How to secure ProFTPD with a free Let’s Encrypt SSL Certificate on Debian 12

Securing ProFTPD with a free Let's Encrypt SSL certificate on Debian 12 is required to ensure your FTP communications are encrypted and secure.

In this guide, I'll show you how to enable SSL/TLS for ProFTPD and get a free SSL Certificate for ProFTPD from Let's Encrypt.

Step 1: Install Certbot

Certbot is a popular tool for obtaining Let's Encrypt SSL certificates. Start by installing it:

sudo apt update
sudo apt install certbot

Tip: Certbot automates the process of obtaining and renewing SSL certificates, making it easier to keep your server secure.

Step 2: Obtain an SSL Certificate

You'll need to obtain an SSL certificate for your domain. Make sure your domain is pointing to the server's IP address and then run:

sudo certbot certonly --standalone -d yourdomain.com

Replace yourdomain.com with your actual domain name. Certbot will handle the request and, if successful, will save your SSL certificates in /etc/letsencrypt/live/yourdomain.com/.

How it works: Certbot uses a standalone web server to verify the domain. Make sure no other service is running on port 80 before executing the command.

Step 3: Configure ProFTPD to Use the Let's Encrypt Certificate

Now that you have the SSL certificate, you need to configure ProFTPD to use it. Open or create the TLS configuration file:

sudo nano /etc/proftpd/tls.conf

Add the following configuration to the file:

<IfModule mod_tls.c>
  TLSEngine                   on
  TLSLog                      /var/log/proftpd/tls.log
  TLSProtocol                 TLSv1.2 TLSv1.3
  TLSRSACertificateFile       /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  TLSRSACertificateKeyFile    /etc/letsencrypt/live/yourdomain.com/privkey.pem
  TLSOptions                  NoCertRequest
  TLSVerifyClient             off
  TLSRequired                 on
</IfModule>

Replace yourdomain.com with your actual domain name.

Ensure that the mod_tls.c module is enabled in ProFTPD. If it’s not, you can enable it by adding LoadModule mod_tls.c in your ProFTPD configuration file.

Step 4: Edit the Main ProFTPD Configuration

Next, include the TLS configuration in your main ProFTPD configuration file:

sudo nano /etc/proftpd/proftpd.conf

Add the following line:

Include /etc/proftpd/tls.conf

This line ensures that ProFTPD loads the TLS configuration during startup.

Step 5: Adjust File Permissions

Ensure that the ProFTPD service has the necessary permissions to access the Let's Encrypt certificates:

sudo chown -R proftpd:proftpd /etc/letsencrypt/live/yourdomain.com/
sudo chmod -R 640 /etc/letsencrypt/live/yourdomain.com/

Note: Be cautious with permissions; the certificates should be readable by the ProFTPD service but protected from unauthorized access.

Step 6: Restart ProFTPD

Restart the ProFTPD service to apply the changes:

sudo systemctl restart proftpd

Check the status of ProFTPD with sudo systemctl status proftpd to ensure it's running without errors.

Step 7: Test the FTP Server

You can now test the FTP server to ensure that it’s using the SSL certificate. Use an FTP client like FileZilla and connect to your server using FTPS (FTP over SSL/TLS). Ensure that the connection is secured by checking the certificate details in the client.

Step 8: Set Up Automatic Renewal for the Certificate

Let's Encrypt certificates expire every 90 days, so you'll need to ensure automatic renewal is set up. Certbot handles this for you, but you should double-check by running:

sudo certbot renew --dry-run

This command simulates the renewal process and ensures everything is set up correctly.

Certbot typically adds a cron job or systemd timer for automatic renewal. If the dry-run is successful, your certificates should renew automatically without intervention.

Conclusion

By following these steps, you have successfully secured your ProFTPD server with a free SSL certificate from Let's Encrypt on Debian 12. This setup will encrypt your FTP traffic, making it much more secure, especially when transferring sensitive data. Remember to keep your software up to date and monitor your certificates to ensure continuous security.