Updating certificates in Docker image

[czuk]

Hi,

We have a large number of local government clients using an old Pure-FTPD (explicit FTP over TLS) system. It needs replacing so I'm currently trying to implement SFTPGo as a drop in replacement. In line with current philosophy on using microservices, I would like it to be containerised so I've been looking at using the drakkan/sftpgo image on docker hub.

It's working fine on SFTP. I would love to move all of the clients to SFTP but realistically that won't happen anytime soon.

It's working fine on explicit FTP over TLS after I supplied it with a valid LE certificate on a bind mount. I haven't tried forcing a certificate renewal yet to see what happens, will SFTPGo pick up on a renewed certificate on the bind mount automatically or will the container need to be restarted? I'm thinking it won't as it's not explicitly mentioned in the documentation.

If it needs restarting then that introduces an external problem that needs to be managed which isn't ideal.

I can't see any other way of renewing the certificate from within the container. As I understand it, the ACME bits in SFTPGo require a publically accessible web server to pass HTTP01 challenge but there is no webserver in the docker image, other than the control panel interface which I don't think should be publically accessible.

There is mention of lego in the documentation to be used as an utility to renew certificates outside of SFTPGo but this isn't included in the image. I'm thinking that could be used to perform DNS01 challenges from within the docker image but there's also additional work required to get the SFTPGo server to pick up the new certificate in the image.

Ideally for me, SFTPGo would notice a renewed certificate and would start using it automatically.

[drakkan]

Hi,

currently you have to send a SIGHUP to the running container to use the updated certificates. Please check the support policy

[JonBendtsen]

are you already doing virus checking in your setup? If not it might be an idea to peek at my setup which I described here.

#1133

[drakkan]

Hi,

We have a large number of local government clients using an old Pure-FTPD (explicit FTP over TLS) system. It needs replacing so I'm currently trying to implement SFTPGo as a drop in replacement. In line with current philosophy on using microservices, I would like it to be containerised so I've been looking at using the drakkan/sftpgo image on docker hub.

It's working fine on SFTP. I would love to move all of the clients to SFTP but realistically that won't happen anytime soon.

It's working fine on explicit FTP over TLS after I supplied it with a valid LE certificate on a bind mount. I haven't tried forcing a certificate renewal yet to see what happens, will SFTPGo pick up on a renewed certificate on the bind mount automatically or will the container need to be restarted? I'm thinking it won't as it's not explicitly mentioned in the documentation.

If it needs restarting then that introduces an external problem that needs to be managed which isn't ideal.

I can't see any other way of renewing the certificate from within the container. As I understand it, the ACME bits in SFTPGo require a publically accessible web server to pass HTTP01 challenge but there is no webserver in the docker image, other than the control panel interface which I don't think should be publically accessible.

There is mention of lego in the documentation to be used as an utility to renew certificates outside of SFTPGo but this isn't included in the image. I'm thinking that could be used to perform DNS01 challenges from within the docker image but there's also additional work required to get the SFTPGo server to pick up the new certificate in the image.

Ideally for me, SFTPGo would notice a renewed certificate and would start using it automatically.

6119917