Author Topic: FileZilla with Let's Encrypt  (Read 3812 times)

0 Members and 1 Guest are viewing this topic.

Online T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 19267
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
FileZilla with Let's Encrypt
« on: November 16, 2021, 09:32:46 pm »
Setting up a new FTP today.  I've used FZ before, seems reasonable enough.  Let's go get the current version and see.

I see an option for Let's Encrypt, integrating the ACME interface.  Cool.

I already have an account for that, even.  So I just need to... hmm, no, I can't just link it with my existing account, it looks like it has to make a completely new one?  Weird.

Well, I don't need to administer it that way either, I can just point it to the same files then.

Right?

LE doesn't make a private key file though.  I see the PEM and PFX files.  Do those work?

It doesn't even tell me what extensions it's looking for...

(From what I've seen in searching, it seems to want a *.key and *.pem respectively.  Still not entirely sure.  It seems to do nothing about an incorrect file, and one of them seems to use the *.pem but without the *.key it emits some random bullshit gnuTLS error. Thanks.)

No one is talking about this, any conceivable query I search on returns irrelevant results: sure, configure LE integration, but I don't want that; configure a 3rd-party cert (with all the related files included as a package), no not quite the same thing; it seems like the more insistent I am, trying to query this one narrow subject, the harder it pushes me towards something completely not that.

Am I just a complete idiot?  I know I don't know much about certificates and keys, as actually used by applications.  Is this just a question that is -- and I've somehow managed to miss this -- so immediately, patently obvious, that no one dares ask it?

As near as I can tell -- besides the fact that it says LE integration right there -- it wants a x.509 cert, that LE provides, and so, I should be very reasonably assuming, that it can just, *hands bumping together gesture, "now kiss"* and, that'd be that, right?

Is it hidden by intent, not coincidence?  I notice Filezilla is doing this "Pro" shit and I'm guessing, besides integration of commercial services, they want money for support too.  I get it, but that's no excuse for utterly crippling your supposed-free ware.  I'm not even seeing basic documents like what the fields are on the fucking dialog.  Also, version 1.1.0 is apparently so new, nobody's even screenshotted it; I see hits with the respective dialog for version 0.9.60-something.  Which again, do nothing with the particular text fields I'm trying to figure out.

Is this just a complete fucking waste of time, do I generate a self-signed cert and just leave it?  Will that do anything with respect to my domain?  (So obviously, yes this will be ftp on my domain, and no, it won't be public/anon, don't bother probing it etc...)

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline tru

  • Regular Contributor
  • *
  • Posts: 90
  • Country: gb
Re: FileZilla with Let's Encrypt
« Reply #1 on: March 04, 2022, 03:37:59 pm »
I have FileZilla Server working with FTP over TLS, using a Lets Encrypt generated private key and certificate file both in .pem format.
Note, I'm no expert, just used win-acme script to output the key and certificate to .pem format and to a particular folder.
Then in FZ server admin gui Settings/FTP over TLS settings, browsed to those two files.
 
The following users thanked this post: edavid

Online Marco

  • Super Contributor
  • ***
  • Posts: 5628
  • Country: nl
Re: FileZilla with Let's Encrypt
« Reply #2 on: March 04, 2022, 04:18:05 pm »
Quote
FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21). In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).

This has to be an elaborate joke. No one could have honestly wanted to extend one of the worst major protocols in history with TLS could they? In two incompatible ways to boot.
 

Online T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 19267
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: FileZilla with Let's Encrypt
« Reply #3 on: March 04, 2022, 04:30:49 pm »
I have literally zero of those options, though. ???

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 2843
  • Country: us
Re: FileZilla with Let's Encrypt
« Reply #4 on: March 08, 2022, 05:11:29 am »
Quote
FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21). In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).

This has to be an elaborate joke. No one could have honestly wanted to extend one of the worst major protocols in history with TLS could they? In two incompatible ways to boot.

Pretty much every pre-1995 protocol still in use has these options.  Imap, smtp, and NNTP all have it as well.  HTTP is really the odd one out with no STARTTLS or equivalent version in use.  The dedicated SSL/TLS port was easy to implement and could be done with a simple shim.  However its more annoying to have two ports and harder to convince network administrators to open additional firewall ports for niche versions of what were already niche protocols. STARTTLS allows you to run the same port for encrypted and non encrypted clients. 
 

