Let's encrypt - how?

c2d2
504 Command not implemented
Posts: 10
Joined: 2021-07-20 17:37

Let's encrypt - how?

#1 Post by c2d2 » 2021-09-15 18:24

Hi,
I really don't understand how to set this up.
On the same machine I have www (Apache) with win-acme for generating keys (Let's Encrypt) - it has worked well for years.
paths:
c:\wamp64\cert - here are keys
c:\wamp64\win-acme - win-acme app
c:\wamp64\www\abcd - some domain with ssl (no problems with validation)

FTP works on abcd domain.

Please explain to me how I should set all of this up...

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: Let's encrypt - how?

#2 Post by oibaf » 2021-09-15 18:49

If you already have Let's Encrypt® configured and working for a specific domain through other means, you don't really need to care about FileZilla Server's own Let's Encrypt implementation. In the "Security" panel of the "FTP Server", in the configuration dialog, just select that you are providing a certificate yourself, and make it point to the relevant file(s). Mind you, that just like the old server did, key and certs can be all in the same file.

On the other hand, if you want to use FileZilla Server's own implementation of the Let's Encrypt® (ACME) protocol, let it be known that
  • "ACME Directory" is the URL at which Let's Encrypt publishes the endpoints needed for the communication, it's not a filesystem directory. See the RFC, section 7.1.1
  • If you elect to use an "external web server", the "well known path" is the filesystem path to which the external web server will redirect accesses from the Let's Encrypt® server, during the HTTP Challenge it will perform to create the certificate. See the RFC, sections 9.2 and 8.3

c2d2
504 Command not implemented
Posts: 10
Joined: 2021-07-20 17:37

Re: Let's encrypt - how?

#3 Post by c2d2 » 2021-09-15 20:53

Thank you, used pointing to cert folder ;-)
I think, I tried to do it on some RC version, but something didn't work out.

Stefan1200
425 Can't open data connection
Posts: 42
Joined: 2007-09-27 07:27

Re: Let's encrypt - how?

#4 Post by Stefan1200 » 2021-09-18 11:56

Thanks for the hint, I did it wrong the first time. This works (maybe if someone reads this like me):

FileZilla Server settings / Security
Private key file = path from SSLCertificateKeyFile from Apache config
Certificate file = path from SSLCertificateFile from Apache config

After clicking on Apply, certificate details will be shown.

bernarddt
500 Command not understood
Posts: 3
Joined: 2021-10-07 06:58
First name: Bernard
Last name: du Toit

Re: Let's encrypt - how?

#5 Post by bernarddt » 2021-10-07 07:02

I'm also new to this, but boy am I excited to see that FileZilla Server is on the first version after so many years! I've been a fan for long.

Anyways, I need help with the "Well known path" value. I basically just need to understand if this is the "root" folder, so will FileZilla create the famous ".well-known" folder in it, or should I create that part as well?

For those playing along, my path is currently set to: C:\inetpub\wwwroot (which is the default IIS path for the "default" website it creates on port 80).

Thank you,
Bernard

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Let's encrypt - how?

#6 Post by botg » 2021-10-07 08:19

> Anyways, I need help with the "Well known path" value. I basically just need to understand if this is the "root" folder, so will FileZilla create the famous ".well-known" folder in it, or should I create that part as well?

It needs to be the path from which the contents of /.well-known/acme-challenge/ are served. In your example that would be C:\inetpub\wwwroot\.well-known\acme-challenge\

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: Let's encrypt - how?

#7 Post by oibaf » 2021-10-07 08:19

bernarddt wrote: 2021-10-07 07:02
> I'm also new to this, but boy am I excited to see that FileZilla Server is on the first version after so many years! I've been a fan for long.

Happy to know that! :)

> Anyways, I need help with the "Well known path" value. I basically just need to understand if this is the "root" folder, so will FileZilla create the famous ".well-known" folder in it, or should I create that part as well?

The web server MUST respond to a GET request to the path "/.well-known/acme-challenge/", however FileZilla Server cannot know whether some kind of redirection has been put in place, so it won't create that path for you.

Hence, you've got to input the full path to the directory that the web server will access when responding to a GET request to the path "/.well-known/acme-challenge/". If you want, you can have FileZilla Server create the directory you input, if not available already.

> For those playing along, my path is currently set to: C:\inetpub\wwwroot (which is the default IIS path for the "default" website it creates on port 80).

Then in your case it's going to be "C:\inetpub\wwwroot\.well-known\acme-challenge"

Let us know if it works!

bernarddt
500 Command not understood
Posts: 3
Joined: 2021-10-07 06:58
First name: Bernard
Last name: du Toit

Re: Let's encrypt - how?

#8 Post by bernarddt » 2021-10-07 09:46

botg wrote: 2021-10-07 08:19
> It needs to be the path from which the contents of /.well-known/acme-challenge/ are served. In your example that would be C:\inetpub\wwwroot\.well-known\acme-challenge\

oibaf wrote: 2021-10-07 08:19
> Then in your case it's going to be "C:\inetpub\wwwroot\.well-known\acme-challenge"

Thank you for both of your responses! I basically ran the "Generate" step with my previous path. And noticed that FileZilla created a challenge file in the root, so I changed this to include ".well-known". Then it still failed, but now I've updated my path to the ones you provided. It still fails.

But I've enabled Debug logging and saw that the server is not providing the response that the challenge requires in the log file.
So I created the token file myself (since FileZilla deletes it after the process fails). And opened the path locally on Chrome.
I noticed that IIS with its default settings doesn't seem to like the path without any extension. I get this response back:

HTTP Error 404.17 - Not Found
The requested content appears to be script and will not be served by the static file handler.

This is on a Windows 2019 Server, with IIS 10.

I then followed these instructions: https://stackoverflow.com/q/27908898/999024
> Create the directories ".well-known\acme-challenge" if they don't already exist.
> Go to IIS, browse down to this folder using the TreeView on the left.
> Then select "MIME Types" on the right.
> Add an entry for "." and "text/html".

Now the challenge went through.
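
Added example, not part of any post in this thread and not FileZilla Server code: a preflight check for the "well known path" discussed above. It drops an extensionless probe file into the configured directory and fetches it through `/.well-known/acme-challenge/`, which catches both failures reported here (the path set to the web root, and the web server refusing extensionless files). The function name, the probe contents and the host name `ftp.example.com` are assumptions.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_URL_PATH = "/.well-known/acme-challenge/"  # fixed by the ACME HTTP challenge


def preflight(well_known_path, base_url, timeout=5.0):
    """Write an extensionless probe into well_known_path and fetch it over HTTP.

    Returns (ok, detail). The probe file is always removed afterwards.
    """
    token = "preflight-" + secrets.token_urlsafe(16)  # no extension, like a real token
    body = (token + ".constructed-key-authorization").encode("ascii")
    probe = Path(well_known_path) / token
    url = base_url.rstrip("/") + CHALLENGE_URL_PATH + token
    probe.write_bytes(body)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read()
            ctype = resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as exc:
        # e.g. IIS 404.17 for extensionless files, or a directory that is not the served one
        return False, f"HTTP {exc.code} for {url}"
    except OSError as exc:  # DNS failure, refused connection, timeout
        return False, f"cannot reach {url}: {exc}"
    finally:
        probe.unlink(missing_ok=True)
    if served.strip() != body:
        return False, f"unexpected body from {url} ({len(served)} bytes)"
    return True, f"served correctly as {ctype or 'no Content-Type'}"


if __name__ == "__main__":
    # Assumed values: the directory from the thread and a placeholder host name.
    ok, detail = preflight(r"C:\inetpub\wwwroot\.well-known\acme-challenge",
                           "http://ftp.example.com")
    print("OK" if ok else "FAIL", detail)
```

Run it on the web server host before starting certificate generation; the directory must already exist and be writable by the account running the check.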

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Let's encrypt - how?

#9 Post by botg » 2021-10-07 09:56

Funny webserver this IIS.
