) port 21 (#0) < 220 (vsFTPd 3.0.3) > AUTH SSL < 234 Proceed with negotiation. * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /usr/local/etc/openssl/cert.pem CApath: /usr/local/etc/openssl/certs * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: self signed certificate * Closing connection 0 curl: (60) SSL certificate problem: self signed certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Improve this question

2 Answers 2

Reset to default
0

curls parameter --cert is used to provide the client authentication certificate. As long as you are not authenticating with client certificates you don't need it.

To use ftps use the --ftp-ssl parameter.

Improve this answer
3
  • Thanks, I updated the question with the the result of adding --ftp-ssl. Maybe I'm missing something but FileZilla asked whether I wanted to connect with the self signed certificate, since I accepted I was able to connect with no problem. Does curl have a similar option? Commented Sep 20, 2018 at 13:22
  • You can either add the certificate to the trusted certificates on your system (this procedure is well documented), or you visit the URL curl suggested to you and disable the peer check. Commented Sep 20, 2018 at 13:25
  • I forgot to mention I was trying to connect from macOS, it turn's out curl on macOS does not support passing the certificate file, the file must be added to the Keychain instead. Also it seems .pem files are not recognized a valid certificates using security add-trusted-cert. Commented Sep 20, 2018 at 14:39
0

Due to curl on macOS working with the database on the Keychain Access app the instructions differer from those needed for Linux, I documented the instructions here

Working with git-ftp on macOS client and vsftpd on Linux server

Generate SSL certificate and key

$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout ~/.ssh/vsftpd.key -out ~/.ssh/vsftpd.crt

Add the generated certificate to the Keychain Access app

$ security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.ssh/vsftpd.crt

Upload certificate and key to the server and copy the files to /etc/ssl/private/

Follow the steps descrived here, in step 6 use the already generated certificates instead of generating new ones

rsa_cert_file=/etc/ssl/private/vsftpd.crt rsa_private_key_file=/etc/ssl/private/vsftpd.key

After vsftpd is running on the server, install git-ftp

$ brew install git-ftp

Add the server settings using ftpes for the protocol

$ git config git-ftp.url "ftpes://<SERVER-IP>/path/to/repository/" $ git config git-ftp.user "<FTP-USER>" $ git config git-ftp.password "<FTP-PASSWORD>" $ git config git-ftp.cacert "~/.ssh/vsftpd.crt"

Initialize git-ftp, in which case the repository will be uploaded in the initialization process

$ git ftp init -v

After additional commits are added to the repository, push changes to the ftp repository

$ git ftp push -v
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.