
ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

Old 04-29-2008, 10:03 AM   #1
Smirnoff
Junior Member
 
Join Date: Mar 2004
Posts: 10
ioftpd as a service - how to configure an official certificate

Hello,

I'm running ioftpd 6.4.3.
I have an official company certificate and need to implement ioftpd as a service (as we need an FTPS-only site for some customers).
From the KB (https://oss.azurewebsites.net/pages/en.ioftpd-kb.php) I can see how to create and install a certificate in this case, but I would need to use the official one (from digicert, if that matters).

Thanks for your help
Smirnoff

For the lazy among us:

Q: How can I install an SSL certificate for ioFTPD running as a service?
A: This will allow you to use SSL with an ioFTPD server installed as a service running as the LOCAL SERVICE account.

First, make sure you have those two variables in your etc\ioftpd.env:

SYSTEMDRIVE=%[environment(SYSTEMDRIVE)]
SYSTEMROOT=%[environment(SYSTEMROOT)]

- Restart ioFTPD if you had to change your ioftpd.env.

- (Optional) Install ioFTPD as a service (see here). You should not use the "Log on as This account" option in the service options.

- Disable all SSL functions (simply commenting the Certificate_Name lines would do).

- Place the makecert.exe & certmgr.exe in a directory that you can access from your FTP. Both executables can be downloaded directly from Microsoft (choose the x86 link).

- Create a .bat file in the same directory, which would contain:
makecert.exe -r -n "CN=YOUR_CERT_NAME_HERE" -b 01/01/2004 -e 01/01/2006 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sk YOUR_CERT_NAME_HERE -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

- Login your FTP and execute your .bat file through a SITE EXEC command:
SITE EXEC your.bat

This will create AND install the certificate. It will be automatically added to the certificate store. You won't get any .cer file.

- Re-enable SSL in ioFTPD.ini (use YOUR_CERT_NAME_HERE in your configuration) and restart ioFTPD.exe.
Old 04-29-2008, 06:57 PM   #2
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194

LocalService (the default account for system services) is a very highly privileged account on the local machine only, but it's kind of weird in a number of ways and doesn't store its certificates where all the other user accounts are stored. This is probably because at the time they might be accessed critical system services haven't been started yet.

From the Changelog (where you should look first, since v6 has a lot of changes that aren't included in the KB !!!): "I know of no way to do anything related to the LocalSystem account using the default store using any GUI tool. Thus if you have installed ioFTPD as a service and are running it under the default LocalSystem account, site makecert/removecert are your friends. For security purposes you probably should be using a limited rights account anyway though...

"To view installed certificates for regular users you can use the certificate snap-in for the Microsoft Management Console as this should be available on W2k+. (start->run, "MMC", File->Add/Remove Snap-In, Add, Certificates, Add, My user account, Finish, Close, OK. As a shortcut you can try from start->run prompt "certmgr.msc" which will allow you to manage the certs for the current user only with fewer steps."

So you can see I now include the "site makecert, site removecert" builtin commands, but as you point out that won't work with real certs. I suppose I should add a "site installcert".

Here are two possible solutions off the top of my head. If you execute "site makecert" it just calls makecert.exe in the ioftpd\system directory to generate and install the cert since MS won't release the code to do that because they want to be annoying. Replace makecert.exe with something that installs your cert and just ignores the command line args. You can probably write a .bat file and use a .bat to .exe compiler I saw somewhere to do that trivially.

The other solution, and the preferred one, is to just run your service using "logon as" to run as a real user, and then you can just install the cert into the user's store using MMC, CertMgr, etc. For a commercial installation I strongly suggest using a limited rights account where you have configured ioFTPD to be a non-admin user with access to only a few directories. In fact, I removed the ioFTPD account from the Users group so by default it didn't have access to most of the disk. Thus not only are you securing the box, but you're solving the SSL cert store issue at the same time!

Oh, and do set the Certificate_Name field in the config file just to be sure, but since you are likely using a HOST= line with a name in it, this may not be required.

So, ignore the KB entry in this case.
Old 05-05-2008, 10:36 AM   #3
Smirnoff
Junior Member
 
Join Date: Mar 2004
Posts: 10

Hello,

I've been trying to set up what you call "The other solution, and the preferred one".
I defined a user 'FTPService' and run the ioFTPD service with it (I went back to that user and re-used the local system account in all the try-and-tests I've done) but no luck so far.

Once the use of the certificate is enforced, the service starts, but when connecting to the site I have the infamous error message:

(17:31:31) [2] Connecting to 84.*.*.*:21
(17:31:32) [2] 220 FTPS Server ready.
(17:31:32) [2] AUTH SSL
(17:31:32) [2] 504 AUTH SSL unsupported.
(17:31:32) [2] Retrying after 180 seconds for **********

Maybe I missed a point in the way I should install the certificate when running the service with a user account ??!?!?

Regards
Smirnoff

PS: Great idea about removing the dedicated user from the 'Users' group. I'll give it a go !!
PS2: Thanks a lot for your extensive answer and the time you spent on it !!!
Old 07-23-2008, 01:04 PM   #4
BigBoxer
Junior Member
 
Join Date: May 2007
Posts: 16

I have the same error on a Windows Vista Home Premium PC.

When I give a site makecert it creates a certificate with the same certificate name as the one specified in the config; as soon as I reboot it tells me an error.
This is when I created the cert:
07-21-2008 10:24:46 SSL: "Successfully generated new cert: ftptest" "User=ioFTPD".
07-21-2008 10:24:46 SSL: "Found certificate" "name=ftptest" "Service=FTP_Service" "(Certificate_name)"

This is the day after the reboot:
07-22-2008 19:14:37 Unable to generate outbound credentials. (cert=ftptest)
07-22-2008 19:14:37 SSL: "Unable to locate certificate" "name=ftptest" "Service=FTP_Service" "(Certificate_name)"

Don't know what to do.
Old 07-23-2008, 02:21 PM   #5
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194

Reboot to make sure this is reproducible. If it is, are you running it as a service? Vista may require a different dependency list for the service in some sort of race condition on startup. I've not seen that problem, but it's the first thing I'd look into if it's a service...

Search through the Changelog to find the section where I explain how to use MMC to view the certificates on the computer, and delete the old cert, reboot, and make a new one and see what happens... In theory you can use "site removecert name" as well to delete the old cert as well. MS cert management sucks bigtime and I've seen all sorts of weird problems.
Old 07-23-2008, 09:16 PM   #6
BigBoxer
Junior Member
 
Join Date: May 2007
Posts: 16

Yes, it's a service.
I tried to run the service with my own account name credentials.
Also used MMC to install the certificate in my user cert store and then tried to put it in the ioftpd service cert store and then also the local computer cert store, with no results, either in Personal certificates or Trusted Root CA blah blah blah.

Gonna try some reboots.
Old 07-23-2008, 09:48 PM   #7
BigBoxer
Junior Member
 
Join Date: May 2007
Posts: 16

Mmm, found some other information.

I reinstalled ioftpd clean and it is OK. Then I go for a site makecert and it creates the cert.
When I restart the service this is the log:

07-23-2008 22:36:03 SSL: "Successfully generated new cert: ioFTPD" "User=ioFTPD".
07-23-2008 22:36:03 SSL: "Found default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:36:49 LOGOUT: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "*@127.0.0.1"
07-23-2008 22:36:49 STOP: "PID=5976"
07-23-2008 22:36:49 SSL: "Found default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:36:49 START: "PID=4776" "CmdLine="
07-23-2008 22:37:08 LOGIN: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "lorelay@127.0.0.1"
07-23-2008 22:37:11 LOGOUT: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "lorelay@127.0.0.1"
07-23-2008 22:38:04 STOP: "PID=4776"
07-23-2008 22:39:30 SSL: "Found default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:39:30 START: "PID=936" "CmdLine="
07-23-2008 22:42:18 LOGIN: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "*@127.0.0.1"
07-23-2008 22:42:28 LOGOUT: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "*@127.0.0.1"
07-23-2008 22:42:34 STOP: "PID=936"

As soon as I remove the ; from
# limit encryption to a particular type: SSL2, SSL3, TLS
# leave this undefined to support any of them
Encryption_Protocol = SSL3

and I restart I get

in Error.log
07-23-2008 22:42:35 Unable to generate outbound credentials. (cert=ioFTPD)

in ioftpd.log
07-23-2008 22:42:35 SSL: "Unable to locate default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:42:35 START: "PID=2888" "CmdLine="
Old 07-24-2008, 03:20 PM   #8
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194

Glad you located the problem. I'm not sure why it's generating an error. The funny thing is it looks like it was able to create the inbound credentials first without an error but only had trouble with the outbound. Seems pretty odd to me...

On the other hand. TLS is the official standardization of SSL3 with a few tweaks added. There probably isn't a good reason to limit the protocol to just SSL3...
Old 07-25-2008, 09:42 AM   #9
BigBoxer
Junior Member
 
Join Date: May 2007
Posts: 16

You are right.
For some reason I was thinking that I had to remove the ; from that line to make SSL work, but then I realized that was not the case, and really I don't care: it's working perfectly with that line commented out.
Old 10-30-2009, 04:29 PM   #10
apachei
Junior Member
 
Join Date: Oct 2009
Posts: 2

Just installed it on a Win7 x64, and for the certificate to work I had to do a site makecert after having started ioFTPD as a service. Perhaps the cert made by site makecert is somehow connected to the user account that ioftpd is running as?
Old 10-30-2009, 05:18 PM   #11
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194

apachei: That's correct. Certificates are tied to the user who installed them. Services, by default, run under a special account, though you can check a tab to make it run as a user, which is useful for mounting network shares. So you'll need to install a cert for each account that runs the daemon.
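The point Yil makes in posts #2 and #11 (a certificate lives in the Personal store of the account that installed it, so the account the service logs on as must have its own copy) can be checked directly. The following PowerShell script is an added example for this thread; it is not code from the thread, from the KB entry, or from the ioFTPD project. It assumes the service is registered under the placeholder name 'ioFTPD', that the Certificate_Name value in the ioFTPD configuration equals the certificate subject CN, and that it is run in the same account the service logs on as (Get-CimInstance needs PowerShell 3 or later).

```powershell
# Added example (not from the thread or the ioFTPD project): find the certificate an
# FTPS service would use, in the store of the account that actually runs the service,
# and check it is usable for server authentication.
# Assumptions: the Windows service name is 'ioFTPD' (placeholder) and the certificate
# subject CN matches Certificate_Name. Run it as the service logon account, because
# the CurrentUser store is per-account, which is the whole point of the thread.

param(
    [Parameter(Mandatory = $true)][string]$CertName,   # CN used as Certificate_Name
    [string]$ServiceName = 'ioFTPD'                      # assumed service name
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication OID (same OID the KB's makecert line uses)

# 1. Which account does the service log on as? The certificate must be in that account's store.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    "Service '$ServiceName' logs on as: $($svc.StartName) (this script runs as $env:USERDOMAIN\$env:USERNAME)"
} else {
    "Service '$ServiceName' not found; checking stores for the current user only."
}

# 2. Look for the certificate in the per-user Personal store and in the machine store.
$pattern = 'CN=' + [regex]::Escape($CertName) + '(,|$)'
$found = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem $store | Where-Object { $_.Subject -match $pattern } |
        Select-Object @{n='Store'; e={ $_.PSParentPath -replace '^.*::', '' }},
            Subject, Thumbprint, NotAfter, HasPrivateKey,
            @{n='ServerAuth'; e={
                $eku = $_.Extensions | Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
                # No EKU extension means "any purpose"; otherwise Server Authentication must be listed.
                if (-not $eku) { $true } else { [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $ServerAuthEku) }
            }}
}

if (-not $found) {
    "No certificate with CN=$CertName in CurrentUser\My or LocalMachine\My for $env:USERNAME."
    "If the service logs on as a different account, re-run this script under that account."
    return
}

$found | Format-Table -AutoSize

# 3. Flag the conditions that leave the server unable to build TLS credentials at start-up.
foreach ($c in $found) {
    if (-not $c.HasPrivateKey)      { "WARNING: $($c.Thumbprint) has no private key; the server cannot use it for TLS." }
    if (-not $c.ServerAuth)         { "WARNING: $($c.Thumbprint) lacks the Server Authentication EKU." }
    if ($c.NotAfter -lt (Get-Date)) { "WARNING: $($c.Thumbprint) expired on $($c.NotAfter)." }
}
```

Usage: `.\Check-FtpsCert.ps1 -CertName ftptest` (script file name is arbitrary). If the service logs on as LocalSystem or LocalService rather than a named account, the CurrentUser store this script inspects is that built-in account's own store, not yours, so the script has to run in that account's context; for a named service account, which is the configuration Yil recommends, simply log on as that account and run it.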
Old 11-04-2009, 03:37 PM   #12
apachei
Junior Member
 
Join Date: Oct 2009
Posts: 2

Yil: Excellent. Thanks for the explanation. Had me worried a bit when I didn't get it to work.
Tags
certificate, ftp, ftps, ioftpd, service