Setting up SSL certificates from certificate authority

[mombooks]

I've got sftpgo running on port 80, I'd like to switch over to 443 and HTTPS

I can't use the acme method this way as lets encrypt won't work with nginx running on port 81

I've bought an SSL certificate, but when I set port to 443, enable_https to true and provide the paths to the key generated by openssl with the csr and the the .crt from Sectigo it doesn't work and service sftpgo status returns

Process: 135323 ExecStart=/usr/bin/sftpgo serve (code=exited, status=1/FAILURE)

I tried pasting the contents of the ca bundle below the certificate in the .crt file and restarting sftpgo but I get the same thing.

Sorry to be nooby but could you please let me know where I've gone wrong?

I'm running on Ubuntu 22.04

[drakkan]

Hello,

thanks for supporting the project, much appreciated.

SFTPGo expects PEM encoded certificates and keys. This is the same format used in Apache, NGINX etc..

This Sectigo doc may help.
Using the naming convention in the above doc, you have to provide the path to ssl-bundle.crt as certificate_file and the path to domainname.key as certificate_key_file.

Also note that the built-in acme protocol does not require a web server, this is only one of the possible ways of using it. SFTPGo can also resolve the HTTP-01 acme challenge itself, it will listen on port 80 for as long as it takes to get/renew certificates. Port 80 must not be used by any other process.

[mombooks]

Hi, thanks for helping out!

I'd prefer to go the acme route, so it auto renews, but the instructions specify a web root publicly served by a web server in /var/www
https://github.com/drakkan/sftpgo/blob/main/docs/howto/lets-encrypt-certificate.md

How do I complete this using SFTPGo on port 80? Is it just a matter of using a different web root? I just tried using /usr/share/sftpgo/templates/webclient but no luck

[drakkan]

You don't need a web root. Ensure no other process is running on port 80 (also SFTPGo itself, stop it if you have configured it on port 80).

Configure sftpgo as described in the howto but leave the webroot setting empty and execute the described steps:

sudo -E su - sftpgo -m -s /bin/bash -c 'sftpgo acme run -c /etc/sftpgo'

configure SFTPGo. This should work

[mombooks]

Thanks, that much seems to work and I end up with the new cert files in /var/lib/sftpgo/certs but at that point it's still serving HTTP, so I went to the config file and used the paths to those new cert files, enabled HTTPS and changed port to 443 but I get the same service status error as I started with using the Sectigo files.

"httpd": {
"bindings": [
{
"port": 443,
"address": "",
"enable_web_admin": true,
"enable_web_client": true,
"enable_rest_api": true,
"enabled_login_methods": 0,
"enable_https": true,
"certificate_file": "/var/lib/sftpgo/certs/ftp.domainname.com.crt",
"certificate_key_file": "/var/lib/sftpgo/certs/ftp.domainname.com.key",

[drakkan]

Thanks, that much seems to work and I end up with the new cert files in /var/lib/sftpgo/certs but at that point it's still serving HTTP, so I went to the config file and used the paths to those new cert files, enabled HTTPS and changed port to 443 but I get the same service status error as I started with using the Sectigo files.

"httpd": { "bindings": [ { "port": 443, "address": "", "enable_web_admin": true, "enable_web_client": true, "enable_rest_api": true, "enabled_login_methods": 0, "enable_https": true, "certificate_file": "/var/lib/sftpgo/certs/ftp.domainname.com.crt", "certificate_key_file": "/var/lib/sftpgo/certs/ftp.domainname.com.key",

please post the SFTPGo logs so we can understand the issue

[drakkan]

Thanks, that much seems to work and I end up with the new cert files in /var/lib/sftpgo/certs but at that point it's still serving HTTP, so I went to the config file and used the paths to those new cert files, enabled HTTPS and changed port to 443 but I get the same service status error as I started with using the Sectigo files.
"httpd": { "bindings": [ { "port": 443, "address": "", "enable_web_admin": true, "enable_web_client": true, "enable_rest_api": true, "enabled_login_methods": 0, "enable_https": true, "certificate_file": "/var/lib/sftpgo/certs/ftp.domainname.com.crt", "certificate_key_file": "/var/lib/sftpgo/certs/ftp.domainname.com.key",

please post the SFTPGo logs so we can understand the issue

you can see the logs using the journalctl command. If you want to have a separate log file execute this command

echo "SFTPGO_LOG_FILE_PATH=/srv/sftpgo/logs/sftpgo.log" >> /etc/sftpgo/sftpgo.env

[mombooks]

Thank you, embarrassingly rebooting seems to have fixed the issue, I attempted the config several times before and I'm sure it wasn't a typo so I'm not sure what was going wrong, maybe it had cached a bad certificate somewhere but a restart seems to have fixed it! Thanks for the great software and quick assistance.

[drakkan]

Thank you, embarrassingly rebooting seems to have fixed the issue, I attempted the config several times before and I'm sure it wasn't a typo so I'm not sure what was going wrong, maybe it had cached a bad certificate somewhere but a restart seems to have fixed it! Thanks for the great software and quick assistance.

It's weird, however I'm glad it worked for you. Thanks for supporting the project