
Integrate with Let's Encrypt

When generating SSL certs the user could have the option of clicking a create cert button which launches a script to run Let's Encrypt (open source free CA). 


https://letsencrypt.org/howitworks/






2 people like this idea

I proxy all HTTPS requests to CrushFTP via nginx. Nginx listens on the usual port 443 for HTTPS and directs all requests to the virtual host sub-domain, downloads.mydomain.something, to CrushFTP listening on 127.0.0.0 port 10443. The Let's Encrypt SSL certificate is installed in the usual manner for nginx.
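
The reverse-proxy arrangement described in the post above, sketched as an nginx virtual host. This is an added example, not the poster's own configuration: the webroot path, the certbot-style certificate paths, the loopback address 127.0.0.1 and CrushFTP speaking HTTPS on port 10443 are all assumptions.

```nginx
# Added example: hypothetical vhost, not the poster's actual configuration.
# Port 80: answer ACME HTTP-01 challenges from a webroot, redirect the rest.
server {
    listen 80;
    server_name downloads.mydomain.something;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;            # assumed webroot given to the ACME client
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS with the Let's Encrypt certificate and hand the
# request to CrushFTP on loopback, so CrushFTP is never exposed directly.
server {
    listen 443 ssl;
    server_name downloads.mydomain.something;

    # Assumed certbot-style paths; adjust to where your ACME client writes.
    ssl_certificate     /etc/letsencrypt/live/downloads.mydomain.something/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/downloads.mydomain.something/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    client_max_body_size 0;                   # do not cap upload size at the proxy

    location / {
        # Assumes CrushFTP serves HTTPS on 127.0.0.1:10443; use http:// if the
        # backend port is plain HTTP.
        proxy_pass https://127.0.0.1:10443;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_request_buffering off;          # stream large uploads to the backend
        proxy_read_timeout 300s;
    }
}
```

Because the challenge directory is served on port 80 by nginx itself, certificate renewal can run unattended without touching CrushFTP; nginx only needs a reload after each renewal to pick up the new files.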

That is a great workaround and I will probably do something similar.


I was just thinking how nice it would be if CrushFTP could carry out the SSL cert process for me.

A workaround implies that I'm giving something up. I think this is a superior solution to having CrushFTP listening directly on an external interface. To have CrushFTP listen for HTTPS requests, I either have to have it bind to port 443, which means that nothing else, like a web server, can bind to that port, or CrushFTP has to listen on a non-standard port. I don't like either option. The first option means that I'll have to dedicate a server just for ftp, which is a waste of resources. The second option leads to user confusion. Non-technical users don't do well with entering port numbers after the hostname. By proxying HTTPS requests via nginx, I have a clean implementation.


I don't see how CrushFTP "carrying out the SSL cert process" for you offers any advantage. SSL certificate creation and installation is really orthogonal to CrushFTP installation and configuration.

Hi Clifford,

I, like many, am in the situation where I need a dedicated File server. Having CrushFTP listen on HTTPS is the desired scenario in my case.

Let's Encrypt offers free CA SSL certs (Crush automatically generates a self-signed cert). The downside is that the Let's Encrypt certs have a 1 year lifetime and require renewal. If I need to renew the cert I need to do it manually or switch to a solution similar to the one you did. If the cert is sitting in a web accessible location, it can auto-renew.

All I was suggesting with this feature request is that the web server being used by Crush (I haven't taken the time to look into which server they are using) allow for auto-renewals or have the ability from the admin to run the renewal script and allow Let's Encrypt access to the appropriate directory. It would make things extremely simple.

Just an idea

 

And by the way Clifford, if you want to share the NGINX config you use, that would be great as well.

 

Fully support Paul's request. Let's Encrypt support is a very essential feature.

 


1 person likes this

It looks like it can probably be accomplished using the HTTP GET and POST functionality built into Crush. Unfortunately, I don't know enough about those requests to configure it.