Offline jonpaul

  • Super Contributor
  • ***
  • Posts: 1121
  • Country: fr
Re: FileZilla with Let's Encrypt
« Reply #5 on: March 21, 2022, 01:17:00 pm »
Tim, we encrypted each file before use of,FTP or email to transmit

EG,use Adobe Acrobat Pro with password

Never had an issue with Filezilla

"You have no privacy anyway..get over it!"
 Scott McNely ceo Sun Microsystems 1999

Bon courage

Jon
Jean-Paul (EE 1968, the Internet Dinosaur)
 

Online golden_labels

  • Frequent Contributor
  • **
  • Posts: 582
  • Country: pl
Re: FileZilla with Let's Encrypt
« Reply #6 on: March 22, 2022, 01:07:23 am »
jonpaul:
What will be the next advice? Routinely working on live circuits, because some random guy 50 years ago said that “we can be hit by a lightning anyway, so why care”? Even weirder, considering the painting you have set as your avatar.

T3sl4co1l:
I skipped that topic entirely earlier, due to the smell FileZilla attained and that I would need to verify and build the server myself. Not knowing the piece of software, what you described looks unfamiliar to me too: in other words, the description is really not providing any information about the actual issue you are experiencing. Other than “it doesn’t work” and mentioning “some random bullshit error”, the content of which you didn’t share with us.

So, trying to help from a more general perspective, let’s first make sure we’re talking about the same thing. On the server side, TLS has two components: server’s private key, which is secret, and a certificate, which is public and sent to clients. The role of a Certification Authority (CA) is to issue you that certificate. ACME is a relatively recent, open and standardized protocol to automatize that, supported by some CAs. ISRG, the organisation behind the Let’s Encrypt brand, is one of them.

The process is as follows:
ACME handles the 3rd point. The rest is up to you and software you use.

Now: I do not know what “ACME support” in FileZilla means. I will skip that part completely. Even if they do handle generation of the key pair and then ACME, personally I would avoid using that implementation due to my concerns about implementation quality. Instead, you may use another ACME implementation and then install the relevant files. If FileZilla Server supports TLS, it must accept them — it’s a part of the technology, not a thing they can make decisions about.

A commonly used ACME client is certbot, a reference implementation maintained by Electronic Frontiers Foundation. The advantages are: it will generate the keypair for you, it will make and send CSRs, and handle validation. The output are multiple files in “config/live/DOMAIN_NAME”, among them the key and the certificate. Judging by the screenshots I found on the internet, FileZilla Server allows selecting those files in Options, in “SSL/TLS settings” branch.  That will be the “Private Key File” and “Certificate File” inputs. The private key is “privkey.pem”. The certificate is normally “fullchain.pem”, which contains both your certificate and all certificates in its chain. Some servers (perhaps FileZilla too) may expect your certificate only (“cert.pem”), though this is rare.

Now, at this point I can’t help you with certbot: for that I would need to know your operating system. On many Linux distros it will be quite easy, though I will be of little assistance if it comes to Windows (in particular with Python and other dependencies installation).
Dihydrogen monoxide was responsible for Fukushima, Chernobyl and TMI disasters
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 

Offline Whales

  • Super Contributor
  • ***
  • Posts: 1421
  • Country: au
    • Halestrom
Re: FileZilla with Let's Encrypt
« Reply #7 on: March 22, 2022, 02:26:51 am »
Sidenote: sftp is nice (not to be confused with ftps).  It's technically not of FTP pedigree, but it acts just like it and the filezilla client supports it.

(Behind the scenes it's over ssh.  Instead of creating an FTP server you create an SSH server.)

Not always the best solution.  It looks a bit fiddly if you only want people to have read-only access, albeit I usually run a http/https server for that.  Not sure if you absolutely need lets-encrypt style certs or not (ssh doesn't support cert chains like browsers do, it has its own system).
« Last Edit: March 22, 2022, 02:30:10 am by Whales »
 

Online golden_labels

  • Frequent Contributor
  • **
  • Posts: 582
  • Country: pl
Re: FileZilla with Let's Encrypt
« Reply #8 on: March 22, 2022, 03:46:36 am »
Both SSH and TLS support certificates with or without CA chains. In terms of cryptographic features both technologies are conceptually the same. If SSL was known back in the day,(1) we might not even have SSH now.

