
A concise walkthrough for setting up Pure‑FTPD with a self‑signed certificate on Debian‑based machines, aimed at giving you a secure and cost‑free FTP service. It covers installing the lightweight pure‑ftpd package set, creating isolated FTP accounts with pure‑pw, and generating an RSA key pair using OpenSSL before dropping it into /etc/pure-ftpd/certs. The guide then configures the server to use SSL/TLS optionally or exclusively, directs logs to syslog for easier debugging, and hardens security by disabling anonymous access through a single configuration file line. Finally, it explains how to restart Pure‑FTPD, test connections from another host, and highlights common mistakes such as mis‑typed paths that can break the TLS handshake.



Pure‑FTPD on Ubuntu/Debian: Setting Up a Self‑Signed Certificate (and Why It Works)

If you’ve ever had to hand‑install an FTP server on a fresh Debian box and wanted something that looks fancy but doesn’t cost you a dime, Pure‑FTPD with a self‑signed certificate is the answer. Below is a straight‑to‑the‑point walkthrough of installing, configuring, and securing it, plus a quick note about what happens if you skip any step.

1. Install Pure‑FTPD and Its Extras

sudo apt update && sudo apt install pure-ftpd

pure‑pw, which ships in the same package, lets you create FTP users without touching the system’s user database, which is handy for isolated file shares. The basic package includes all the core binaries; no bloat.

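2. Create a Dedicated FTP User

# "ftpuser" after useradd is the virtual login; -u names an existing system account it maps to; -m rebuilds the user database
sudo pure-pw useradd ftpuser -u ftpuser -d /home/ftpuser -m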

Replace ftpuser with whatever you want. This keeps FTP traffic separate from your regular shell users—no surprises when someone drops a file in /home/ftpuser.

3. Generate a Self‑Signed SSL Certificate

sudo mkdir -p /etc/pure-ftpd/certs
sudo openssl req -x509 -nodes -days 365 \
    -newkey rsa:2048 \
    -keyout /etc/pure-ftpd/certs/ftps.key \
    -out /etc/pure-ftpd/certs/ftps.crt

When prompted, set a subject that makes sense (e.g., CN=ftp.example.com). It’s fine if the hostname is just localhost; the client will still trust it once you add it to its trusted list.

4. Point Pure‑FTPD at the Certificate

Edit /etc/pure-ftpd/conf/SSL:

echo "2" | sudo tee /etc/pure-ftpd/conf/SSL

The “2” tells Pure‑FTPD to use SSL/TLS, but not to enforce it on every connection. That’s useful if you want regular FTP for legacy clients while still offering FTPS.

Next, tell Pure‑FTPD where the key and cert live:

echo "/etc/pure-ftpd/certs/ftps.key" | sudo tee /etc/pure-ftpd/conf/SSLKeyFile
echo "/etc/pure-ftpd/certs/ftps.crt" | sudo tee /etc/pure-ftpd/conf/SSLCertFile

5. Harden the Configuration

Open /etc/pure-ftpd/conf/Syslog and add:

echo "2" | sudo tee /etc/pure-ftpd/conf/Syslog

This makes Pure‑FTPD log to syslog, which is easier for later troubleshooting.

To disable anonymous FTP (a common misstep that leaves your server exposed), set:

sudo touch /etc/pure-ftpd/conf/NoAnonymous
echo "1" | sudo tee /etc/pure-ftpd/conf/NoAnonymous

6. Restart and Verify

sudo systemctl restart pure-ftpd
sudo systemctl status pure-ftpd

A quick test from another machine:

ftp -p ftp.example.com
# or for FTPS
lftp -e "set ssl:verify-certificate no; set net:max-retries 1; set net:timeout 5; open ftps://ftp.example.com" -u ftpuser,password

If the connection fails, check /var/log/syslog—Pure‑FTPD writes every error there. On my own server, an old typo in /etc/pure-ftpd/conf/SSLKeyFile caused a “Permission denied” that kept all clients from connecting.
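A check to run on the key and certificate from step 3 before restarting, added here as an example and not part of the original guide: it confirms both files are readable, that the private key matches the certificate, that the certificate has not expired, and that the key is not readable by group or others. The function name and return codes are this example's own, and stat -c assumes GNU coreutils, as on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: check a key/certificate pair before restarting the server.
# Return codes (this example's own convention):
#   0 ok, 1 file missing or unreadable, 2 file does not parse,
#   3 key and certificate do not match, 4 certificate expired,
#   5 private key readable by group or others
check_tls_pair() {
    key=$1
    cert=$2
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Derive the public key from the private key and extract the one
    # embedded in the certificate; a valid pair yields identical PEM text.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "not a private key: $key" >&2; return 2; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "not a certificate: $cert" >&2; return 2; }
    [ "$kpub" = "$cpub" ] \
        || { echo "key does not match certificate" >&2; return 3; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 4; }
    # The private key must carry no group/other permission bits.
    mode=$(stat -c '%a' "$key" 2>/dev/null) || return 1
    case $mode in
        *00) ;;
        *) echo "key mode $mode is too open (want 600)" >&2; return 5 ;;
    esac
    return 0
}

# Run directly with the two paths from step 3, for example:
#   sudo sh check.sh /etc/pure-ftpd/certs/ftps.key /etc/pure-ftpd/certs/ftps.crt
if [ $# -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

A non-zero return here points at the file to fix before looking at the server's own log.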

7. Optional: Force FTPS Only

If you want to lock down the server so that plain‑text FTP is impossible:

echo "1" | sudo tee /etc/pure-ftpd/conf/TLSOnly

Now any client must speak TLS or be rejected outright.

Real‑world tweak: I once had a colleague forget to set NoAnonymous. The server was up and running, but anyone could log in without credentials. We patched the config, restarted, and that one small line made all the difference.

That’s it—Pure‑FTPD on Ubuntu/Debian with a self‑signed cert, no fluff, no extra packages. If you run into trouble, double‑check those file paths; Pure‑FTPD is picky about where it expects its keys.