Strange ftp problem

Strange ftp problem

Rodney
Quite some time ago, someone recommended Cyberduck as an ftp client, and I’ve been using it successfully ever since. However, after a recent upgrade I got this error when trying to access a site I access often, “Operation not permitted (connect failed). The connection attempt was rejected. The server may be down, or your network may not be properly configured.”

I contacted the vendor, and got a very quick reply as has always been the case on the rare occasions when I’ve had a problem. This seems to be a problem with the latest Cyberduck release, "We can reproduce this issue – thanks for notifying us about this severe issue. It looks like the codesigning security entitlements are not properly applied by the Mac App Store download. We are in contact with Apple Developer Support to get a resolution as soon as possible.”

However, I’m not totally convinced that the problem is just with Cyberduck. The site I’m trying to access is password protected, and uses a non-standard port. I can connect to it just fine using Chrome “ftp://site.domain.whatever”. I get prompted for the username and password, and all’s well. However, I can’t access it using either Finder or Safari. When I use Safari, after the login prompt Safari changes the URL to, "ftp://site.domain.whatever/home/username”, which is wrong. I’m not sure what problem Finder has.

I suspect that Cyberduck might be just a GUI on top of Apple’s ftp code, which is a reasonable thing to do. Why reinvent the wheel, especially if the wheel is supported by Apple? Unfortunately, a bunch of stuff changed with High Sierra; Apple removed command line ftp, telnet, and other traditional Unix apps. They also changed the default PATH environment variable, according to something I turned up with Google. Maybe this broke some stuff...

Has anyone else had ftp problems recently?





____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____

Re: Strange ftp problem

Claes Isacson
Hi Rodney,

Yes,
As of today, after getting the same error, I have come to the sad conclusion that it was time to dump “Cyberduck” in favour of “ForkLift”.

So far I’m impressed with it.

Regards
// Claes in Sweden

> On 26 Feb 2018, at 16:19, Rodney <[hidden email]> wrote:
>
> Quite some time ago, someone recommended Cyberduck as an ftp client, and I’ve been using it successfully ever since. However, after a recent upgrade I got this error when trying to access a site I access often, “Operation not permitted (connect failed). The connection attempt was rejected. The server may be down, or your network may not be properly configured.”
>
> I contacted the vendor, and got a very quick reply as has always been the case on the rare occasions when I’ve had a problem. This seems to be a problem with the latest Cyberduck release, "We can reproduce this issue – thanks for notifying us about this severe issue. It looks like the codesigning security entitlements are not properly applied by the Mac App Store download. We are in contact with Apple Developer Support to get a resolution as soon as possible.”
>
> However, I’m not totally convinced that the problem is just with Cyberduck. The site I’m trying to access is password protected, and uses a non-standard port. I can connect to it just fine using Chrome “ftp://site.domain.whatever”. I get prompted for the username and password, and all’s well. However, I can’t access it using either Finder or Safari. When I use Safari, after the login prompt Safari changes the URL to, "ftp://site.domain.whatever/home/username”, which is wrong. I’m not sure what problem Finder has.
>
> I suspect that Cyberduck might be just a GUI on top of Apple’s ftp code, which is a reasonable thing to do. Why reinvent the wheel, especially if the wheel is supported by Apple? Unfortunately, a bunch of stuff changed with High Sierra; Apple removed command line ftp, telnet, and other traditional Unix apps. They also changed the default PATH environment variable, according to something I turned up with Google. Maybe this broke some stuff...
>
> Has anyone else had ftp problems recently?





Re: Strange ftp problem

Rodney

On Feb 26, 2018, at 16:24, Claes Isacson <[hidden email]> wrote:

As of today, after getting the same error, I have come to the sad conclusion that it was time to dump “Cyberduck” in favour of “ForkLift”.

A friend recommended Filezilla. He uses Windows, but there is a Mac version, and it is free. I’m a bit nervous about it because I don’t know how they make their money...





Re: Strange ftp problem

Nathan Raymond
On Mon, Feb 26, 2018 at 10:29 AM, Rodney <[hidden email]> wrote:
A friend recommended Filezilla. He uses Windows, but there is a Mac version, and it is free. I’m a bit nervous about it because I don’t know how they make their money...

My understanding is that Filezilla makes money from adware that is bundled with the default "installer" download. If you look at that page, they say: "This installer may include bundled offers. Check below for more options." If you follow the link to all downloads, you'll see a "FileZilla_3.31.0_macosx-x86.app.tar.bz2" download which doesn't have an installer/bundled adware.





Re: Strange ftp problem

Curtis Wilcox
In reply to this post by Claes Isacson
Instead of switching clients, why not switch protocols, from the insecure FTP to the secure SFTP?

I think Cyberduck does still support FTP on High Sierra, they regularly release updates with detailed changelogs, they would have said something. If you're using it from the Mac App Store, then I think the code-signing issue is the likely culprit.


I believe in addition to High Sierra removing the command line ftp client (and FTP server), it also removed FTP support in the Finder. To get support back in the Finder, the Cyberduck people have a separate product, Mountain Duck, that mounts a wide array of server protocols, including FTP.






Re: Strange ftp problem

Rodney

> On Feb 26, 2018, at 18:39, Curtis Wilcox <[hidden email]> wrote:
>
> Instead of switching clients, why not switch protocols, from the insecure FTP to the secure SFTP?

It’s not my site. It’s not my choice…

> I think Cyberduck does still support FTP on High Sierra, they regularly release updates with detailed changelogs, they would have said something. If you're using it from the Mac App Store, then I think the code-signing issue is the likely culprit.

Yep. They support it in theory. Their latest update broke.

> I believe in addition to High Sierra removing the command line ftp client (and FTP server), it also removed FTP support in the Finder.

They apparently made it harder to use, but they didn’t remove it from either the Finder or Safari.

> To get support back in the Finder, the Cyberduck people have a separate product, Mountain Duck, that mounts a wide array of server protocols, including FTP.

All I want is a simple ftp client. I don’t care about anything else. If Cyberduck can’t fix the problem in a day or so, I’ll move on.



Re: Strange ftp problem

Al Varnell
On Feb 26, 2018, at 10:39 AM, Rodney <[hidden email]> wrote:
> On Feb 26, 2018, at 18:39, Curtis Wilcox <[hidden email]> wrote:
>> Instead of switching clients, why not switch protocols, from the insecure FTP to the secure SFTP?
>
> It’s not my site. It’s not my choice…

Then encourage the owner to spring for a security certificate since FTP's unsecured password vulnerability is now widely being exploited in order to install malware / botware on unprotected web sites. Moving to a secure means of FTP and https is seriously lagging.


Sent from my iPad

-Al-



Re: Strange ftp problem

Rodney

> On Feb 27, 2018, at 04:42, Al Varnell <[hidden email]> wrote:
>
> Then encourage the owner to spring for a security certificate ...

Or I find an FTP client that works. I feel quite certain that my friend is going to prefer option two for his personal NAS.




Re: Strange ftp problem

Al Varnell
On Mon, Feb 26, 2018 at 08:24 PM, Rodney wrote:
On Feb 27, 2018, at 04:42, Al Varnell wrote:

Then encourage the owner to spring for a security certificate ...

Or I find an FTP client that works. I feel quite certain that my friend is going to prefer option two for his personal NAS.

Sorry if I wasn't clear. I certainly didn't intend to offer that as an option, just a very strong warning. Apple has deprecated ftp and telnet as a first step, due to a very real threat that has been building for the last few years and you should expect this to be just the beginning of a campaign to eliminate them from the Internet eco structure. Hundreds of thousands of web sites are currently compromised, according to credible security research firms. Any work around involving legacy apps that still work is both dangerous and simply delaying the inevitable. 

And yes, I have been notifying everybody that still uses this method to distribute software that I will be terminating my association if they don't adopt a secure distribution method. It's actually not that hard to do. One can easily adopt FTP-SSL (Explicit AUTH TLS) or SFTP (SSH File Transfer Protocol) or under certain circumstances WebDAV (HTTPS).

-Al-
-- 
Al Varnell
Mountain View, CA








Re: Strange ftp problem

Rodney

On Feb 27, 2018, at 07:25, Al Varnell <[hidden email]> wrote:

Sorry if I wasn't clear. I certainly didn't intend to offer that as an option, just a very strong warning.

Al, I do appreciate your concern, but I was already aware of the issues. I do get out occasionally.

However, I simply don’t care. By the time ftp is dead, I’ll either also be dead or I’ll be in an assisted living center somewhere. If things happen quicker than I expect, or if I live longer than expected, then my friend will upgrade his NAS without prompting from me since he also needs to access it remotely when traveling. This is, of course, assuming that my friend isn’t also dead or in assisted living…

My only concern is that I don’t want to spend much money on a fancy client since I use ftp so seldom, but I don’t want “ad supported” software either.

I’m beginning to think that Cyberduck is truly dead. They released 6.4.2 yesterday, and it has the same problem (for me) as 6.4.1...😞





Re: Strange ftp problem

@lbutlr
In reply to this post by Rodney
On Feb 26, 2018, at 07:19, Rodney <[hidden email]> wrote:

Has anyone else had ftp problems recently?

No, but I use a CLI ftp client for the one ftp site that I have used in the last few years (but this was in the last month or three).

However, if the issue is with how Apple changed entitlements, then it makes sense it would apply to Finder and Safari. I'm not sure what this could mean, but I suspect it means they tightened security and that caused the site you are connecting to to no longer work properly.

Hmm. OK, actually the site I am connecting to is SFTP…

If you're conversant with the command-line try brew install ncftp, otherwise maybe try FileZilla and see if that works?

That will at least give you more information.

-- 
My main job is trying to come up with new and innovative and effective ways to reject even more mail. I'm up to about 97% now.




Re: Strange ftp problem

Alia Michaels
In reply to this post by Rodney
RE: https
Oh, really? The last time I checked in about using https, I read that it
required a fixed IP address to get a certificate. Is that no longer true?

(I have a small, static site that uses shared hosting. So, as far as I
can tell, I can't get a certificate without a fixed IP address. I'm not
willing to pay a *lot* more money just to protect my site from possible
attack. If, by chance, my site gets compromised in some manner, I'd just
upload the archived HTML pages.)

For the OP, regarding Mac FTP clients:
I've used Filezilla for the Mac ever since I gave up on Fetch (many,
many years ago). Haven't had a problem. My copy is old enough that I
haven't had to deal with any adware, so YMMV when downloading the
current version. (BTW: I also use the Windows version in my Windows VM
on my Mac.)

Regards,
Alia

On Mon, Feb 26, 2018 at 08:24 PM, Rodney wrote:
>> On Feb 27, 2018, at 04:42, Al Varnell wrote:
>>
>> Then encourage the owner to spring for a security certificate ...
> Or I find an FTP client that works. I feel quite certain that my friend is going to prefer option two for his personal NAS.
Sorry if I wasn't clear. I certainly didn't intend to offer that as an option, just a very strong warning. Apple has deprecated ftp and telnet as a first step, due to a very real threat that has been building for the last few years and you should expect this to be just the beginning of a campaign to eliminate them from the Internet eco structure. Hundreds of thousands of web sites are currently compromised, according to credible security research firms. Any work around involving legacy apps that still work is both dangerous and simply delaying the inevitable.

And yes, I have been notifying everybody that still uses this method to distribute software that I will be terminating my association if they don't adopt a secure distribution method. It's actually not that hard to do. One can easily adopt FTP-SSL (Explicit AUTH TLS) or SFTP (SSH File Transfer Protocol) or under certain circumstances WebDAV (HTTPS).





Re: Strange ftp problem

Rodney
In reply to this post by @lbutlr

> On Feb 27, 2018, at 16:34, LuKreme <[hidden email]> wrote:
>
> I'm not sure what this could mean, but I suspect it means they tightened security and that caused the site you are connecting to to no longer work properly.

It isn’t just the site I’m connecting to that doesn’t work properly. It is the Cyberduck client. When I reported the problem, the vendor was already aware of it. He released an upgrade yesterday that was supposed to fix the problem but didn't.

He sent me a link that let me download the previous version from the web site instead of from the App Store, and that version works.

> If you're conversant with the command-line try brew install ncftp, otherwise maybe try FileZilla and see if that works?

Thanks. I did a command-line install of the gnu tools, including ftp and telnet, but hopefully I won’t need them.





Re: Strange ftp problem

Randy B. Singer
In reply to this post by Rodney

On Feb 26, 2018, at 10:39 AM, Rodney wrote:

> All I want is a simple ftp client. I don’t care about anything else. If Cyberduck can’t fix the problem in a day or so, I’ll move on.

Check out:

RBrowser (free)
http://www.rbrowser.com/

This venerable app has been around for many years and is easy to use.


___________________________________________
Randy B. Singer
Co-author of The Macintosh Bible (4th, 5th, and 6th editions)

Macintosh OS X Routine Maintenance
http://www.macattorney.com/ts.html
___________________________________________







Re: Strange ftp problem

Curtis Wilcox
In reply to this post by Alia Michaels
On Feb 27, 2018, at 6:38 PM, gastropod <[hidden email]> wrote:
>
> On Tue, Feb 27, 2018, at 10:56 AM, Alia Michaels wrote:
>> RE: https
>> Oh, really? The last time I checked in about using https, I read that it
>> required a fixed IP address to get a certificate. Is that no longer true?
>
> Certificates haven't been locked to IPs for a very long time.  


It does require the browser to support Server Name Indication (SNI). So if you're using IE on Windows XP or some smartphones from 2011 or earlier, you won't be able to browse to a site using a certificate not specific to that domain name and ip (IE actually supported SNI before Chrome, but only on Windows Vista). Old browsers on old OSs will fail on some encrypted sites for other reasons anyway, like not supporting the minimum TLS version or ciphers.

Just to bring it closer to the original topic, using SFTP does not require using certificates. Pretty much everywhere, SFTP comes with SSH, the secure replacement for telnet.





Re: Strange ftp problem

Claes Isacson
It seems they now have fixed whatever bug was breaking Cyberduck. The latest update fixed it for me at least.

Rock on!
// Claes from Sweden


> On 28 Feb 2018, at 06:59, Curtis Wilcox <[hidden email]> wrote:
>
> On Feb 27, 2018, at 6:38 PM, gastropod <[hidden email]> wrote:
>>
>> On Tue, Feb 27, 2018, at 10:56 AM, Alia Michaels wrote:
>>> RE: https
>>> Oh, really? The last time I checked in about using https, I read that it
>>> required a fixed IP address to get a certificate. Is that no longer true?
>>
>> Certificates haven't been locked to IPs for a very long time.  
>
>
> It does require the browser to support Server Name Indication (SNI). So if you're using IE on Windows XP or some smartphones from 2011 or earlier, you won't be able to browse to a site using a certificate not specific to that domain name and ip (IE actually supported SNI before Chrome, but only on Windows Vista). Old browsers on old OSs will fail on some encrypted sites for other reasons anyway, like not supporting the minimum TLS version or ciphers.
>
> Just to bring it closer to the original topic, using SFTP does not require using certificates. Pretty much everywhere, SFTP comes with SSH, the secure replacement for telnet.





Re: Strange ftp problem

Rodney

On Feb 28, 2018, at 10:32, Claes Isacson <[hidden email]> wrote:

It seems they now have fixed whatever bug was breaking Cyberduck. The latest update fixed it for me at least.

I installed version 6.4.2 from the App Store yesterday, but it didn’t fix the problem for me. The vendor said that they were aware that the update didn’t fix the problem, and suggested that I install 6.4.1 from their web site. That did fix the problem.





Re: Strange ftp problem

@lbutlr
In reply to this post by Alia Michaels
On Feb 27, 2018, at 15:38, gastropod <[hidden email]> wrote:
> I've been rebuilding my mailing list server, and installing the Let's Encrypt certificates has been a delight compared to the old days.

I set aside a Saturday to setup certs and https: only access to the hosted websites on my server. I started at 9am.

I was done by 9:30am.

--
This is my signature. There are many like it, but this one is mine.






Re: Strange ftp problem

Doug Hogg
Any tips? I have some websites to handle.

:-)

Doug Hogg

Sent from my iPhone

> On Feb 28, 2018, at 11:53 AM, @lbutlr <[hidden email]> wrote:
>
>> On Feb 27, 2018, at 15:38, gastropod <[hidden email]> wrote:
>> I've been rebuilding my mailing list server, and installing the Let's Encrypt certificates has been a delight compared to the old days.
>
> I set aside a Saturday to setup certs and https: only access to the hosted websites on my server. I started at 9am.
>
> I was done by 9:30am.
>
> --
> This is my signature. There are many like it, but this one is mine.




Re: Strange ftp problem

@lbutlr
On Feb 28, 2018, at 12:48, Doug Hogg <[hidden email]> wrote:
> Any tips? I have some websites to handle.

I used dehydrated (a bash script that interfaces with LetsEncrypt). Setup was straightforward, I created a folder in my www root named .well-known, linked dehydrated/.well-known to it, and then in each website I created a link to the same folder.

Ran dehydrated and it created all the certs.

Then, I created the virtual host for *:443 for each domain including the document root and any other domain specific info (log files, etc), mostly cribbed from the existing :80 and included the following:

   SSLEngine on
   SSLCertificateFile /usr/local/etc/dehydrated/certs/example.com/cert.pem
   SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.com/privkey.pem
   SSLCertificateChainFile /usr/local/etc/dehydrated/certs/example.com/chain.pem
   SSLProtocol ALL -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

And then replaced the *:80 virtualhost with:

<VirtualHost *:80>
   ServerName www.example.com
   ServerAlias example.com
   Redirect / https://www.example.com/
</VirtualHost>

Sorry about the formatting, I’m on my iPad and I can’t easily fix it.

This config gives me a grade of A from SSLlabs.

The redirect means that only https connections are available.

--
My main job is trying to come up with new and innovative and effective ways to reject even more mail. I'm up to about 97% now.
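
An added example, not part of the original message and not the poster's own tooling: a small Python audit of the :443 directives quoted above, showing what a present-day review of that 2018 configuration would flag (TLS 1.0/1.1 left enabled by `ALL -SSLv2 -SSLv3`, the 3DES cipher entries, the `SSLCertificateChainFile` directive deprecated since Apache 2.4.8, and no HSTS header behind the redirect). The tightened variant, the finding labels and all function names are assumptions made for this example.

```python
# Constructed sample: the :443 directives as posted in the message above.
POSTED = """\
SSLEngine on
SSLCertificateFile /usr/local/etc/dehydrated/certs/example.com/cert.pem
SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.com/privkey.pem
SSLCertificateChainFile /usr/local/etc/dehydrated/certs/example.com/chain.pem
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
"""

# Constructed sample: one tightened variant (an assumption, not the poster's
# config). Needs mod_headers for the Header line and an OpenSSL build that
# offers TLSv1.3; fullchain.pem is the leaf plus intermediates from dehydrated.
TIGHTENED = """\
SSLEngine on
SSLCertificateFile /usr/local/etc/dehydrated/certs/example.com/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.com/privkey.pem
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:!aNULL:!MD5:!DSS
Header always set Strict-Transport-Security "max-age=31536000"
"""

# What "all" can expand to; the exact set depends on the OpenSSL build.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")
WEAK_CIPHER_PARTS = {"3DES", "DES", "RC4", "RC2", "MD5",
                     "NULL", "aNULL", "eNULL", "EXPORT", "EXP"}


def parse_directives(text):
    """Return {lowercased directive name: [argument string, ...]}."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and <VirtualHost> section tags
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(
            parts[1] if len(parts) > 1 else "")
    return found


def enabled_protocols(spec):
    """Model SSLProtocol: 'all' selects every protocol, +X adds, -X removes,
    and a bare name replaces whatever was selected so far."""
    canonical = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled = set()
    for token in spec.split():
        sign = token[0] if token[0] in "+-" else ""
        word = token[len(sign):].lower()
        if word == "all":
            chosen = set(ALL_PROTOCOLS)
        else:
            # Unknown names (SSLv2 is gone from Apache 2.4) select nothing.
            chosen = {canonical[word]} if word in canonical else set()
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled


def weak_ciphers(cipher_string):
    """Return the cipher-string tokens that still enable a weak algorithm."""
    weak = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-+":
            continue  # '!'/'-' remove ciphers, '+' only reorders them
        if WEAK_CIPHER_PARTS & set(token.split("+")):
            weak.append(token)
    return weak


def audit(text):
    """Return a list of finding labels for one TLS virtual host body."""
    d = parse_directives(text)
    findings = []
    # The last SSLProtocol line wins; Apache's default is 'all -SSLv3'.
    protocols = enabled_protocols(d.get("sslprotocol", ["all -SSLv3"])[-1])
    for proto in LEGACY_PROTOCOLS:
        if proto in protocols:
            findings.append("legacy-protocol:" + proto)
    for suite in d.get("sslciphersuite", []):
        if suite.split():
            findings += ["weak-cipher:" + t
                         for t in weak_ciphers(suite.split()[-1])]
    if "sslcertificatechainfile" in d:
        findings.append("deprecated:SSLCertificateChainFile")
    headers = d.get("header", [])
    if not any("strict-transport-security" in h.lower() for h in headers):
        findings.append("missing:Strict-Transport-Security")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(label, audit(cfg) or "no findings")
```
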


