Posted on Leave a comment

Activate SSL/TLS on the SFTPGO web UI

In this post, I describe how to activate SSL/TLS encryption on the SFTPGO web admin UI with CERTBOT and enable auto-renewal of the certificates using a post-renewal hook shell script.

Certbot is a free tool to enable TLS 1.3 AES 128 SHA 256 HTTPS using Lets encrypt certificates.

In this setup guide, I mostly followed the official Certbot instruction for a snapd installation/other server and some of the instructions from here.

This is a follow-up post to Setting up a SFTPGO SFTP server on a Hetzner Ubuntu 20.10 server.

Install Certbot SSL/TLS encryption on the SFTPGO web UI

Install snap with apt

sudo apt install snapd

Install snap core

sudo snap install core; sudo snap refresh core

Make sure certbot is not already installed with apt

sudo apt remove certbot

Install certbot with snap

sudo snap install --classic certbot

Make a symlink between /snap/bin/certbot and /usr/bin/certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Open port 80 in the firewall

Certbot creates a web server on port 80 when it generates the SSL/TLS certificates so I open port 80 in the firewall. SFTPGO is running on port 8080.

Hetzner firewall

Image of opening port 80 in the hetzner firewall

nftables firewall

To activate HTTP(S) on the nftables firewall I used in this post, you would uncomment these lines:

Allow HTTP(S).  
tcp dport { http, https } accept
udp dport { http, https } accept

Run Certbot

Certbot uses the domain name of your server. You can find it by doing a reverse domain lookup on your server IP address. You also need to give certbot an email address.

Link: mxtoolbox reverse domain lookup

sudo certbot certonly --standalone

Make the post renewal hook shell script and run it

This shell script copies the files to the sftpgo ssl directory, changes the ownership of the certificates to the sftpgo user and reloads sftpgo (sends a SIGHUP) when certbot renews the certificates. SFTPGO will keep on running when it reloads.

Open the script in nano

sudo nano /etc/letsencrypt/renewal-hooks/post/

Copy and paste the script

You need to change the to the name of your server.

Github link for this script.

sudo cp /etc/letsencrypt/live/ /etc/sftpgo/ssl/
sudo cp /etc/letsencrypt/live/ /etc/sftpgo/ssl/
sudo chown -R sftpgo:sftpgo /etc/sftpgo/ssl
sudo systemctl reload sftpgo 
Image of the script pasted in nano

Make the shell script executable

sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/ 

Run the script

cd /etc/letsencrypt/renewal-hooks/post/ 

Enable SSL/TLS https in the SFTPGO configuration file sftpgo.json

Edit the sftpgo.json configuration file with nano

sudo nano /etc/sftpgo/sftpgo.json

Enable_https from false to true

"enable_https": true,

Change certificate_file to /etc/sftpgo/ssl/cert.pem
Change certificate_key_file to /etc/sftpgo/ssl/privkey.pem

"certificate_file": "/etc/sftpgo/ssl/cert.pem",
"certificate_key_file": "/etc/sftpgo/ssl/privkey.pem",
image of the changed json file

Restart SFTPGO

sudo systemctl restart sftpgo
sudo systemctl status sftpgo
image of sftpgo status

Type in your server address in a web browser

The lock icon besides the address will be locked and SSL/TLS encryption is active.

sftpgo web page

lock icon

Testing the certbot auto renewal process (optional)

Check the status of snap.certbot.renew.timer

Cerbot installs a systemd timer called snap.certbot.renew.timer.

It runs twice every day to check if it is time to renew the certificates. (It will run the renewal every 90 days)

sudo systemctl status snap.certbot.renew.timer 

Run a forced renewal of the certificates

To check if everything works, you can run a forced renewal of the certificates. (Max 5 times a week).

sudo certbot renew --force-renewal

Type in your server address in a web browser

Check if it works.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.