
Let's encrypt - how?

Posted: 2021-09-15 18:24
by c2d2
Hi,
I really don't understand how to set it up.
On the same machine I have www (Apache) with win-acme for generating keys (Let's Encrypt) - it has worked well for years.
paths:
c:\wamp64\cert - here are keys
c:\wamp64\win-acme - win-acme app
c:\wamp64\www\abcd - some domain with ssl (no problems with validation)

FTP works on abcd domain.

Please explain to me how I should set up all of this...

Re: Let's encrypt - how?

Posted: 2021-09-15 18:49
by oibaf
If you already have Let's Encrypt® configured and working for a specific domain through other means, you don't really need to care about FileZilla Server's own Let's Encrypt implementation. In the "Security" panel of the "FTP Server", in the configuration dialog, just select that you are providing a certificate yourself, and make it point to the relevant file(s). Mind you, that just like the old server did, key and certs can be all in the same file.

On the other hand, if you want to use FileZilla Server's own implementation of the Let's Encrypt® (ACME) protocol, let it be known that
  • "ACME Directory" is the URL at which Let's Encrypt publishes the endpoints needed for the communication, it's not a filesystem directory. See the RFC, section 7.1.1
  • If you elect to use an "external web server", the "well known path" is the filesystem path to which the external web server will redirect accesses from the Let's Encrypt® server, during the HTTP Challenge it will perform to create the certificate. See the RFC, sections 9.2 and 8.3

Re: Let's encrypt - how?

Posted: 2021-09-15 20:53
by c2d2
Thank you, used pointing to cert folder ;-)
I think, I tried to do it on some RC version, but something didn't work out.

Re: Let's encrypt - how?

Posted: 2021-09-18 11:56
by Stefan1200
Thanks for the hint, I did it wrong the first time. This works (maybe if someone reads this like me):

FileZilla Server settings / Security
Private key file = path from SSLCertificateKeyFile from Apache config
Certificate file = path from SSLCertificateFile from Apache config

After clicking on Apply, certificate details will be shown.

Re: Let's encrypt - how?

Posted: 2021-10-07 07:02
by bernarddt
I'm also new to this, but boy am I excited to see that FileZilla Server is on the first version after so many years! I've been a fan for long.

Anyways, I need help with the "Well known path" value. I basically just need to understand if this is the "root" folder, so will FileZilla create the famous ".well-known" folder in it, or should I create that part as well?

For those playing along, my path is currently set to: C:\inetpub\wwwroot (which is the default IIS path for the "default" website it creates on port 80).

Thank you,
Bernard

Re: Let's encrypt - how?

Posted: 2021-10-07 08:19
by botg
> Anyways, I need help with the "Well known path" value. I basically just need to understand if this is the "root" folder, so will FileZilla create the famous ".well-known" folder in it, or should I create that part as well?

It needs to be the path from which the contents of /.well-known/acme-challenge/ are served. In your example that would be C:\inetpub\wwwroot\.well-known\acme-challenge\

Re: Let's encrypt - how?

Posted: 2021-10-07 08:19
by oibaf
bernarddt wrote:
2021-10-07 07:02
> I'm also new to this, but boy am I excited to see that FileZilla Server is on the first version after so many years! I've been a fan for long.

Happy to know that! :)

> Anyways, I need help with the "Well known path" value. I basically just need to understand if this is the "root" folder, so will FileZilla create the famous ".well-known" folder in it, or should I create that part as well?

The web server MUST respond to a GET request to the path "/.well-known/acme-challenge/", however FileZilla Server cannot know whether some kind of redirection has been put in place, so it won't create that path for you.

Hence, you've got to input the full path to the directory that the web server will access when responding to a GET request to the path "/.well-known/acme-challenge/". If you want, you can have FileZilla Server create the directory you input, if not available already.

> For those playing along, my path is currently set to: C:\inetpub\wwwroot (which is the default IIS path for the "default" website it creates on port 80).

Then in your case it's going to be "C:\inetpub\wwwroot\.well-known\acme-challenge"

Let us know if it works!

Re: Let's encrypt - how?

Posted: 2021-10-07 09:46
by bernarddt
botg wrote:
2021-10-07 08:19
> It needs to be the path from which the contents of /.well-known/acme-challenge/ are served. In your example that would be C:\inetpub\wwwroot\.well-known\acme-challenge\

oibaf wrote:
2021-10-07 08:19
> Then in your case it's going to be "C:\inetpub\wwwroot\.well-known\acme-challenge"

Thank you for both of your responses! I basically ran the "Generate" step with my previous path. And noticed that FileZilla created a challenge file in the root, so I changed this to include ".well-known". Then it still failed, but now I've updated my path to the ones you provided. It still fails.

But I've enabled Debug logging and saw that the server is not providing the response that the challenge requires in the log file.
So I created the token file myself (since FileZilla deletes it after the process fails). And opened the path locally on Chrome.
I noticed that IIS with its default settings doesn't seem to like the path without any extension. I get this response back:

```
HTTP Error 404.17 - Not Found
The requested content appears to be script and will not be served by the static file handler.
```

This is on a Windows 2019 Server, with IIS 10.

I then followed these instructions: https://stackoverflow.com/q/27908898/999024
> Create the directories ".well-known\acme-challenge" if they don't already exist.
> Go to IIS, browse down to this folder using the TreeView on the left.
> Then select "MIME Types" on the right.
> Add an entry for "." and "text/html".

Now the challenge went through.
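
An added example, not part of the original thread and not FileZilla Server code: a preflight check that automates the manual test described above, covering both failure modes from this thread (the "well known path" pointing at the wrong directory, and a web server that refuses extensionless files). The function name `preflight_http01`, the host `example.com` and the directory in the usage block are assumptions to replace with your own values.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path


def preflight_http01(challenge_dir, base_url, timeout=10):
    """Check that a file dropped into challenge_dir is served unchanged at
    <base_url>/.well-known/acme-challenge/<name>.

    Returns (ok, detail). The probe file has no extension, like a real
    HTTP-01 token file, and is always removed afterwards.
    """
    name = secrets.token_urlsafe(32)  # random and extensionless
    expected = ("preflight." + secrets.token_urlsafe(16)).encode("ascii")
    probe = Path(challenge_dir) / name
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + name
    try:
        probe.write_bytes(expected)
    except OSError as exc:
        return False, f"cannot write probe file: {exc}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        # For example a 404 when the configured directory is not the one the
        # web server maps to this URL, or when extensionless files are refused.
        return False, f"HTTP {exc.code} for {url}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"request failed: {exc}"
    finally:
        probe.unlink(missing_ok=True)
    # Surrounding whitespace is ignored, only the content has to match.
    if body.strip() != expected:
        return False, "served content does not match the probe file"
    return True, "probe served correctly"


if __name__ == "__main__":
    # Placeholder values: substitute your own directory and host name.
    ok, detail = preflight_http01(
        r"C:\inetpub\wwwroot\.well-known\acme-challenge", "http://example.com")
    print("OK" if ok else "FAIL", "-", detail)
```

Run it on the web server machine before pressing "Generate"; a failure here means the certificate authority's validation request would fail for the same reason.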

Re: Let's encrypt - how?

Posted: 2021-10-07 09:56
by botg
Funny webserver this IIS.