Activate SSL/TLS on the SFTPGO web UI

In this post I describe how to enable SSL/TLS encryption on the SFTPGO web admin UI with Certbot and set up automatic renewal of the certificates using a post-renewal hook shell script.

Certbot is a free tool that obtains Let's Encrypt certificates so you can serve HTTPS (in this setup the browser negotiated TLS 1.3 with AES 128 / SHA 256).

In this setup guide I mostly followed the official Certbot instructions (snapd, "other" server) and some of the instructions from here.

This is a follow up post to Setting up a SFTPGO SFTP server on a Hetzner Ubuntu 20.10 server.

Install Certbot SSL/TLS encryption on the SFTPGO web UI

Install snap with apt

sudo apt install snapd

Install snap core

sudo snap install core; sudo snap refresh core

Make sure certbot is not already installed with apt

sudo apt remove certbot

Install certbot with snap

sudo snap install --classic certbot

Make a symlink between /snap/bin/certbot and /usr/bin/certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Open port 80 in the firewall

Certbot in standalone mode starts its own temporary web server on port 80 while it obtains the SSL/TLS certificates, so I open port 80 in the firewall. SFTPGO itself is running on port 8080.

Hetzner firewall

Image of opening port 80 in the hetzner firewall

nftables firewall

In this post I used an nftables firewall. To allow HTTP(S) you would uncomment these lines:

# Allow HTTP(S). Certbot's standalone challenge only uses TCP port 80; the udp line is not needed for it.
tcp dport { http, https } accept
udp dport { http, https } accept

Run Certbot

Certbot uses the domain name of your server. You can find it by doing a reverse domain lookup on your server IP address. You also need to give certbot an email address.

Link: mxtoolbox reverse domain lookup

sudo certbot certonly --standalone

Make the post-renewal hook shell script and run it

This shell script copies the renewed files to the sftpgo ssl directory, changes the ownership of the certificates to the sftpgo user and reloads sftpgo (sends a SIGHUP) every time certbot renews the certificates. SFTPGO keeps running while it reloads.

Open the script in nano

sudo nano /etc/letsencrypt/renewal-hooks/post/sftpgo.sh

Copy and paste the sftpgo.sh script

You need to change the 353.server.com to the name of your server.

GitHub link for this script.

#!/bin/sh
# Post-renewal hook: copy the renewed Let's Encrypt files into the SFTPGo ssl directory and reload SFTPGo.
# Change 353.server.com to the name of your server.
set -e
DOMAIN=353.server.com
sudo cp "/etc/letsencrypt/live/$DOMAIN/cert.pem" /etc/sftpgo/ssl/
sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" /etc/sftpgo/ssl/
sudo chown -R sftpgo:sftpgo /etc/sftpgo/ssl
sudo systemctl reload sftpgo

Image of the script pasted in nano

Make the sftpgo.sh shell script executable

sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/sftpgo.sh

Run the sftpgo.sh script

cd /etc/letsencrypt/renewal-hooks/post/
./sftpgo.sh
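After running the hook (and after every forced renewal later on) it is worth checking that the files SFTPGo reads really are the ones certbot just issued, and that the copied private key is not readable by other users. The script below is an added example, not part of the original post or of SFTPGo; it takes the two directories as parameters (the paths in the comments are the ones used in this post) and the files in demo() are constructed placeholder bytes, not real certificates. One caveat a practitioner would add: most servers, SFTPGo included, should be given fullchain.pem rather than cert.pem so that clients also receive the intermediate certificate; if you switch the hook to fullchain.pem, change FILES to match.

```python
import hashlib
import stat
import sys
from pathlib import Path

# The two files the post-renewal hook copies (use fullchain.pem here if the hook copies that instead).
FILES = ("cert.pem", "privkey.pem")


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_cert_deploy(live_dir, ssl_dir, owner_uid=None) -> list:
    """Return a list of problems; an empty list means the hook's copy is current.

    live_dir  -- certbot's live directory for the domain, e.g. /etc/letsencrypt/live/353.server.com
    ssl_dir   -- the directory SFTPGo reads its certificate from, e.g. /etc/sftpgo/ssl
    owner_uid -- uid the copied files should belong to (the sftpgo user); not checked when None
    """
    live_dir, ssl_dir = Path(live_dir), Path(ssl_dir)
    problems = []
    for name in FILES:
        src, dst = live_dir / name, ssl_dir / name
        if not src.is_file():
            problems.append(f"{src} missing: certbot has not issued a certificate for this domain")
            continue
        if not dst.is_file():
            problems.append(f"{dst} missing: the hook never copied {name}")
            continue
        if _sha256(src) != _sha256(dst):
            problems.append(f"{dst} differs from {src}: the hook did not run after the last renewal")
        if owner_uid is not None and dst.stat().st_uid != owner_uid:
            problems.append(f"{dst} is owned by uid {dst.stat().st_uid}, expected {owner_uid}")
    key = ssl_dir / "privkey.pem"
    if key.is_file() and key.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{key} is accessible to group/others; a private key should be mode 0600")
    return problems


def demo() -> tuple:
    """Build a constructed live/ssl pair in a temporary directory (placeholder
    bytes, not real PEM) and run the check twice: right after a faithful copy,
    and again after the live certificate changed without the hook running."""
    import shutil
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        live, ssl = Path(tmp, "live"), Path(tmp, "ssl")
        live.mkdir()
        ssl.mkdir()
        for name in FILES:
            (live / name).write_bytes(b"constructed placeholder for " + name.encode())
            shutil.copy(live / name, ssl / name)
        (ssl / "privkey.pem").chmod(0o600)
        after_copy = check_cert_deploy(live, ssl)
        # Simulate a renewal that the hook missed: only the live copy changes.
        (live / "cert.pem").write_bytes(b"constructed placeholder for a renewed cert.pem")
        after_renewal = check_cert_deploy(live, ssl)
    return after_copy, after_renewal


if __name__ == "__main__":
    # Real usage: sudo python3 check_cert_deploy.py /etc/letsencrypt/live/353.server.com /etc/sftpgo/ssl
    import pwd
    live, ssl = sys.argv[1], sys.argv[2]
    for p in check_cert_deploy(live, ssl, pwd.getpwnam("sftpgo").pw_uid) or ["certificate deployment is current"]:
        print(p)
```

Run it as root (the live directory is only readable by root) right after the hook and again after the forced renewal further down; a "differs" line means the hook did not run or copied the wrong lineage.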

Enable SSL/TLS https in the SFTPGO configuration file sftpgo.json

Edit the sftpgo.json configuration file with nano

sudo nano /etc/sftpgo/sftpgo.json

Change "enable_https" from false to true

"enable_https": true,

Change certificate_file to /etc/sftpgo/ssl/cert.pem
Change certificate_key_file to /etc/sftpgo/ssl/privkey.pem

"certificate_file": "/etc/sftpgo/ssl/cert.pem",
"certificate_key_file": "/etc/sftpgo/ssl/privkey.pem",

Image of the changed json file

Restart SFTPGO

sudo systemctl restart sftpgo
sudo systemctl status sftpgo

Image of sftpgo status

Type in your server address in a web browser

https://628.yourserveraddress.com:8080

The lock icon beside the address will be locked, and SSL/TLS encryption is active.

sftpgo web page

lock icon

Testing the certbot auto renewal process (optional)

Check the status of snap.certbot.renew.timer

Certbot installs a systemd timer called snap.certbot.renew.timer.

It runs twice a day to check whether it is time to renew the certificates. (It will run the renewal every 90 days.)

sudo systemctl status snap.certbot.renew.timer

Run a forced renewal of the certificates

To check that everything works, you can run a forced renewal of the certificates (max 5 times a week).

sudo certbot renew --force-renewal

Type in your server address in a web browser

https://628.yourserver.com:8080

Check if it works.

Setting up a SFTPGO SFTP server on a Hetzner Ubuntu 20.10 server

SFTPGO can run SFTP, FTP and WEBDAV and you can easily configure virtual chrooted users via a web browser.

In this post I set up SFTPGO SFTP on Ubuntu 20.10 on a Hetzner auction server with 14 TB of SFTP storage. This tutorial also works for other Ubuntu 20.10 installations; just skip the part about installing Ubuntu 20.10 on a Hetzner server.

Activate the rescue system on the Hetzner Robot web page and install Ubuntu 20.10

You will now have a root password. After resetting the server with Reset – Send CTRL-ALT-DEL to the server, you can log in and run installimage.

Log in to the server running the rescue system

I use Terminal on Mac or Ubuntu on Windows.

ssh root@1.1.1.1

Run installimage

installimage

Choose to install Ubuntu 20.10. Since it is not an LTS release you can easily add the SFTPGO PPA repository later.

The default settings for this 4 x 6 TB HDD server are RAID level 6, where two hard drives are redundant, with 2 TB for / and almost all of the rest for /home. I changed to RAID level 5, so only one hard drive is redundant, and set 1080G for / and 1080G for /home, with the rest (14 TB) in /srv for sftpgo to use.

Install Ubuntu by exiting the editor with F10 and finishing the installer

Reboot the server

reboot

Log in to the server running ubuntu 20.10

ssh root@1.1.1.1

Check storage with df -h

df -h

Add a sudoer user

It is recommended to use a normal user that is part of the sudo group instead of using root.

sudo adduser newuser
sudo usermod -aG sudo newuser

Log in with the new sudo user

When you need to do something as root use sudo. Or su.

ssh newuser@1.1.1.1

Update Ubuntu

sudo apt update
sudo apt upgrade

Disable root ssh login and change ssh port (optional)

For security reasons it is common to change the default ssh port and disable root ssh login. If you leave the default port open you can install a brute force blocker like sshguard.

sudo apt install nano
sudo nano /etc/ssh/sshd_config

Edit the PermitRootLogin line to disable root login.

Change the port to 2222

Restart the sshd service

sudo systemctl restart sshd.service

Log in with the new port number

ssh newuser@1.1.1.1 -p 2222
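Two details of sshd_config bite people doing this edit by hand: sshd uses the first occurrence of a keyword (so a stray active PermitRootLogin further down or in an included drop-in wins over the one you edit), and lines after a Match block only apply to matching connections. The script below is an added example, not part of the original post: it rewrites a copy of the config so that exactly one active "PermitRootLogin no" and one active "Port <port>" sit in the global section, and reports the values sshd will actually use. SAMPLE_CONFIG is a constructed excerpt shaped like Ubuntu's default file; the real file is /etc/ssh/sshd_config.

```python
import re

# Directives we manage, matched whether the line is active or commented out.
PRL_RE = re.compile(r"^\s*#?\s*PermitRootLogin\s+\S+", re.IGNORECASE)
PORT_RE = re.compile(r"^\s*#?\s*Port\s+\d+\s*$", re.IGNORECASE)
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)
# An active (uncommented) "Keyword value" line.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\S.*?)\s*$")

# Constructed excerpt in the shape of Ubuntu's default /etc/ssh/sshd_config.
SAMPLE_CONFIG = """\
# constructed excerpt of /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""


def harden_sshd_config(text: str, port: int = 2222) -> str:
    """Return the config with one active 'PermitRootLogin no' and one active
    'Port <port>' in the global section.

    sshd honours the first occurrence of a keyword, so every earlier
    PermitRootLogin/Port line (active or commented) is replaced rather than a
    new line appended, and both are placed before the first Match block."""
    out = []
    seen_prl = seen_port = in_match = False
    for line in text.splitlines():
        if in_match:
            out.append(line)          # Match-block lines are left alone
            continue
        if MATCH_RE.match(line):
            in_match = True
            if not seen_prl:
                out.append("PermitRootLogin no")
                seen_prl = True
            if not seen_port:
                out.append(f"Port {port}")
                seen_port = True
            out.append(line)
            continue
        if PRL_RE.match(line):
            if not seen_prl:
                out.append("PermitRootLogin no")
                seen_prl = True
            continue                  # drop later duplicates
        if PORT_RE.match(line):
            if not seen_port:
                out.append(f"Port {port}")
                seen_port = True
            continue
        out.append(line)
    if not seen_prl:
        out.append("PermitRootLogin no")
    if not seen_port:
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"


def effective_global(text: str) -> dict:
    """Report the PermitRootLogin and Port values sshd will actually use:
    the first active occurrence before any Match block wins."""
    found = {}
    for line in text.splitlines():
        if MATCH_RE.match(line):
            break
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1).lower() in ("permitrootlogin", "port"):
            found.setdefault(m.group(1).lower(), m.group(2))
    return found


if __name__ == "__main__":
    # Real usage: python3 harden_sshd.py /etc/ssh/sshd_config > sshd_config.new,
    # then `sudo sshd -t -f sshd_config.new` and only then copy it into place.
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(src).read() if src else SAMPLE_CONFIG
    hardened = harden_sshd_config(text)
    sys.stdout.write(hardened)
    print("# effective:", effective_global(hardened), file=sys.stderr)
```

Validate the new file with sshd -t before restarting, and keep your current session open until a login on the new port (through the new firewall rule) succeeds. If the file starts with an Include line, any PermitRootLogin or Port set in those drop-ins is read first and wins, so check them too.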

Change the firewall on the Hetzner server admin web site to use the alternative SSH port, SFTPGO SFTP port and web admin UI port

I edited the webserver template to also accept ssh/sftp on ports 2222 and 2022 and http on 8080. You can remove access to the web interface in the firewall when it is not in use.

Install SFTPGO

The easiest way to install SFTPGO is to add the SFTPGO PPA repository to Ubuntu 20.10. In 20.04 LTS, adding PPA repositories is not allowed by default.

sudo apt install software-properties-common
sudo add-apt-repository ppa:sftpgo/sftpgo
sudo apt install sftpgo
sudo systemctl status sftpgo

Open the SFTPGO web admin UI to the internet

Change "address": "127.0.0.1" under "httpd" to "address": "" in the sftpgo.json configuration file so you can access the web admin UI from the internet. You can also enable the built-in brute force defender by setting "defender" to enabled. It is also possible to enable https SSL/TLS encryption using certbot, like I wrote about in this post.

sudo nano /etc/sftpgo/sftpgo.json
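Binding the admin UI to every interface before HTTPS is on means the admin password crosses the internet in clear text until the certbot steps are done, and with the defender off there is nothing rate-limiting login attempts on the exposed ports. The script below audits exactly the settings edited by hand here and in the HTTPS post (the httpd address, enable_https, the certificate paths and the defender) and produces the hardened copy. It is an added example, not SFTPGo's own code; the JSON layout is assumed from the fragments the posts show (a "bindings" list under "httpd", the certificate paths beside it, "defender" at the top level) and SAMPLE_CONFIG is constructed, so check the key names against your own sftpgo.json.

```python
import copy
import json

# Paths the HTTPS post configures after certbot has issued the certificate.
CERT_FILE = "/etc/sftpgo/ssl/cert.pem"
KEY_FILE = "/etc/sftpgo/ssl/privkey.pem"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample in the assumed layout: the state after the admin UI has
# been opened to the internet but before HTTPS and the defender were switched on.
SAMPLE_CONFIG = json.loads("""
{
  "httpd": {
    "bindings": [{"port": 8080, "address": "", "enable_https": false}],
    "certificate_file": "",
    "certificate_key_file": ""
  },
  "defender": {"enabled": false}
}
""")


def audit(cfg: dict) -> list:
    """Return findings for the settings the posts edit by hand (empty = fine)."""
    findings = []
    httpd = cfg.get("httpd", {})
    have_cert = bool(httpd.get("certificate_file")) and bool(httpd.get("certificate_key_file"))
    for b in httpd.get("bindings", []):
        address = b.get("address", "")
        exposed = address not in LOOPBACK          # "" or 0.0.0.0 means every interface
        if exposed and not b.get("enable_https", False):
            findings.append(
                f"httpd port {b.get('port')} listens on {address or 'all interfaces'} "
                "without HTTPS: the admin password would be sent in clear text"
            )
        if b.get("enable_https", False) and not have_cert:
            findings.append(
                f"httpd port {b.get('port')} has enable_https but certificate_file/"
                "certificate_key_file are not set: the listener has no certificate to serve"
            )
    if not cfg.get("defender", {}).get("enabled", False):
        findings.append("defender is disabled: hosts that keep failing to log in are never blocked")
    return findings


def harden(cfg: dict, cert: str = CERT_FILE, key: str = KEY_FILE) -> dict:
    """Return a copy with HTTPS on every httpd binding, the certificate paths
    set and the defender enabled; the input is left untouched."""
    new = copy.deepcopy(cfg)
    httpd = new.setdefault("httpd", {})
    for b in httpd.get("bindings", []):
        b["enable_https"] = True
    httpd["certificate_file"] = cert
    httpd["certificate_key_file"] = key
    new.setdefault("defender", {})["enabled"] = True
    return new


def harden_json_text(text: str) -> str:
    """Same as harden() for the raw file contents, written back with a 2-space indent."""
    return json.dumps(harden(json.loads(text)), indent=2) + "\n"


if __name__ == "__main__":
    # Real usage: python3 sftpgo_audit.py /etc/sftpgo/sftpgo.json prints the findings;
    # write harden_json_text() output to a new file and review it before replacing the original.
    import sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit(cfg) or ["no findings"]:
        print(f)
```

Only the keys the posts touch are rewritten; everything else in the file, including the other listeners, is preserved because the change is applied to a deep copy of the parsed document rather than by text substitution.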

Restart sftpgo

sudo systemctl restart sftpgo

Change the default admin password

Log in to the web admin interface in a web browser with the username admin and the password password. Use the IP address of the server and port 8080, like http://1.1.1.1:8080/

Change the default admin password.

Add a SFTPGO SFTP user

The minimum settings for a user are username, password and permissions like all * or download only. If the user is called user1 the default directory is /srv/sftpgo/data/user1. The user can only upload to and download from this directory. user1 is not an actual user on the system and needs a home directory that the sftpgo user has access to, like /srv. You can also choose to enable max connections, disk storage quota, max bandwidth and more.

You can now connect to the SFTP server with Cyberduck or similar SFTP clients. I recommend using Cyberduck because it uses segmented downloads.

Connect to the SFTPGO SFTP server

Choose SFTP, port 2022, and your username and password.

Try uploading and downloading. I get 22 MB/sec downloading on a 200 Mbit connection.

You can see which users are connecting and downloading by clicking on Connections in the SFTPGO web admin UI.

Check CPU and memory usage on the server with htop

sudo apt install htop
htop

SFTPGO uses a little more CPU than the OpenSSH SFTP server. The server seems to handle it well.

How to make encrypted DCPs in Easydcp Creator Plus and make KDMs and DKDMs in KDM generator

A DKDM is a KDM made for Easydcp Creator + and similar programs that can do versioning, like adding subtitles, changing audio and adding logo reels to DCPs.

A KDM is for a cinema server/player that can only play the DCP.

When a distributor buys a DCP for versioning it is often encrypted and you can buy a DKDM that lets you do versioning on it. When the new version is ready you can encrypt it again.

It is possible to get the public encryption keys from cinemas that will screen a movie and make KDMs. I mostly send encrypted DCPs to cinemas in Norway via Unique Movie Transit and let them handle the logistics of generating and sending KDMs to cinemas. There is no extra cost to let them handle the KDMs.

This is how I make an encrypted DCP and a DKDM for a DCP lab or Movie Transit.

Converting a DCP to an encrypted DCP in Easydcp Creator +

To enable encryption I click on the key on the video track and choose Enable for all tracks.

Now the lock icon is locked

To make the encrypted DCP I click on Generate DCP

Choose to make DCP digest in the Generate Package Wizard

To make a test KDM you can first make a KDM for your copy of Easydcp Creator.

Open the encrypted DCP in Easydcp creator. The keys are red and the DCP is locked.

Export the Public encryption key File – Content decryption – Export public certificate

Making a KDM/DKDM in Easydcp Generator

In KDM Generator choose the DCP-Digest that was created when the DCP was created. Choose the public certificate that you exported from Easydcp Creator and choose valid dates and then click on Generate KDM

In Easydcp Creator choose File – Content decryption – Load Content Keys and load the KDM you generated.

Now the DCP has green lock icons and the DCP is unlocked.

When generating the DKDM for Movie Transit I use the public certificate they sent me and generate a key for them in KDM generator.