7

When connecting to a server with lftp, I have the following issue:

Certificate verification: Not trusted: no issuer was found (AA:AA:AA:[...]:AA:AA)

Which indicates at least that the cert verification failed. I would like to whitelist that certificate. Obviously, disabling certificate verification is not an option due to security concerns.

Here is what I already tried:

  • Following that guide to retrieve certs from the server, and use them with set ssl:ca-file. Following that guide, I have three certs. I tried them all, then concatenated together, which didn't change a thing. Also tried with ssl:cert-file.
  • using the same method as above with openssl s_client -connect my.server.tld:21 -starttls ftp, which yields only one certificate
  • setting ssl:ca-file to the system's ca store
  • using gnutls-cli works fine with the -s option, so do the above openssl s_client commands.

The certificate seems to be signed by a valid chain of trust, as far as those commands report.

Filezilla works fine, but displays the following warning, which might be related:

Server sent unsorted certificate chain in violation of the TLS specifications

I have no control over the server as I do not host it myself, but the greeter identifies itself as Pure-FTPd.

Other clients that didn't work (lack of support for ftps, or for the specific server): ftp, ncftp, dolphin (KIO), curlftpfs, tnftp, firefox

MayeulC
  • 235

4 Answers

7

The only solution a year later is still to turn off ssl:verify-certificate for specific certificate fingerprints.

set ssl:verify-certificate/{fingerprint1} no
set ssl:verify-certificate/{fingerprint2} no

See lftp closed issue 214 -- https://github.com/lavv17/lftp/issues/214#issuecomment-197237482
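To make the answer above checkable rather than a copy-and-paste of the error text, here is an added example (not code from the answer, from lftp, or from this site): a POSIX shell script that derives the `set ssl:verify-certificate/<fingerprint> no` line from a saved certificate and confirms that the fingerprint lftp complained about really belongs to the certificate you inspected. It assumes openssl is installed and that lftp prints the fingerprint as colon-separated hex, as in the error message in the question; which digest lftp uses is not stated on this page, so the script tries SHA-1 and SHA-256 and you keep whichever matches. The host name ftp.example.test and the self-signed test certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer above or from lftp: produce the
# per-fingerprint ssl:verify-certificate line from a saved certificate and
# check it against the fingerprint lftp printed. Assumes openssl(1) is
# installed and that lftp shows the fingerprint as colon-separated hex (as in
# the question's error); the digest is not stated there, so both are tried.
set -eu

# Fingerprint of a PEM certificate in AA:BB:CC:... form. $1 = PEM file, $2 = sha1 | sha256
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^[^=]*=//'
}

# The lftp setting that skips CA verification for exactly this certificate.
pin_line() {
    printf 'set ssl:verify-certificate/%s no\n' "$(cert_fingerprint "$1" "$2")"
}

# True when the fingerprint copied from lftp's error ($2) belongs to the
# certificate in $1 under either digest, i.e. you are pinning what you inspected.
fingerprint_matches() {
    for d in sha1 sha256; do
        [ "$(cert_fingerprint "$1" "$d")" = "$2" ] && return 0
    done
    return 1
}

# Real use: openssl s_client -connect my.server.tld:21 -starttls ftp </dev/null | openssl x509 -out server.pem
# Here a throwaway self-signed certificate stands in for the server's (constructed test data).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=ftp.example.test' \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

work=$(mktemp -d)
make_test_cert "$work/server.pem"
pin_line "$work/server.pem" sha256   # paste into ~/.lftprc once it matches lftp's error text
```

Keep in mind what the setting does: lftp stops verifying the chain for that one certificate, so this is a pin on the current server certificate, not trust in a CA. When the server renews its certificate the fingerprint changes and the line has to be regenerated, which is also the moment to inspect the new certificate before trusting it.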

2

What worked for me step by step with lftp:

  1. get the certificate of the host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp; at the beginning of the result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
  2. copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
  3. in the lftp configuration, reference this certificate file by adding set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt" to /etc/lftp.conf (system-wide)
  4. and then do your sync or whatever with lftp; in my case it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"

1

The solution was for me to get all certificates from the command below and add them to the cert-file.

openssl s_client -connect hg-gym.de:21 -starttls ftp -showcerts

Mureinik
  • 4,152

1

I have successfully carried out a procedure for using the lftp client to upload a file to an FTP server over FTP over TLS (FTPS), with the server's SSL certificate being checked. All steps of the procedure have been tested on a Linux Mint distribution. The procedure is shown in detail below.

Download the certificate from the FTP Server

Download the certificate from the FTP server with the following command:

> openssl s_client -connect x.x.x.x:21 -starttls ftp

where the parameter x.x.x.x:21 is composed of:

  • x.x.x.x is the IP address of the FTP server;
  • 21 is the port on which the FTP server is listening for clients.

The response to the previous request contains a lot of data. We are only interested in the portion of the output between the two lines BEGIN CERTIFICATE and END CERTIFICATE:

-----BEGIN CERTIFICATE-----
...here there is the.......
...certificate downloaded..
...from the server.........
-----END CERTIFICATE-----

Copy the certificate into the .crt file

I copied all of the previous lines (the two BEGIN/END lines and all the lines between them) to the end of the file /etc/ssl/certs/ca-certificates.crt already present in my Linux distribution; to be more precise, I edited the file ca-certificates.crt with an editor started via sudo. ca-certificates.crt is a file that contains all the CA certificates of the system. The location used above is the one from Linux Mint/Ubuntu and may vary on other systems.

Change the lftp config file

I have added the line:

set ssl:check-hostname no

to the file /etc/lftp.conf (via sudo); this prevents the error:

Fatal error: Certificate verification: certificate common name doesn't match requested host name ‘<ftp-hostname>’

Example of use of lftp with the server certificate check

With the previous steps, lftp checks the SSL certificate. For example, to upload a file to the FTP server over FTP over TLS I can use the mput command as shown below:

> lftp
lftp :~> source lftps_config
lftp <username>@<ftp-ipaddress>:~> mput test.txt
64 bytes transferred
lftp <username>@<ftp-ipaddress>

where lftps_config is the following file:

set ftp:ssl-protect-data true;
set ftp:ssl-auth TLS
open ftp://<ftp-ipaddress>:<ftp-port>
user <username> <password>
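As an added example that is not from any of the answers on this page (nor from lftp or openssl), the following POSIX shell script automates what the three certificate-file procedures above do by hand: it splits the output of openssl s_client -showcerts into one file per certificate, reports whether the chain was sent in order (the "unsorted certificate chain" warning mentioned in the question), builds a separate CA file from the issuing certificates only, rehearses the verification with openssl verify, and prints the ssl:ca-file line for lftp. It assumes openssl is installed; the CN values, host names and temporary paths are placeholders, and the s_client transcript is constructed from a throwaway root and server certificate generated on the fly.

```shell
#!/bin/sh
# Added example, not code from the answers above: split "openssl s_client -showcerts"
# output into one file per certificate, report whether the chain arrived in order
# (the "unsorted certificate chain" warning from the question), and build a
# dedicated CA file for lftp's ssl:ca-file from the issuing certificates only,
# leaving /etc/ssl/certs/ca-certificates.crt untouched. Assumes openssl(1) is
# installed; host names, CNs and paths are placeholders.
set -eu

# Subject or issuer DN of a PEM certificate, with the "subject="/"issuer=" prefix removed.
dn() { v=$(openssl x509 -in "$1" -noout "-$2"); printf '%s\n' "${v#*=}"; }

# Split the PEM blocks on stdin into $1/cert-0.pem, $1/cert-1.pem, ... in order of
# arrival; banners and the " 0 s:/i:" text lines between blocks are dropped.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }'
}

# "sorted" if every certificate is directly followed by its issuer, else "unsorted".
chain_order() {
    i=1
    while [ -f "$1/cert-$i.pem" ]; do
        [ "$(dn "$1/cert-$((i-1)).pem" issuer)" = "$(dn "$1/cert-$i.pem" subject)" ] || { echo unsorted; return 0; }
        i=$((i+1))
    done
    echo sorted
}

# Concatenate into $2 every certificate that issued another one in the chain, i.e. the
# CA certificates but not the server's own (leaf) certificate, whatever order they came in.
build_ca_file() {
    : > "$2"; i=0
    while [ -f "$1/cert-$i.pem" ]; do
        subj=$(dn "$1/cert-$i.pem" subject); j=0
        while [ -f "$1/cert-$j.pem" ]; do
            if [ "$j" -ne "$i" ] && [ "$(dn "$1/cert-$j.pem" issuer)" = "$subj" ]; then
                cat "$1/cert-$i.pem" >> "$2"; break
            fi
            j=$((j+1))
        done
        i=$((i+1))
    done
}

# Rehearse with openssl what lftp will do against ssl:ca-file: does the leaf verify
# using only that file? Fails when the server sent intermediates but no root.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Constructed test data: a throwaway self-signed root, a server cert it signed, and a
# transcript shaped like "openssl s_client -showcerts" output with the root sent first.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test Root' \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=ftp.example.test' \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
    { echo 'CONNECTED(00000003)'; echo '---'; echo 'Certificate chain'
      echo ' 0 s:CN = Example Test Root'; echo '   i:CN = Example Test Root'; cat "$1/root.pem"
      echo ' 1 s:CN = ftp.example.test'; echo '   i:CN = Example Test Root'; cat "$1/server.pem"
      echo '---'; } > "$1/showcerts.txt"
}

# Real use: openssl s_client -connect my.server.tld:21 -starttls ftp -showcerts </dev/null > showcerts.txt
work=$(mktemp -d); mkdir "$work/split"
make_test_chain "$work"
split_chain "$work/split" < "$work/showcerts.txt"
echo "chain order: $(chain_order "$work/split")"
build_ca_file "$work/split" "$work/lftp-ca.pem"
verify_leaf "$work/lftp-ca.pem" "$work/server.pem" && echo "leaf verifies against $work/lftp-ca.pem"
printf 'set ssl:ca-file "%s"\n' "$work/lftp-ca.pem"   # the line for ~/.lftprc or /etc/lftp.conf
```

Two practical points. The CA file is written outside /etc/ssl/certs on purpose: on Debian-derived systems (Mint and Ubuntu included) update-ca-certificates regenerates /etc/ssl/certs/ca-certificates.crt from /usr/share/ca-certificates and /usr/local/share/ca-certificates, so a certificate appended to it by hand is gone after the next run; to add a CA system-wide, drop it as a .crt file into /usr/local/share/ca-certificates/ and run update-ca-certificates. And if the server sends only its own certificate, the CA file comes out empty, while a chain of leaf plus intermediates without the root makes openssl verify fail until the root is appended; either case is worth settling before changing lftp settings, and before reaching for set ssl:check-hostname no, which without a host closure disables the host name check for every server.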