
ioftpd as a service - how to configure an official certificate


Smirnoff
04-29-2008, 10:03 AM
Hello,

I'm running ioftpd 6.4.3.
I have an official company certificate and need to implement ioftpd as a service (as we need an FTPS-only site for some customers).
From the KB (http://www.flashfxp.com/pages/en.ioftpd-kb.php) I can see how to create and install a certificate in this case, but I would need to use the official one (from DigiCert, if that matters).

Thanks for your help
Smirnoff

And for the lazy among us:

Q: How can I install an SSL certificate from ioFTPD running as a service?
A: This will allow you to use SSL with an ioFTPD server installed as a service running as LOCAL SERVICE account.

First, make sure you have those two variables in your etc\ioftpd.env:

SYSTEMDRIVE=%[environment(SYSTEMDRIVE)]
SYSTEMROOT=%[environment(SYSTEMROOT)]

- Restart ioFTPD if you had to change your ioftpd.env.

- (Optional) Install ioFTPD as a service (see here). You should not use the "Log on as This account" option in the service options.

- Disable all SSL functions (simply commenting the Certificate_Name lines would do).

- Place the makecert.exe & certmgr.exe in a directory that you can access from your FTP. Both executables can be downloaded directly from Microsoft (choose the x86 link).

- Create a .bat file in the same directory, which would contain:
makecert.exe -r -n "CN=YOUR_CERT_NAME_HERE" -b 01/01/2004 -e 01/01/2006 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sk YOUR_CERT_NAME_HERE -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

- Login your FTP and execute your .bat file through a SITE EXEC command:
SITE EXEC your.bat

This will create AND install the certificate. It will be automatically added to the certificate store. You won't get any .cer file.

- Re-enable SSL in ioFTPD.ini (use YOUR_CERT_NAME_HERE in your configuration) and restart ioFTPD.exe.

Yil
04-29-2008, 06:57 PM
LocalService (the default account for system services) is a very highly privileged account on the local machine only, but it's kind of weird in a number of ways and doesn't store its certificates where all the other user accounts' are stored. This is probably because at the time they might be accessed, critical system services haven't been started yet.

From the Changelog (where you should look first since v6 has a lot of changes that aren't included in the KB!!!): "I know of no way to do anything related to the LocalSystem account using the default store using any GUI tool. Thus if you have installed ioFTPD as a service and are running it under the default LocalSystem account, site makecert/removecert are your friends. For security purposes you probably should be using a limited rights account anyway though...

"To view installed certificates for regular users you can use the certificate snap-in for the Microsoft Management Console as this should be available on W2k+. (start->run, "MMC", File->Add/Remove Snap-In, Add, Certificates, Add, My user account, Finish, Close, OK. As a shortcut you can try from start->run prompt "certmgr.msc" which will allow you to manage the certs for the current user only with fewer steps."

So you can see I now include the "site makecert, site removecert" builtin commands, but as you point out that won't work with real certs. I suppose I should add a "site installcert" :)

Here are two possible solutions off the top of my head. If you execute "site makecert" it just calls makecert.exe in the ioftpd\system directory to generate and install the cert since MS won't release the code to do that because they want to be annoying. Replace makecert.exe with something that installs your cert and just ignores the command line args. You can probably write a .bat file and use a .bat to .exe compiler I saw somewhere to do that trivially.

The other solution, and the preferred one, is to just run your service using "Log on as" to run as a real user, and then you can just install the cert into the user's store using MMC, CertMgr, etc. For a commercial installation I strongly suggest using a limited rights account where you have configured ioFTPD to be a non-admin user with access to only a few directories. In fact, I removed the ioFTPD account from the Users group so by default it didn't have access to most of the disk :) Thus not only are you securing the box, but you're solving the SSL cert store issue at the same time!

Oh, and do set the Certificate_Name field in the config file just to be sure, but since you are likely using a HOST= line with a name in it, this may not be required.

So, ignore the KB entry in this case :)

Smirnoff
05-05-2008, 10:36 AM
Hello,

I've been trying to set up what you call "The other solution, and the preferred one".
I defined a user 'FTPService' and run the ioFTPD service with it (I went back to that user and reused the local system account in all the try-and-tests I've done), but no luck so far.

Once the use of the certificate is enforced, the service starts, but when connecting to the site I have the infamous error message:

(17:31:31) [2] Connecting to 84.*.*.*:21
(17:31:32) [2] 220 FTPS Server ready.
(17:31:32) [2] AUTH SSL
(17:31:32) [2] 504 AUTH SSL unsupported.
(17:31:32) [2] Retrying after 180 seconds for **********

Maybe I missed a point in the way I should install the certificate when running the service with a user account??!?!?

Regards
Smirnoff

PS: Great idea about removing the dedicated user from the 'Users' group. I'll give it a go!!
PS2: Thanks a lot for your extensive answer and the time you spent on it!!!

BigBoxer
07-23-2008, 01:04 PM
I have the same error on a Windows Vista Home Premium PC.

When I issue a site makecert it creates a certificate with the same certificate name as the one specified in the config, but as soon as I reboot it tells me an error.
This is when I created the cert:
07-21-2008 10:24:46 SSL: "Successfully generated new cert: ftptest" "User=ioFTPD".
07-21-2008 10:24:46 SSL: "Found certificate" "name=ftptest" "Service=FTP_Service" "(Certificate_name)"

This is the day after the reboot:
07-22-2008 19:14:37 Unable to generate outbound credentials. (cert=ftptest)
07-22-2008 19:14:37 SSL: "Unable to locate certificate" "name=ftptest" "Service=FTP_Service" "(Certificate_name)"

Don't know what to do.

Yil
07-23-2008, 02:21 PM
Reboot to make sure this is reproducible. If it is, are you running it as a service? Vista may require a different dependency list for the service in some sort of race condition on startup. I've not seen that problem, but it's the first thing I'd look into if it's a service...

Search through the Changelog to find the section where I explain how to use MMC to view the certificates on the computer, and delete the old cert, reboot, and make a new one and see what happens... In theory you can use "site removecert name" to delete the old cert as well. MS cert management sucks bigtime and I've seen all sorts of weird problems.

BigBoxer
07-23-2008, 09:16 PM
Yes it's a service.
I tried to run the service with my own account name credentials.
Also used MMC to install the certificate in my user cert store and then tried to put it in the ioftpd service cert store and then also the local computer cert store, with no results, either in the Personal certificate store or Trusted CA Root blah blah blah.

Gonna try some reboots.

BigBoxer
07-23-2008, 09:48 PM
Mmm, found some other information.

I reinstalled ioftpd clean and it is OK. Then I do a site makecert and it creates the cert.
When I restart the service this is the log:

07-23-2008 22:36:03 SSL: "Successfully generated new cert: ioFTPD" "User=ioFTPD".
07-23-2008 22:36:03 SSL: "Found default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:36:49 LOGOUT: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "*@127.0.0.1"
07-23-2008 22:36:49 STOP: "PID=5976"
07-23-2008 22:36:49 SSL: "Found default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:36:49 START: "PID=4776" "CmdLine="
07-23-2008 22:37:08 LOGIN: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "lorelay@127.0.0.1"
07-23-2008 22:37:11 LOGOUT: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "lorelay@127.0.0.1"
07-23-2008 22:38:04 STOP: "PID=4776"
07-23-2008 22:39:30 SSL: "Found default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:39:30 START: "PID=936" "CmdLine="
07-23-2008 22:42:18 LOGIN: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "*@127.0.0.1"
07-23-2008 22:42:28 LOGOUT: "FTP_Service" "ioFTPD" "ioftpd" "Master Account" "*@127.0.0.1"
07-23-2008 22:42:34 STOP: "PID=936"

As soon as I remove the ; from
# limit encryption to a particular type: SSL2, SSL3, TLS
# leave this undefined to support any of them
Encryption_Protocol = SSL3

and I restart I get

in Error.log
07-23-2008 22:42:35 Unable to generate outbound credentials. (cert=ioFTPD)

in ioftpd.log
07-23-2008 22:42:35 SSL: "Unable to locate default certificate" "name=ioFTPD" "Service=FTP_Service"
07-23-2008 22:42:35 START: "PID=2888" "CmdLine="

Yil
07-24-2008, 03:20 PM
Glad you located the problem. I'm not sure why it's generating an error. The funny thing is it looks like it was able to create the inbound credentials first without an error but only had trouble with the outbound. Seems pretty odd to me...

On the other hand. TLS is the official standardization of SSL3 with a few tweaks added. There probably isn't a good reason to limit the protocol to just SSL3...

BigBoxer
07-25-2008, 09:42 AM
You are right.
For some reason I was thinking that I had to remove the ; from that line to make SSL work, but then I realized that was not the case, and really I don't care :) It's working perfectly with that line commented out.

apachei
10-30-2009, 04:29 PM
Just installed it on a Win7 x64, and for the certificate to work I had to do a site makecert after having started ioFTPD as a service. Perhaps the cert made by site makecert is somehow connected to the user account that ioftpd is running as?

Yil
10-30-2009, 05:18 PM
apachei: That's correct. Certificates are tied to the user who installed them. Services, by default, run under a special account, though you can check a tab to make it run as a user, which is useful for mounting network shares. So you'll need to install a cert for each account that runs the daemon.
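Every failure in this thread ("504 AUTH SSL unsupported", "Unable to locate certificate", the cert that vanishes after a reboot) comes down to the point Yil makes in his first post and again here: the certificate lives in the per-account store of whoever installed it, and the service only sees the store of the account it logs on as. The PowerShell below is an added check I wrote for that situation; it is not ioFTPD's code nor the KB's. It reports which account the service logs on as, then searches the Personal store of the current user and of the machine for a certificate whose CN matches the configured Certificate_Name, and flags the three things that make SChannel reject a cert even when it is found: no private key, expired, or no Server Authentication EKU (the same OID, 1.3.6.1.5.5.7.3.1, that the KB's makecert line sets). The service name 'ioFTPD' and the CN 'YOUR_CERT_NAME_HERE' are assumed placeholders to replace with your own values.

```powershell
# Added example, not ioFTPD or KB code. Assumed placeholders: the service
# name 'ioFTPD' and the certificate CN 'YOUR_CERT_NAME_HERE'; set both to
# match your installation and the Certificate_Name in ioFTPD.ini.
function Find-ServiceCert {
    param(
        [string]$ServiceName = 'ioFTPD',
        [string]$CertName    = 'YOUR_CERT_NAME_HERE'
    )

    # 1. Which account does the service log on as? A certificate installed
    #    into a different account's store is invisible to it.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if ($null -eq $svc) {
        Write-Warning "Service '$ServiceName' not found; check the name in services.msc"
    } else {
        Write-Output ("Service '{0}' logs on as: {1}" -f $svc.Name, $svc.StartName)
    }

    # 2. Search the two stores this session can see. Cert:\CurrentUser is the
    #    store of whoever runs this script, so run it as the service account.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU the KB's makecert line sets
    foreach ($store in @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')) {
        $found = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($CertName))(,|$)" }
        if (-not $found) {
            Write-Output ("{0}: no certificate with CN={1}" -f $store, $CertName)
            continue
        }
        foreach ($cert in $found) {
            # Pull the Enhanced Key Usage extension (if any) and look for serverAuth.
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $hasServerAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $serverAuthOid })

            # Reasons SChannel would refuse to build server credentials from this cert.
            $problems = @()
            if (-not $cert.HasPrivateKey)     { $problems += 'no private key in this store' }
            if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired $($cert.NotAfter.ToShortDateString())" }
            if (-not $hasServerAuth)          { $problems += 'missing Server Authentication EKU' }

            $status = if ($problems) { 'PROBLEM: ' + ($problems -join '; ') } else { 'usable' }
            Write-Output ("{0}: {1} thumbprint={2} issuer={3} -> {4}" -f
                $store, $cert.Subject, $cert.Thumbprint, $cert.Issuer, $status)
        }
    }
}

Find-ServiceCert
```

Run it in a session logged on as the service's account (for a "Log on as" user such as the FTPService account above, `runas /user:FTPService powershell.exe` is enough); for LocalSystem or LocalService there is no interactive logon to open, which is exactly why Yil has the daemon itself run makecert via site makecert. Two caveats worth knowing: the KB's makecert line creates a cert valid only from 01/01/2004 to 01/01/2006, so a cert made with it verbatim shows up here as expired, and a cert imported without its private key (a .cer rather than a .pfx) is found by name but still cannot be used for AUTH SSL.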

apachei
11-04-2009, 03:37 PM
Yil: Excellent. Thanks for the explanation. Had me worried a bit when I didn't get it to work.