
I'm configuring vsftpd on Debian 7.3 and I'm trying to use SSL. I generate the certificates using this command:

openssl req -x509 -nodes -days 1925 -newkey rsa:2048 -keyout /etc/vsftpd/private/vsftpd2.key -out /etc/vsftpd/certificado/vsfptd3.pem

And my vsftpd.conf is this:

listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=NO
#chown_uploads=YES
#chown_username=whoever
#
chroot_local_user=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp-ssl
rsa_cert_file=/etc/vsftpd/certificado/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/private/vsftpd2.key
anon_root=/srv/ftp/anonimo
chown_upload_mode=757
anon_upload_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
listen_port=990
ssl_ciphers=HIGH
require_ssl_reuse=NO

But every time I try to start vsftpd I get this error message:

500 OOPS: SSL: cannot load RSA private key

I've checked that the permissions are configured correctly; I don't know what to do to fix this. Any help, please?

masegaloeh
user2568422

3 Answers

I had a similar problem today on a NetScaler (BSD-based networking appliance with an older version of openssl than I created the key on), although not with vsftpd, and I can say that mysql also suffers from it.

Your private key is perhaps in a different format than expected. Try the following:

mv /etc/vsftpd/private/vsftpd2.key{,.old}
openssl rsa -in /etc/vsftpd/private/vsftpd2.key.old -out /etc/vsftpd/private/vsftpd2.key
diff /etc/vsftpd/private/vsftpd2.key{.old,}

You may find that the first and last lines are noticeably different (e.g. BEGIN RSA PRIVATE KEY may change to something like BEGIN RSA KEY or similar).

Other similar things to check (for other pieces of software):

  • Do you have native line-endings in your private key file?
  • Do you perhaps need to remove the trailing newline?

Another common fault (quite applicable to you perhaps) is that vsftpd may change user after starting; some software will read the key after this happens (e.g. mysql), while others will read it before (e.g. httpd). strace can be very informative here if you want to really dig into it.

Cameron Kerr

It seems I have found the root of the issue.

I have run strace with your config:

stat("/etc/vsftpd/vsftpd.conf", {st_mode=S_IFREG|0600, st_size=791, ...}) = 0
getuid()                                = 0
getuid()                                = 0
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=3, events=POLLIN}], 1, 10)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\225\f\312\271\276\215\201=\200\237A\337u7\237\201\2001GC\352\371\363\334GT\36/\37\f\33\257"..., 48) = 48
close(3)                                = 0
getuid()                                = 0
open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
fcntl(0, F_GETFL)                       = 0x8402 (flags O_RDWR|O_APPEND|O_LARGEFILE)
fcntl(0, F_SETFL, O_RDWR|O_APPEND|O_NONBLOCK|O_LARGEFILE) = 0
write(0, "500 OOPS: ", 10500 OOPS: )              = 10
write(0, "SSL: cannot load RSA certificate", 32SSL: cannot load RSA certificate) = 32
write(0, "\r\n", 2
)                     = 2
exit_group(1)                           = ?
+++ exited with 1 +++

As you can see, vsftpd can't find the SSL certificate /etc/vsftpd/certificado/vsftpd.pem:

open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)

That's because when the certificate was generated you used a different name:

-out /etc/vsftpd/certificado/vsfptd3.pem

Correct the file name for the certificate (rsa_cert_file) in your vsftpd.conf.

500 OOPS: SSL: cannot load RSA private key

Also check the path and name of your private key.

P.S. You can always debug vsftpd with the strace utility:

# strace /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
ALex_hha
  • Thanks much because you have helped me prove there's a bug in the latest software. My problem, today, isn't the same as yours, but your tip of using strace helped prove that the key file(s) are being read, just not accepted, for who knows what reason... – Richard T Aug 01 '20 at 03:52
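The two answers above point at two different failure classes behind the same "500 OOPS" message: a private key in an unexpected PEM format (Cameron Kerr's answer) and a certificate path that does not exist because of a typo in the file name (ALex_hha's strace). The following is an added example, not code from either answer or from the vsftpd project: a stdlib-only Python preflight that reads `rsa_cert_file` and `rsa_private_key_file` from a vsftpd.conf and reports, before the daemon is restarted, the things a practitioner would otherwise discover one strace run at a time (missing file, CRLF line endings, missing trailing newline, group/world-readable key, passphrase-protected or PKCS#8 key header). It assumes the defaults documented in vsftpd.conf(5) (certificate at /usr/share/ssl/certs/vsftpd.pem, key read from the certificate file when `rsa_private_key_file` is unset); the PEM bodies written by `demo()` are constructed placeholders, not real keys, since only the headers matter to these checks.

```python
"""vsftpd TLS preflight (added example, stdlib only): checks the cert/key files named in
vsftpd.conf for the faults discussed in the answers above."""
import os
import stat
import tempfile

# Recognised private-key PEM headers. Older vsftpd/OpenSSL builds expect PKCS#1
# ("RSA PRIVATE KEY"); newer `openssl req` output is PKCS#8 ("PRIVATE KEY").
KEY_HEADERS = {
    b"-----BEGIN RSA PRIVATE KEY-----": "pkcs1",
    b"-----BEGIN PRIVATE KEY-----": "pkcs8",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----": "pkcs8-encrypted",
}
CERT_HEADER = b"-----BEGIN CERTIFICATE-----"


def parse_vsftpd_conf(text):
    """Return option -> value; a repeated option keeps its last value, as vsftpd does."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def check_pem_file(path, is_key):
    """Return a list of problem strings for one PEM file (empty means it looks fine)."""
    if not os.path.isfile(path):
        # Exactly the ENOENT that strace showed for the mistyped certificate name.
        return [f"{path}: no such file"]
    with open(path, "rb") as f:
        data = f.read()
    problems = []
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    if b"\r\n" in data:
        problems.append(f"{path}: CRLF line endings; convert to LF")
    if not data.endswith(b"\n"):
        problems.append(f"{path}: missing trailing newline")
    if is_key:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            problems.append(f"{path}: mode {mode:o} is group/other readable; use 0600")
        kind = KEY_HEADERS.get(first)
        if kind is None:
            problems.append(f"{path}: unrecognised key header {first!r}")
        elif kind == "pkcs8-encrypted":
            problems.append(f"{path}: key is passphrase protected; vsftpd cannot prompt for it")
        elif kind == "pkcs8":
            problems.append(f"{path}: PKCS#8 key; if loading fails, convert with "
                            "'openssl rsa -in old.key -out new.key' (PKCS#1)")
    elif first != CERT_HEADER:
        problems.append(f"{path}: does not start with {CERT_HEADER.decode()}")
    return problems


def preflight(conf_text):
    """Run the checks for the cert/key an ssl_enable=YES vsftpd.conf would load."""
    opts = parse_vsftpd_conf(conf_text)
    if opts.get("ssl_enable", "NO").upper() != "YES":
        return []
    # Defaults per vsftpd.conf(5): cert path below; key read from the cert file if unset.
    cert = opts.get("rsa_cert_file", "/usr/share/ssl/certs/vsftpd.pem")
    key = opts.get("rsa_private_key_file", cert)
    problems = check_pem_file(cert, is_key=False)
    if key != cert:
        problems += check_pem_file(key, is_key=True)
    return problems


def demo():
    """Rebuild the question's layout with constructed files; return broken and fixed findings."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cert_dir = os.path.join(d, "certificado")
        key_dir = os.path.join(d, "private")
        os.makedirs(cert_dir)
        os.makedirs(key_dir)
        # Constructed placeholder PEM bodies: only the header lines matter to these checks.
        cert_pem = CERT_HEADER + b"\nMIIC...constructed...\n-----END CERTIFICATE-----\n"
        key_pkcs8 = b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
        key_pkcs1 = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"
        key_path = os.path.join(key_dir, "vsftpd2.key")
        # Broken: the cert was written as vsfptd3.pem (typo) but the conf names vsftpd.pem.
        with open(os.path.join(cert_dir, "vsfptd3.pem"), "wb") as f:
            f.write(cert_pem)
        with open(key_path, "wb") as f:
            f.write(key_pkcs8)
        os.chmod(key_path, 0o600)
        conf = (f"ssl_enable=YES\nrsa_cert_file={cert_dir}/vsftpd.pem\n"
                f"rsa_private_key_file={key_path}\n")
        results["broken"] = preflight(conf)
        # Fixed: rename the certificate to match the conf and rewrite the key as PKCS#1.
        os.rename(os.path.join(cert_dir, "vsfptd3.pem"), os.path.join(cert_dir, "vsftpd.pem"))
        with open(key_path, "wb") as f:
            f.write(key_pkcs1)
        os.chmod(key_path, 0o600)
        results["fixed"] = preflight(conf)
    return results
```

Run `preflight(open("/etc/vsftpd/vsftpd.conf").read())` on a real box to get the same findings for the live configuration; `demo()` only shows the two states side by side. The checks deliberately stop at the PEM header and file metadata: a key that passes them can still be rejected by OpenSSL, and at that point strace on the daemon, as ALex_hha shows, is the right next step.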
In my case I changed the command from this:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem

to:

openssl req -x509 -nodes -days 720 -newkey rsa:2048 -keyout /etc/vsftpd.key -out /etc/vsftpd.pem

I got the tip from: https://askubuntu.com/questions/412070/vsftpd-will-not-start-with-ssl-enabled

Then it worked!!!

user581735
  • Unfortunately it didn't work for me but I appreciate the suggestion. I didn't give you an up-vote because I don't want to encourage others to also try what didn't work. Simply leaving this comment here may help others, as we'll try whatever when we have nothing working! – Richard T Aug 01 '20 at 04:22