83

I'm trying to get my Pelican blog working. It uses lftp to transfer the actual blog to one's server, but I always get an error:

mirror: Fatal error: Certificate verification:
subjectAltName does not match ‘blogname.com’

I think lftp is checking the SSL and the quick setup of Pelican just forgot to include that I don't have SSL on my FTP.


This is the code in Pelican's Makefile:

ftp_upload: $(OUTPUTDIR)/index.html
	lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

which renders in the terminal as:

lftp ftp://[email protected] -e "mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit" 

So far, I have managed to deny the SSL check by changing the Makefile to:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no" "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit" 

Due to my incorrect implementation, I get logged in correctly (lftp [email protected]:~>), but the one line feature doesn't work anymore, and I have to enter the mirror command by hand:

mirror -R /Volumes/HD/Users/me/Test/output/ /myblog_directory 

This works without an error and timeout. How can I do this with a one-liner?


In addition, I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:
cat ~/.lftp/rc 

Output:

set ssl:verify-certificate no 

However, it seems there isn't any "rc" folder in my lftp directory, so this prompt doesn't have any chance to work.

2

10 Answers

64

From the manpage:

-c commands
Execute the given commands and exit. Commands can be separated with a semicolon (;), AND (&&) or OR (||). Remember to quote the commands argument properly in the shell. This option must be used alone without other arguments.

So you want to specify the commands as a single argument, separated by semicolons:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit" 

You can actually omit the quit command and use -c instead of -e.

1
  • That's great. Thanks a ton. I had hoped that someone who's more experienced than me would spot my failure instantly ( - I also tried your -c suggestion leaving out the quit, but this didn't work for me. I'm happy anyway). Commented Jul 27, 2012 at 21:14
56

I had a similar issue, though my lftp instance does have SSL support compiled in (Fedora RPM package).

ssl:verify-certificate false did the trick for me.

3
  • 30
    Based on this, putting set ssl:verify-certificate false in my ~/.lftprc solved the problem for me. Commented Jul 23, 2015 at 7:17
  • 8
    …though that defeats the point of using SSL: your lftp now happily accepts whatever certificate it gets presented, making you vulnerable to M2M attacks. Commented Feb 8, 2017 at 16:00
  • 1
    If certificates are not validated properly, a likely cause is that lftp does not find the CA certificates of your system. See this answer for a fix. Commented May 21, 2017 at 10:26
42

No certificate check

echo "set ssl:verify-certificate no" >> ~/.lftp/rc

will solve the problem if you don’t want the certificate to be checked.

The secure solution with certificate is

What worked for me step by step with lftp:

  1. Get the certificate of the host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp. At the beginning of the result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
  2. Copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
  3. Reference this certificate file in the lftp configuration by adding, to /etc/lftp.conf for system-wide use: set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
  4. and then do your sync or whatever with lftp. In my case, it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"
6
  • 4
    This still disables verification of SSL certificates and this makes man-in-the-middle attacks possible. For a better fix, see this answer. Commented May 21, 2017 at 10:27
  • 7
    Better to just execute set ssl:verify-certificate no in the lftp shell to disable it temporarily for the current session than to disable it always. Still +1 for the solution. Commented Jul 4, 2017 at 10:12
  • 1
    @ingomueller.net I present the 2 alternatives, the first yes, the other not Commented Aug 27, 2020 at 0:34
  • 1
    Please note that if your certificate is expired, adding it to the ca-certificates has no effect. We were using a self-signed cert and it took me a moment to realize that the reason we couldn't connect was because of the expiration. Commented Nov 26, 2021 at 13:42
  • It's echo "set ssl:verify-certificate no" >> ~/.lftprc. Commented Aug 19, 2023 at 15:58
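A pre-check for steps 1 and 2 of the answer above, as an added example that is not part of the original post: it tests whether a fetched certificate names the host you connect to (the error in the question) and is not expired or about to expire (the case raised in the comments). The function names and the ftp.example.com demo certificate are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: vet a server certificate before adding it to an lftp CA file.

# fetch_cert HOST: the openssl call from step 1, reduced to the PEM block.
fetch_cert() {
    openssl s_client -connect "$1:21" -starttls ftp </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# check_cert PEM HOST [MIN_SECONDS]: prints ok, name-mismatch, expires-soon
# or unreadable; returns 0 only for ok.
check_cert() {
    pem=$1; host=$2; min=${3:-0}
    openssl x509 -in "$pem" -noout 2>/dev/null || { echo unreadable; return 2; }
    # -checkhost compares HOST with the certificate's subjectAltName/CN; its
    # exit status is not relied on here, so the printed message is parsed.
    openssl x509 -in "$pem" -noout -checkhost "$host" |
        grep -q 'does match certificate' || { echo name-mismatch; return 1; }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend "$min" >/dev/null ||
        { echo expires-soon; return 1; }
    echo ok
}

# make_demo_cert FILE: constructed self-signed certificate for
# ftp.example.com, valid for one day, so the example runs offline.
make_demo_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" -days 1 \
        -subj "/CN=ftp.example.com" \
        -addext "subjectAltName=DNS:ftp.example.com" 2>/dev/null
    rm -f "$key"
}

demo=$(mktemp) && make_demo_cert "$demo"
check_cert "$demo" ftp.example.com            # name and validity are fine
check_cert "$demo" blogname.com               # the mismatch from the question
check_cert "$demo" ftp.example.com 2592000    # fewer than 30 days left
rm -f "$demo"
```

Against a real server, run fetch_cert HOST > server.pem and then check_cert server.pem HOST before touching the CA file. A certificate fetched this way is trusted on first use, so compare its fingerprint through a second channel where you can.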
9

ssl:verfy-certificate false didn't work for me. I was getting a timeout error when "making data connection".

I followed these instructions by adding set ftp:ssl-allow false to my ~/.lftprc file.

1
  • 4
    Did you spell it right when you ran the command? ssl:verify-certificate false Commented Oct 31, 2014 at 10:34
8

I was also facing a similar sort of SSL certificate verification error. Setting verify-certificate to 'no' worked for me.

Example:

lftp -c 'set ftps:initial-prot ""; set ftp:ssl-force true; set ftp:ssl-protect-data true; set ssl:verify-certificate no; open -u Username,Password 208.82.204.46; put uploadfilename;'
1
  • This should be the "correct" answer, IMO, as it is the only one that doesn't involve modifying the configuration file with a setting that could do more harm than good and which should be used with care in very specific situations. Thanks for taking the time sharing this, Pritam. Commented Feb 6, 2023 at 15:07
5

In addition I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:

$ cat ~/.lftp/rc
set ssl:verify-certificate no

Try using set ftp:ssl-allow no; it worked like a charm for me.

2
  • 1
    This is the most appropriate choice. The global setting is a bad choice as it is reasonable to use certificate verification when possible and by setting the global option it will never try to verify the certificate. You can use a script file lftp -f <script> and place this command before the open command. Commented May 10, 2016 at 3:30
  • set ssl:verify-certificate no is better I think because the transaction remains secured. set ftp:ssl-allow no will communicate plaintext Commented Aug 8, 2017 at 11:39
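The settings traded back and forth in this thread differ in what they give up and in whether they apply to one host or to every connection. The audit below is an added example, not code from any of the posts: it scans rc files, Makefiles or deploy scripts for those settings and reports scope and risk. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: report lftp settings that switch off TLS protections.
# Usage: audit_lftp FILE...   (rc files, Makefiles, deploy scripts)
# Prints one line per finding; returns 1 if anything was found.
audit_lftp() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    {
        n = split($0, cmd, ";")              # one-liners hold several commands
        for (i = 1; i <= n; i++) {
            if (!match(cmd[i], /set[ \t]+(ssl:verify-certificate|ssl:check-hostname|ftp:ssl-allow)[^ \t]*[ \t]+[A-Za-z0-9]+/))
                continue
            split(substr(cmd[i], RSTART, RLENGTH), f, /[ \t]+/)
            # "no" and "false" are the spellings on the page; "off" and "0"
            # are assumed to be accepted by lftp as well.
            if (tolower(f[3]) !~ /^(no|false|off|0)$/) continue
            slash = index(f[2], "/")
            name  = slash ? substr(f[2], 1, slash - 1) : f[2]
            scope = slash ? ("host " substr(f[2], slash + 1)) : "ALL hosts"
            if (name == "ftp:ssl-allow")
                risk = "PLAINTEXT: login and data are sent unencrypted"
            else if (name == "ssl:check-hostname")
                risk = "NO-HOSTCHECK: a certificate for any name is accepted"
            else
                risk = "NO-VERIFY: any certificate is accepted"
            printf "%s:%d: %s (%s, %s)\n", FILENAME, FNR, risk, name, scope
            found = 1
        }
    }
    END { exit found + 0 }' "$@"
}

# Constructed sample input mixing the settings quoted in this thread.
make_sample() {
    cat <<'EOF'
# constructed ~/.lftprc and Makefile lines
set ssl:verify-certificate no
set ssl:verify-certificate/ftp.myblog.com no
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp ftp://user@host -e "set ftp:ssl-allow no; mirror -R out /dir ; quit"
set ssl:check-hostname false;
set ssl:verify-certificate yes
EOF
}

sample=$(mktemp) && make_sample > "$sample"
audit_lftp "$sample" || echo "insecure lftp settings found"
rm -f "$sample"
```

Run it as audit_lftp ~/.lftprc ~/.lftp/rc /etc/lftp.conf Makefile; a non-zero exit status makes it usable as a pre-deploy check.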
3

I have read the man pages and found a solution. Create file

~/.lftp/rc 

And add the following line there:

set ssl:check-hostname false; 
1

Solved using this:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ssl:verify-certificate no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit" 

example:

lftp ftp://[email protected] -e "set ssl:verify-certificate no; mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit" 
1

You need the lftp command: set ftp:ssl-allow no;

You could execute the command just after selecting:

lftp www.yourdomain.com -u username,password -e "set ftp:ssl-allow no;" 

Or save the command into ~/.lftprc.

1
  • This only definitively disables TLS negotiation; you will connect in raw mode without any encryption. Of course, this will be done if the user on the host allows unencrypted connections. Commented Sep 16, 2022 at 8:07
0
lftp -u username,password host -e "set ftp:ssl-allow no" 

fixed the issue for me