The perception of them being different probably arises from the most visible deployment, not technical limitations. TLS is used with services facing the general public, requiring public CAs and the chain of trust, where authentication of the server is the primary concern. SSH is used with services addressed to narrow groups or single clients, where authentication of the client is the main goal and there is either no requirement for the chain of trust or the organisation has their own internal CA.


(1) Publicly available versions of SSH and SSL were created at the same time. So there was no chance for SSH to simply re-use SSL.
Dihydrogen monoxide was responsible for Fukushima, Chernobyl and TMI disasters
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 

Online T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 19267
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: FileZilla with Let's Encrypt
« Reply #9 on: March 22, 2022, 10:34:30 am »
This is what it looks like:
https://www.seventransistorlabs.com/Images/Filezillasettings.jpg
three blank boxes.  No "..." button to select a file.  No suggested path or extension.  Just blank boxes.

Like, not even a hint about where I might put the file(s) if it's expecting them locally, or if the path can be relative (in which case: to what?) or must be absolute.

To be clear, I'm using the self-signed cert.  It's stupid and shitty, but all I need is a few clients, and having them waive a self-signed is fine.  I'm not going to change it at this point, even if I solve the OP problem.


Don't know if the docs have been updated by now, but at the time all I could find was screenshots walking through the prior versions' dialogs.  Which looked...sensible?  Like, they actually broke this dialog?  Idunno man.

Like, this is endemic.  Endemic to everything free software.  The new version isn't better, it's just different, and often, broken.  Every time I go and update something, and think I'm smart for choosing the latest latest version, it's gotta be 20% of the time this happens, maybe more, it just breaks: it's a new interface or API or whatever, data is lost because it's all in new locations (and the updater/installer doesn't check the earlier version's structures, or check early enough versions thereof, because it's probably been changed multiple times over the years?).  Man, it feels like a fuckin' conspiracy, and I'm not in on it.  I'm serious, on the order of 20%, there's no possible way it's on accident every time.  Are there style guides that say you have to break your project every so often?

And that's if the software works at all.  Like, just the last two days, for something unrelated, I wholly spent faffing with Cygwin packages and a dev build to try and make the thing from sources, and it just totally shit the bed.  Dependency hell never went away, it's -- as near as I can tell -- crafted intentionally.  A manifestly avoidable situation, just if the resources used by this project were better organized.  But that's not how they're distributed.  You have to ask the package manager, you have to guess what the package is named, and still get the wrong files.  Granted, Cygwin was a roundabout choice for what was ultimately a Windows build, but it's also in the project instructions.  I had every expectation that it was supported, and would work.  (As it turns out, the solution is probably a slipped line in a cmake script.  But I don't cmake, I don't make, I don't know what the hell these things are doing.  I know C.  I recognize the errors, it's pulled the wrong file.  I can deal with that.  I can't deal with all this logistics BS.)

Like... free software would be great, if they just made it slightly better... they could even charge money for it!  Oh wait... :palm:

And FZ, I think at least are trying that, their support line is prominently posted.  Fine.  I get the hustle.  But it ain't everyone trying to do that hustle.  And still, everything is this likely to be broken.  I don't get it.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 5628
  • Country: nl
Re: FileZilla with Let's Encrypt
« Reply #10 on: March 22, 2022, 10:59:23 am »
The free documentation might be wrong regardless ... but they do say :

Quote
After you have created the certificate enter its name and folder path location into the "Private key file" field or browse to it.

So full root referenced path.
 

Offline jonpaul

  • Super Contributor
  • ***
  • Posts: 1121
  • Country: fr
Re: FileZilla with Let's Encrypt
« Reply #11 on: March 23, 2022, 08:20:37 am »
Golden Labels...many thanks for the note....

1/ PrivacyAny Agency (NSA, CIA, others) in USA gov or FSB, Chinese, Iran can and will harvest your emails, contacts  logins and messages by chance or by purpose.
Email, FTP and Web  should be assumeed compromised, more like  postcard than a registered letter....

2/ Quote Scott McNealy line  is a general joke....THat he made it in 1999  illustrates how old the issue of privacy and backdoor is.

3/ Painting..  My love of France and its history dates  to my first visit at Paris  March 1970.  My avatar is  painting is titled
 "La Liberté guidant le peuple"  by Eugène Delacroix,  commemorating France's  July Revolution of 1830, with the symbol of France, Marianne.

Aux Armes Citoyens!

VIVE LA FRANCE!

Bon Soiree,

Jon



Jean-Paul (EE 1968, the Internet Dinosaur)
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf