Using SSL Certificates with VSFTPD
EHCP Force Edition can configure VSFTPD to use a custom SSL certificate for TLS FTP transfers. It is recommended you use a Let's Encrypt certificate. To configure VSFTPD to use a custom SSL certificate, login to the panel as admin. Click on "Options" under "System Operations". Now click on "Advanced Settings". To the left of "VSFTPD Certificate Path", enter the path to your custom .pem certificate. Click on "Submit Query". If your certificate is valid, exists, and has a .pem extension, VSFTPD will now use this certificate for SSL TLS FTP connections and transfers.
Let's Encrypt VSFTPD Integration
To use a Let's Encrypt certificate, first setup your main domain in the panel. Configure the domain to use a Let's Encrypt certificate. Once the domain is using a Let's Encrypt certificate, VSFTPD can re-use this SSL certificate. However, you will need to combine the Let's Encrypt privkey.pem and fullchain.pem files into a new file called vsftpd.pem since VSFTPD expects a certain certificate format.
For example, if your main domain test.com is using a Let's Encrypt certificate, you can generate the certificate by using the below command:
cat /etc/letsencrypt/live/test.com/privkey.pem /etc/letsencrypt/live/test.com/fullchain.pem > /etc/letsencrypt/live/test.com/vsftpd.pem
Now you can set the "VSFTPD Certificate Path" advanced option in EHCP to:
Because Let's Encrypt certificates renew occasionally and change, you will want to create a cronjob that updates the certificate used by VSFTPD and restarts the VSFTPD services. So, let's do that now by running the below command.
sudo crontab -e
Below this line:
45 4 * * * /var/www/new/ehcp/scripts/certbot_renew_certs.sh
Add this line:
15 5 * * * cat /etc/letsencrypt/live/test.com/privkey.pem /etc/letsencrypt/live/test.com/fullchain.pem > /etc/letsencrypt/live/test.com/vsftpd.pem && /usr/sbin/service vsftpd restart
Save and exit.
Configuring Your FTP Client to Use TLS
You'll need to configure your FTP client to use TLS for secure FTP sessions. There are different ways to do this for different clients. I recommend CoreFTP for Windows which is free.
Below is a screenshot which shows you how to configure CoreFTP to use TLS:
Below is a screenshot which shows you how to configure FileZilla to use TLS: