I’m trying to get my Pelican blog working. It uses lftp to transfer the actual blog to ones server, but I always get an error:
mirror: Fatal error: Certificate verification: subjectAltName does not match ‘blogname.com’
I think lftp is checking the SSL and the quick setup of Pelican just forgot to include that I don’t have SSL on my FTP.
This is the code in Pelican’s Makefile:
ftp_upload: $(OUTPUTDIR)/index.html
lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"
which renders in terminal as:
lftp ftp://username@blogname.com -e "mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit"
What I managed so far is, denying the SSL check by changing the Makefile to:
lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no" "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"
Due to my incorrect implementation I get logged in correctly (lftp username@myblog.com:~>
) but the one line feature doesn’t work anymore and I have to enter the mirror command by hand:
mirror -R /Volumes/HD/Users/me/Test/output/ /myblog_directory
This works without an error and timeout. The question is how to do this with a one liner.
In addition I tried:
set ssl:verify-certificate/ftp.myblog.com no
-
This trick to disable certificate verification in lftp:
$ cat ~/.lftp/rc
set ssl:verify-certificate no
However, it seems there is no «rc» folder in my lftp directory — so this prompt has no chance to work.
It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates (producing Fatal error: Certificate verification: Not trusted
).
The web (and answers in this post) is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is unsecure as it allows man-in-the-middle attacks to pass unnoticed.
The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf
(or alternatively ~/.lftp/rc
, or ~/.config/lftp/rc
):
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
ca-certificates.crt
is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates
:
sudo update-ca-certificates
If your system does not have this command, you can create one manually like this:
cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null
After accessing your ftp site of your hosting provider you get the following error: Fatal error: Certificate verification: Not trusted you can fix it by running the following command in the current section.
set ssl:verify-certificate no
If you want to make the change permanently for your user, edit .lftp/rc file and add the following line:
set ssl:verify-certificate no
If you want to make it permanent for all users edit the file /etc/lftp.conf and add the following line:
set ssl:verify-certificate no
Note:
I add this part due to a rude comment, I appreciate and respect all comments, but I must clarify:
1. I wrote this article before Let’s Encrypt was created and some sites and service providers used self-signed certificates (it is possible that today there are some), as a way to create certain security while exchange information.
2. At the time of writing this article, I needed to access an ftp server of a business partner of the company for which I work and could only access via ftps but the server certificate was self-signed and could not change that since I had not control over the server; on the other hand I shouldn’t tell to a business partner: hey I can’t access your ftp server because you’re doing in a wrong way, please fix it and then let me know, business relationships don’t work in that way.
3. From the security point of view, the risk is that you are relying on a self-signed certificate and if the source is not trusted then it can trick you to obtain sensitive information, but that does not mean that the data travels in a clear format, This is the same thing that happens when you visit a site with a self-signed certificate (for example some site of your Intranet) and the browser “tells you”: Hey you are accessing a site with a certificate that I do not know (I can’t verify it because I do not have it within my root certificates), do you want to continue? As the source is trusted, you continue without it leading to security risks, however, whenever possible you should avoid self-signed certificates and not rely on unknown/unstrusted sources.
Further readings
– man lftp
LFTP is a great FTP program that I use quite regularly. I recently had a problem connecting to a server (that I didnt control) and getting the following error due to the cert being self signed:
LFTP is a great FTP program that I use quite regularly. I recently had a problem connecting to a server (that I didnt control) and getting the following error due to the cert being self signed:
mirror: Fatal error: Certificate verification: Not trusted (E3:14:86:7A:6F:2D:09:9A:40:E8:0F:E0:CF:3F:DE:2C:11:1E:9F)
There are a couple of ways to handle this (outside asking the server owner to use letsencrypt :D).
The most limited option and probably the best to minimise the security implications is to create an exemption for the specific domain and only for one user that lftp is being run under. This acomplished by editing/creating a file ~/.lftprc
and adding the following line edited for the domain you’d like:
# Either a wildcard like this
set ssl:verify-certificate/*.m00nie.com no
# Or a specific domain like this
set ssl:verify-certificate/ftp.m00nie.com no
You can add the same enteries as above into /etc/lftp.conf
to disable caritifcate validation for all users on your server. You can also disable certificate validation completely for all certs with the line below but this isnt really advisable or what you want
# disabled all certificate validation - You probably do not want to do this!
set ssl:verify-certificate no
m00nie
Сегодня столкнулся с таким сообщением при обычной работе с lftp:
ls: Fatal error: Certificate verification: Not trusted
Устраняется она на скорую руку так:
запускаем консоль lftp:
lftp
Отключаем верификацию сертификатов:
set ssl:verify-certificate no
Подключаемся к серверу:
open [email protected]_address
Для того, что бы закрепить пройденый материал и больше к нему не возвращаться — создайте папку ~/.lftp/
mkdir ~/.lftp/
В папке создайте файл:
nano ~/.lftp/rc
Содержимое файла:
set ssl:verify-certificate no
Источник http://www.tech-notes.net/lftp-certificate-verification-error/
Запись опубликована в рубрике *Unix,*Linux. Добавьте в закладки постоянную ссылку.
After accessing your ftp site of your hosting provider you get the following error: Fatal error: Certificate verification: Not trusted you can fix it by running the following command in the current section.
set ssl:verify-certificate no
If you want to make the change permanently for your user, edit .lftp/rc file and add the following line:
set ssl:verify-certificate no
If you want to make it permanent for all users edit the file /etc/lftp.conf and add the following line:
set ssl:verify-certificate no
Note:
I add this part due to a rude comment, I appreciate and respect all comments, but I must clarify:
1. I wrote this article before Let’s Encrypt was created and some sites and service providers used self-signed certificates (it is possible that today there are some), as a way to create certain security while exchange information.
2. At the time of writing this article, I needed to access an ftp server of a business partner of the company for which I work and could only access via ftps but the server certificate was self-signed and could not change that since I had not control over the server; on the other hand I shouldn’t tell to a business partner: hey I can’t access your ftp server because you’re doing in a wrong way, please fix it and then let me know, business relationships don’t work in that way.
3. From the security point of view, the risk is that you are relying on a self-signed certificate and if the source is not trusted then it can trick you to obtain sensitive information, but that does not mean that the data travels in a clear format, This is the same thing that happens when you visit a site with a self-signed certificate (for example some site of your Intranet) and the browser “tells you”: Hey you are accessing a site with a certificate that I do not know (I can’t verify it because I do not have it within my root certificates), do you want to continue? As the source is trusted, you continue without it leading to security risks, however, whenever possible you should avoid self-signed certificates and not rely on unknown/unstrusted sources.
Further readings
– man lftp
How can I save a certificate for use with lftp?
The certificate in question is not accepted by lftp when downloaded from the server. I tried
openssl s_client -connect {HOSTNAME}:21 -showcerts
from How to save a remote server SSL certificate locally as a file but this returns
CONNECTED(00000003)
3074045628:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
no peer certificate available
I am connecting with
lftp -p 21 -u {USER} {HOSTNAME}
and receive
ls: Fatal error: Certificate verification: Not trusted
asked Oct 26, 2013 at 6:57
I think the problem here is that the FTP server uses plain FTP but supports explicit SSL/TLS. So to follow the protocol, the client must connect to the FTP server and invoke encryption through the AUTH command. (AUTH command is sent in plain text)
So to answer your question, I don’t think it is possible to show the certificate. Unless you can somehow send the AUTH command to the FTP server.
Edit: To display certs do the following:
openssl s_client -connect x.x.x.x:21 -starttls ftp
answered May 28, 2014 at 18:28
marcwhomarcwho
2853 silver badges7 bronze badges
1
It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates. Maybe this is the underlying cause for your problem.
The web is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is unsecure as it allows man-in-the-middle attacks to pass unnoticed.
The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf
(or alternatively ~/.lftp/rc
):
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
ca-certificates.crt
is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates
:
sudo update-ca-certificates
If your system does not have this command, you can create one manually like this:
cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null
answered May 21, 2017 at 10:19
Warning: other answers here destroy connection security
All those answers that invite to disable certificate verification definitely weaken security as they make the connection vulnerable to man-in-the-middle attacks.
Answer that preserve security here
This question trust server certificate with lftp mentions this comment FTP SSL/TLS certificate handling #214 on lftp github site which looks much better.
Short version
set ssl:verify-certificate/FI:NG:ER:PR:IN:T:HE:RE no
Full, tested, working, version
For interactive sessions
Password will be asked interactively:
lftp -e "set ssl:verify-certificate/4E:6F:74:20:72:65:61:6C:20:66:69:6E:67:65:72:70:72:69:6E:74 no ; open user@machine.domaine.name"
For unattended sessions
- put password in a
~/.netrc
file - notice that syntax is
open myspecificuser@machine.domaine.name
inside commands, and notlftp myspecificuser@machine.domaine.name
-c
instead of-e
will execute full command then exit lftp, alternatively add; quit
.
lftp -c "set ssl:verify-certificate/4E:6F:74:20:72:65:61:6C:20:66:69:6E:67:65:72:70:72:69:6E:74 no ; open myspecificuser@machine.domaine.name ; cd /some/path/on/server ; mirror "
Content of ~/.netrc
:
machine machine.domaine.name login myspecificuser password my-specific-password-not-this-one-of-course
answered May 2, 2020 at 6:12
1
Are you sure that this endpoint is correctly secured using SSL? From the error message you show it seems like the server doesn’t provide ssl? Also the port 21 is mostly used for plainftp not FTPs or SFTP.
This is what I get when I run the command against a plain FTP server
openssl s_client -connect xxx.yyy.zzz.www:21 -showcerts
CONNECTED(00000003)
140165093090976:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
The lftp error can be due to a misconfiguration of lftp where you require ssl. You can try the following:
set ftp:ssl-force false
Anyway you can also try a connection using
set ssl:verify-certificate no
Although this is only acceptable for testing and with test accounts (in order not to leak credentials)
answered Dec 18, 2013 at 10:00
In my case the problem was caused by the server only supporting depreciating versions of TLS that are not supported by modern distributions.
Test if you can connect with openssl:
$ openssl s_client -starttls ftp -connect <hostname>:21
CONNECTED(00000003)
140140192228416:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1940:
---
<remaining text snipped>
This error is explained here: https://stackoverflow.com/a/53065682/1878199, tl;dr; debian now requires at least TLS 1.2.
You can check what your server supports by using nmap:
$ nmap --script ssl-enum-ciphers -p 21 <hostname>
PORT STATE SERVICE
21/tcp open ftp
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
(See also https://security.stackexchange.com/a/70737)
So my server only accepts TLSv1.0. The correct solution would be to update the server, of course!
Possible solutions on client side:
- Use SSL
$ lftp -e "set ftp:ssl-auth SSL" <hostname>
- Disable SSL for this connection
lftp -e "set ftp:ssl-allow no" <hostname>
- You can also try to enable obsoleted protocols on your client by editing
/etc/ssl/openssl.cnf
as described in the first link above. Not recommended.
answered Apr 26, 2019 at 5:34
Loading