我目前在 ProFTPD 中安装 StartSSL 证书时遇到了一些麻烦。
这些是我拥有的文件:
cert.pem - certificate file
cert.key - corresponding key file
sub.class2.server.ca.pem - intermediate certificate
ca.pem - root certificate
在 Apache 中,我有以下运行良好的配置:
SSLCertificateFile cert.pem
SSLCertificateKeyFile cert.key
SSLCertificateChainFile sub.class2.server.ca.pem
SSLCACertificateFile ca.pem
我该如何为给定的证书配置 ProFTPD?无论我尝试什么,我都会收到错误,提示证书链不完整或最后一个证书(根证书)是自签名的。我尝试将 cert.pem 单独放在 TLSRSACertificateFile 中,将链 + 根证书放在 TLSCACertificateFile 中,我尝试将根放在 TLSCACertificateFile 中,将链放在 TLSCertificateChainFile 中,我尝试将根放在 TLSCACertificateFile 中,将证书 + 链放在 TLSRSACertificateFile 中,但都不起作用。
任何帮助,将不胜感激。
答案1
这来自于ProFTPD 在线文档:
<IfModule mod_dso.c>
# If mod_tls was built as a shared/DSO module, load it
LoadModule mod_tls.c
</IfModule>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
# Support both SSLv3 and TLSv1
TLSProtocol SSLv3 TLSv1
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
# Server's certificate
TLSRSACertificateFile /etc/ftpd/server.cert.pem
TLSRSACertificateKeyFile /etc/ftpd/server.key.pem
# CA the server trusts
TLSCACertificateFile /etc/ftpd/root.cert.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate none
</IfModule>
检查与 TLS/SSL 相关的所有可能指令这里。