How To Configure Vsftpd With SSL/TLS On CentOS 7

A few weeks ago, we showed you how to install and configure a basic FTP server on CentOS 7. In this brief tutorial, let us see how to configure Vsftpd with SSL/TLS.

I assume you have already installed and configured the Vsftpd server. If you haven't, please follow the link below to install and configure a basic Vsftpd server.

Configuring Vsftpd With SSL/TLS

After installing vsftpd on the CentOS 7 server, create a directory to store the SSL certificate and key:

mkdir /etc/ssl/private

Then, create the certificate and key files using the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

You'll be asked a series of questions such as Country, State code, Email address, Organization name, etc. Enter the details one by one. Here is my sample output:

 Generating a 1024 bit RSA private key
 ......++++++
 .............++++++
 writing new private key to '/etc/ssl/private/vsftpd.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:IN
 State or Province Name (full name) []:TN
 Locality Name (eg, city) [Default City]:Erode
 Organization Name (eg, company) [Default Company Ltd]:Unixmen
 Organizational Unit Name (eg, section) []:Technical
 Common Name (eg, your name or your server's hostname) []:server1.unixmen.local
 Email Address []:[email protected]

In the Common Name field, enter either the hostname or the IP address of your vsftpd server.

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf:

vi /etc/vsftpd/vsftpd.conf

Add the following lines at the end:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Save and close the file, then restart the vsftpd service:

systemctl restart vsftpd

Check FTP Server

Open Filezilla from your client system. Go to File -> Site Manager.

In the Site Manager window, select New Site.

[Screenshot: Site Manager]

Name your new site, or leave the default name. In my case I named it My local FTP. Enter the FTP server's IP address and select "Require explicit FTP over TLS" from the Encryption drop-down box. In the Logon Type drop-down box, select the Ask for password option and enter your FTP user name. Finally, click the Connect button.

[Screenshot: Site Manager with the new site's settings filled in]

You'll be asked to enter the FTP user's password on the next screen.

[Screenshot: Enter password dialog]

Now, you'll be asked to accept the certificate, which is how you make sure the server can be trusted. The Certificate window shows the values you entered during the certificate generation process. Click OK to accept the certificate and establish the connection.

[Screenshot: Unknown certificate dialog]

That’s it. Now you’ll be able to access your FTP server.

[Screenshot: FileZilla connected to ftpes://sk@192.168.1.150]

Note: if you keep getting the error “The data connection could not be established: EHOSTUNREACH – No route to host” after enabling SSL/TLS, disable iptables and try again.
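The note above points at the usual cause of data-connection failures once TLS is on: the control channel is now encrypted, so a stateful firewall's FTP helper (ip_conntrack_ftp / nf_conntrack_ftp) can no longer read the PASV reply and open the data port on the fly. The defensible fix is to pin vsftpd's passive port range with pasv_min_port and pasv_max_port and open exactly that range plus port 21 in the firewall, rather than switching the firewall off. The POSIX shell script below is an added example, not part of the original tutorial or of vsftpd itself; it audits a vsftpd.conf for the TLS settings added in this tutorial and for a pinned passive range. The port range 40000-40100, the temporary file names and the two sample configurations are constructed for the demo.

```shell
#!/bin/sh
# Audit the SSL/TLS-related settings of a vsftpd.conf.
# Added example, not part of the tutorial; port range and sample files are assumptions.

# Print the effective value of KEY in FILE: the last uncommented "KEY=value" line wins,
# which is how vsftpd itself resolves duplicate keys.
conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }        # skip comment lines
        $1 == key        { val = $2 }    # later occurrences override earlier ones
        END              { print val }
    ' "$1"
}

# Compare KEY in FILE against the expected value; print a verdict, return 1 on mismatch.
check_setting() {
    file=$1; key=$2; want=$3; why=$4
    got=$(conf_get "$file" "$key")
    if [ "$got" = "$want" ]; then
        echo "ok   $key=$got"
        return 0
    fi
    echo "FAIL $key=${got:-<unset>} (want $want): $why"
    return 1
}

# Run every check; the return value is the number of failed checks (0 = file passes).
audit_vsftpd_ssl() {
    f=$1; fails=0
    check_setting "$f" ssl_enable YES "TLS is off; logins and data cross the wire in clear text" || fails=$((fails+1))
    check_setting "$f" force_local_logins_ssl YES "clients may still log in without TLS" || fails=$((fails+1))
    check_setting "$f" force_local_data_ssl YES "transfers and listings may still be sent without TLS" || fails=$((fails+1))
    check_setting "$f" ssl_sslv2 NO "SSLv2 is broken and must stay disabled" || fails=$((fails+1))
    check_setting "$f" ssl_sslv3 NO "SSLv3 is broken (POODLE) and must stay disabled" || fails=$((fails+1))
    cert=$(conf_get "$f" rsa_cert_file)
    if [ -n "$cert" ]; then
        echo "ok   rsa_cert_file=$cert"
    else
        echo "FAIL rsa_cert_file unset: vsftpd has no certificate to present"; fails=$((fails+1))
    fi
    # With TLS on the control channel the kernel FTP conntrack helper cannot read PASV
    # replies, so the passive range must be pinned here and opened explicitly in the firewall.
    pmin=$(conf_get "$f" pasv_min_port); pmax=$(conf_get "$f" pasv_max_port)
    if [ -n "$pmin" ] && [ -n "$pmax" ] && [ "$pmin" -le "$pmax" ]; then
        echo "ok   passive range $pmin-$pmax (open it in the firewall alongside port 21)"
    else
        echo "FAIL pasv_min_port/pasv_max_port unset: a stateful firewall will drop passive data connections"
        fails=$((fails+1))
    fi
    return $fails
}

# Constructed sample: the fragment added in the tutorial, as-is (TLS on, no passive range).
write_tutorial_conf() {
    cat > "$1" <<'EOF'
# constructed sample mirroring the tutorial's fragment
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
EOF
}

# Constructed sample: the same settings plus a pinned passive range (assumed 40000-40100).
write_hardened_conf() {
    write_tutorial_conf "$1"
    printf 'pasv_min_port=40000\npasv_max_port=40100\n' >> "$1"
}

# Demo: audit both samples. The tutorial's fragment fails exactly one check (no passive range).
tmp=$(mktemp -d)
write_tutorial_conf "$tmp/tutorial.conf"
write_hardened_conf "$tmp/hardened.conf"
for c in tutorial hardened; do
    echo "== $c.conf"
    audit_vsftpd_ssl "$tmp/$c.conf" && echo "PASS" || echo "$? check(s) failed"
done
rm -rf "$tmp"
```

Point audit_vsftpd_ssl at /etc/vsftpd/vsftpd.conf to check a live server. With firewalld, the matching rules for the assumed range are `firewall-cmd --permanent --add-service=ftp`, `firewall-cmd --permanent --add-port=40000-40100/tcp` and then `firewall-cmd --reload`; with plain iptables, accept inbound TCP on 21 and on the same range. The script reads only the configuration file and never inspects the certificate, so the 1024-bit key produced by the openssl command earlier in this tutorial (well below current minimums) would pass unnoticed; regenerating it with rsa:2048 or larger is the sensible companion change.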

That’s all for now. Cheers!

  • Malik Mazhar

    Hi, thanks for the tutorial. I did follow it and it works great, but I want to keep my firewalld active as it's a public-facing server … when I disabled firewalld it works, but when enabled, directory listing gets stuck … tried modprobe ip_conntrack_ftp but it doesn't work with SSL .. I have self-generated certs.. help please