
When connecting to a server with lftp, I have the following issue:

Certificate verification: Not trusted: no issuer was found (AA:AA:AA:[...]:AA:AA)

Which indicates at least that the cert verification failed. I would like to whitelist that certificate. Obviously, disabling certificate verification is not an option due to security concerns.

Here is what I already tried:

  • Following that guide to retrieve certs from the server, and use them with set ssl:ca-file. Following that guide, I have three certs. I tried them all, then concatenated together, which didn't change a thing. Also tried with ssl:cert-file.
  • Using the same method as above with openssl s_client -connect my.server.tld:21 -starttls ftp, which yields only one certificate.
  • Setting ssl:ca-file to the system's CA store.
  • Using gnutls-cli works fine with the -s option, as do the above openssl s_client commands.

The certificate seems to be signed by a valid chain of trust, as far as those commands report.

Filezilla works fine, but displays the following warning, which might be related:

Server sent unsorted certificate chain in violation of the TLS specifications

I have no control over the server as I do not host it myself, but the greeter identifies itself as Pure-FTPd.

Other clients that didn't work (lack of support for ftps, or for the specific server): ftp, ncftp, dolphin (KIO), curlftpfs, tnftp, firefox

MayeulC


The only solution a year later is still to turn off ssl:verify-certificate for specific certificate fingerprints.

set ssl:verify-certificate/{fingerprint1} no
set ssl:verify-certificate/{fingerprint2} no

See lftp closed issue 214 -- https://github.com/lavv17/lftp/issues/214#issuecomment-197237482

notabot2

What worked for me step by step with lftp:

  1. Get the certificate of the host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp; at the beginning of the result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
  2. Copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
  3. In the lftp configuration, reference this certificate file by adding to /etc/lftp.conf (system-wide): set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
  4. Then do your sync or whatever with lftp; in my case it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"
Philippe Gachoud
  • I followed this step by step but still saw the error. Maybe it's indeed an expected behavior of lftp for self-signed certificates (ref answer from notabot2). – X Zhang May 04 '22 at 02:29

The solution was for me to get all certificates from the command below and add them to the cert-file.

openssl s_client -connect hg-gym.de:21 -starttls ftp -showcerts
Mureinik
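The two answers above both boil down to "capture the chain with openssl s_client -showcerts and feed the right part of it to ssl:ca-file". The script below is an added example, not code from the thread or from lftp: it builds a throw-away test CA and leaf with openssl (all names are made up), writes a capture shaped like -showcerts output with the chain deliberately unsorted (issuer before leaf, the situation FileZilla warned about), splits it into one PEM file per certificate, and shows that the leaf verifies against the issuer certificates alone, which is what a ca-file should contain. The function names and the $WORK directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from lftp). Requires the openssl CLI.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Generate a throw-away CA and a leaf it signs; names are constructed.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ftp.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
  # Constructed stand-in for `openssl s_client -showcerts` output, unsorted:
  # the issuer comes before the leaf, as the FileZilla warning describes.
  { echo "CONNECTED(00000003)"; cat "$WORK/ca.pem" "$WORK/leaf.pem"; echo "---"; } \
    > "$WORK/capture.txt"
}

# Split every PEM certificate in a capture into $WORK/chain-N.pem; print the count.
split_showcerts() {
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# Collect every split certificate except the leaf into $1: that is the ca-file
# content lftp needs (trust anchors/issuers, not the server's own certificate).
issuers_only() {
  leaf_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$2" | cut -d= -f2)
  : > "$1"
  for f in "$WORK"/chain-*.pem; do
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f" | cut -d= -f2)
    [ "$fp" = "$leaf_fp" ] || cat "$f" >> "$1"
  done
}

# Return 0 when the leaf ($2) chains up to the CA file ($1), as lftp's check must.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_chain
echo "certificates in capture: $(split_showcerts "$WORK/capture.txt")"
issuers_only "$WORK/issuers.pem" "$WORK/leaf.pem"
verify_leaf "$WORK/issuers.pem" "$WORK/leaf.pem" && echo "leaf verifies against issuers.pem"
```

Against a real server, replace the constructed capture with the output of openssl s_client -connect host:21 -starttls ftp -showcerts and point set ssl:ca-file at the resulting issuers file.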