Configure VSFTPD to use SSL/TLS Certificates on Ubuntu 17.04 | 17.10

This post shows students and new users how to configure VSFTPD to use SSL/TLS certificates on Ubuntu 17.04 | 17.10. We recently showed you how to install and use VSFTPD, but the connection between client and server in that setup was not encrypted.

Plain FTP sends usernames, passwords and file contents in clear text, so anyone who can see the traffic between client and server (on the same network, or on any hop in between) can read all of it. With SSL/TLS the session is encrypted, so an observer who captures the traffic can no longer read the credentials or the files.

If you followed our tutorial last week on installing VSFTPD on Ubuntu and want to enable SSL/TLS, continue with the steps below. It is quick, but you must already have a working VSFTPD server running on Ubuntu before continuing.

Before continuing below, please make sure you’ve read our previous tutorial and have installed and configured VSFTPD to function on Ubuntu. The tutorial below should be the first thing you read before going any further.

Setup VSFTPD on Ubuntu 17.04 / 17.10

After applying the above post, continue below to add SSL/TLS to the server.

 

Step 1: Create a Self-signed SSL/TLS certificate

To protect the VSFTPD server and transfer data over SSL/TLS, you need an SSL/TLS certificate and its private key. You can get a trusted certificate from a certificate authority or create a self-signed one.

A self-signed certificate is fine for a lab or an internal server: clients will warn that the issuer is unknown, so the first time each user connects they must compare the certificate fingerprint with the one on the server before accepting it. For a server that customers connect to, obtain a certificate from a CA so their clients can validate it without that manual step.

To create a self-signed certificate valid for one year, run the commands below. The -nodes flag stores the private key unencrypted, which vsftpd needs because it cannot prompt for a passphrase when it starts, so the key file must be readable by root only.

sudo bash
cd /etc/ssl/private
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout vsftpdServerkey.pem -out vsftpdCertificate.pem -days 365
chmod 600 vsftpdServerkey.pem

After running the commands above, you will be prompted for the details that go into the certificate. Use the guide below to answer the questions. The Common Name must be the hostname (or IP address) that clients will use to connect, because that is what the client compares against the certificate.

writing new private key to 'vsftpdServerkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Lab
Organizational Unit Name (eg, section) []:Lab
Common Name (e.g. server FQDN or YOUR name) []:vsftpdserver.com
Email Address []:

After that, a new server private key (vsftpdServerkey.pem) and server certificate (vsftpdCertificate.pem) should have been created in the /etc/ssl/private directory. These are the two paths you will put in the VSFTPD configuration in the next step.
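The same step without the interactive prompts, plus the checks worth running before you point vsftpd at the files: that the certificate really belongs to the key, that the key is readable by root only, that the Common Name is the one you intended, and the SHA-256 fingerprint you will compare with what your FTP client shows in Step 3. This is an added example for this post, not code from the original tutorial or from vsftpd; the directory, hostname and lifetime are parameters, the DN fields are the sample answers given above, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Non-interactive version of the certificate step, plus sanity checks.
# Added example, not from the original post or the vsftpd project; the
# directory, hostname and lifetime are parameters (the DN fields below
# are the sample answers from the post).
set -u

# make_vsftpd_cert DIR CN DAYS
# Writes DIR/vsftpdServerkey.pem and DIR/vsftpdCertificate.pem (the file
# names used above). -nodes leaves the key unencrypted because vsftpd cannot
# prompt for a passphrase at start-up; the umask makes the key mode 600 from
# the moment it is created instead of fixing it afterwards.
make_vsftpd_cert() {
    dir=$1; cn=$2; days=$3
    ( umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -sha256 \
          -subj "/C=US/ST=New York/L=Brooklyn/O=My Lab/OU=Lab/CN=$cn" \
          -keyout "$dir/vsftpdServerkey.pem" \
          -out "$dir/vsftpdCertificate.pem" \
          -days "$days" )
}

# keypair_matches KEY CERT: the modulus in the certificate must be the one in
# the private key, otherwise the rsa_cert_file/rsa_private_key_file pair is
# mismatched and every TLS handshake fails at runtime.
keypair_matches() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: vsftpd loads the key with root privileges, so nobody
# else needs access; mode 600 is the expectation (stat -c is GNU coreutils,
# an assumption about the platform).
key_is_private() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# cert_cn CERT: the Common Name clients will compare against the hostname.
# The sed works for both the "CN = x" and the "/CN=x" subject formats.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_fingerprint CERT: the value to compare with the fingerprint FileZilla
# shows in its certificate dialog before you click Accept.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Usage: sh make-vsftpd-cert.sh /etc/ssl/private vsftpdserver.com 365
if [ $# -eq 3 ]; then
    make_vsftpd_cert "$1" "$2" "$3" &&
    keypair_matches "$1/vsftpdServerkey.pem" "$1/vsftpdCertificate.pem" &&
    key_is_private "$1/vsftpdServerkey.pem" &&
    echo "CN: $(cert_cn "$1/vsftpdCertificate.pem")" &&
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1/vsftpdCertificate.pem")"
fi
```

Run it as root with the directory, the hostname clients will use, and the number of days; keep the fingerprint it prints somewhere you can read it from the client machine.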

Step 2: Configuring VSFTPD to use SSL/TLS

Now that you have generated the server private key and certificate, configure VSFTPD to use them. To do that, run the command below to open the VSFTPD default configuration file.

sudo nano /etc/vsftpd.conf

Then make the changes below so that the server communicates over SSL/TLS.

# Location of the certificate and private key created in Step 1
rsa_cert_file=/etc/ssl/private/vsftpdCertificate.pem
rsa_private_key_file=/etc/ssl/private/vsftpdServerkey.pem
# Turn TLS on
ssl_enable=YES
# Anonymous users, if they are enabled at all, get no TLS; this setup is for local users
allow_anon_ssl=NO
# Refuse clear-text logins and clear-text data transfers for local users
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Allow TLS and reject the broken SSLv2 and SSLv3 protocols
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Save your changes. One caveat before you restart: once the control channel is encrypted, a firewall or NAT device can no longer read the PASV reply to open the data connection on the fly, so if the server sits behind one you also need a fixed passive port range (pasv_min_port and pasv_max_port) and a firewall rule that allows it.
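To see the difference between a half-done TLS setup and the one above, here is a small audit script, added to this post and not part of vsftpd or the original tutorial, that reads a vsftpd.conf and reports every setting that would still allow a clear-text login or a legacy protocol. It assumes the option names and the defaults for unset options documented in vsftpd.conf(5); the two sample configurations it writes are constructed for the demonstration, and its hardened sample adds three lines beyond the block above (ssl_ciphers, require_ssl_reuse and a passive port range) that most FTPS deployments end up needing.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the TLS settings this post enables, and show a weak
# config beside a hardened one. Added example, not part of vsftpd or the
# original post. Option names are vsftpd's own; the "default" values used for
# unset options are taken from the vsftpd.conf(5) man page (assumption: the
# vsftpd 3.0.x documentation). Both sample configs below are constructed.

# conf_value FILE KEY: effective value of KEY, taken here as the last
# uncommented "KEY=value" line (an unset option yields an empty string).
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d ' \t\r'
}

# audit_vsftpd_tls FILE: prints a FAIL line for each required setting that is
# wrong and a WARN line for advisable ones that are missing; returns the number
# of FAILs, so 0 means the mandatory settings are all in place.
audit_vsftpd_tls() {
    conf=$1
    fails=0
    # option=required=default (the default applies when the option is absent)
    for rule in ssl_enable=YES=NO \
                force_local_logins_ssl=YES=YES \
                force_local_data_ssl=YES=YES \
                allow_anon_ssl=NO=NO \
                ssl_sslv2=NO=NO \
                ssl_sslv3=NO=NO; do
        key=${rule%%=*}; rest=${rule#*=}
        want=${rest%%=*}; def=${rest#*=}
        got=$(conf_value "$conf" "$key")
        [ -n "$got" ] || got=$def
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key should be $want (effective value: $got)"
            fails=$((fails + 1))
        fi
    done
    # vsftpd cannot serve TLS without both files; an empty path is a FAIL.
    for key in rsa_cert_file rsa_private_key_file; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "FAIL: $key is not set"
            fails=$((fails + 1))
        fi
    done
    # Advisable, but not required for the goal of this post.
    [ -n "$(conf_value "$conf" ssl_ciphers)" ] ||
        echo "WARN: ssl_ciphers unset; do not rely on vsftpd's built-in cipher default (historically DES-CBC3-SHA), set ssl_ciphers=HIGH"
    [ -n "$(conf_value "$conf" pasv_min_port)" ] && [ -n "$(conf_value "$conf" pasv_max_port)" ] ||
        echo "WARN: no pasv_min_port/pasv_max_port; a firewall cannot follow PASV on an encrypted control channel, fix the range and open it"
    return $fails
}

# write_samples DIR: a constructed weak config (TLS available but optional,
# SSLv3 left on) and the hardened one from this post with the extra lines.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed example of a half-done TLS setup
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_sslv3=YES
EOF
    cat > "$1/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpdCertificate.pem
rsa_private_key_file=/etc/ssl/private/vsftpdServerkey.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
EOF
}

# Usage: sh audit-vsftpd-tls.sh /etc/vsftpd.conf  (no argument: run the samples)
if [ $# -eq 1 ]; then
    audit_vsftpd_tls "$1"
else
    demo=$(mktemp -d)
    write_samples "$demo"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_vsftpd_tls "$demo/$f.conf" && echo "-> OK" || echo "-> $? failure(s)"
    done
    rm -rf "$demo"
fi
```

Run it against the live file with sh audit-vsftpd-tls.sh /etc/vsftpd.conf after editing. Of the three extra lines in the hardened sample, ssl_ciphers=HIGH replaces vsftpd's built-in cipher default, require_ssl_reuse=NO is the pragmatic choice when clients other than FileZilla fail on the data connection because they do not resume the control-channel TLS session (FileZilla does, so you can keep vsftpd's default if it is your only client), and the passive range is what lets you write a firewall rule for the data connections.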

Step 3: Restart VSFTPD Server

After adding the lines above to the file and saving it, run the command below to restart the VSFTPD server.

sudo systemctl restart vsftpd

Now grab your favorite FTP client (FileZilla) and connect with these settings: host is your server's name or IP address, port 21, protocol FTP, encryption set to "Require explicit FTP over TLS" (the AUTH TLS upgrade on port 21; this setup does not use implicit FTPS on port 990), and your local username and password.

On the first connection FileZilla shows the server's certificate and asks whether to trust it. Do not just click through: compare the SHA-256 fingerprint it shows with the fingerprint of /etc/ssl/private/vsftpdCertificate.pem on the server, and only then accept it. FileZilla remembers the certificate for later sessions and will warn you again if it changes.

You should now be transferring files securely via SSL/TLS. Two quick checks confirm it: FileZilla's message log shows AUTH TLS and the TLS handshake before the USER command is sent, and a plain FTP client (or FileZilla with encryption set to "Only use plain FTP") is refused with "530 Non-anonymous sessions must use encryption." because of force_local_logins_ssl=YES.

Enjoy!
