Фатальная ошибка certificate verification not trusted

I’m trying to get my Pelican blog working. It uses lftp to transfer the actual blog to ones server, but I always get an error:

mirror: Fatal error: Certificate verification: subjectAltName does not match ‘blogname.com’

I think lftp is checking the SSL and the quick setup of Pelican just forgot to include that I don’t have SSL on my FTP.


This is the code in Pelican’s Makefile:

ftp_upload: $(OUTPUTDIR)/index.html
lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

which renders in terminal as:

    lftp ftp://username@blogname.com -e "mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit"

What I managed so far is, denying the SSL check by changing the Makefile to:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no" "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

Due to my incorrect implementation I get logged in correctly (lftp username@myblog.com:~>) but the one line feature doesn’t work anymore and I have to enter the mirror command by hand:

mirror -R /Volumes/HD/Users/me/Test/output/ /myblog_directory

This works without an error and timeout. The question is how to do this with a one liner.


In addition I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:

    $ cat ~/.lftp/rc
    set ssl:verify-certificate no

However, it seems there is no «rc» folder in my lftp directory — so this prompt has no chance to work.

It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates (producing Fatal error: Certificate verification: Not trusted).

The web (and answers in this post) is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is unsecure as it allows man-in-the-middle attacks to pass unnoticed.

The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf (or alternatively ~/.lftp/rc, or ~/.config/lftp/rc):

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

ca-certificates.crt is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates:

sudo update-ca-certificates

If your system does not have this command, you can create one manually like this:

cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null

lftp: ftp clientAfter accessing your ftp site of your hosting provider you get the following error: Fatal error: Certificate verification: Not trusted you can fix it by running the following command in the current section.

set ssl:verify-certificate no

If you want to make the change permanently for your user, edit .lftp/rc file and add the following line:

set ssl:verify-certificate no

If you want to make it permanent for all users edit the file /etc/lftp.conf and add the following line:

set ssl:verify-certificate no
Note:

I add this part due to a rude comment, I appreciate and respect all comments, but I must clarify:

1. I wrote this article before Let’s Encrypt was created and some sites and service providers used self-signed certificates (it is possible that today there are some), as a way to create certain security while exchange information.

2. At the time of writing this article, I needed to access an ftp server of a business partner of the company for which I work and could only access via ftps but the server certificate was self-signed and could not change that since I had not control over the server; on the other hand I shouldn’t tell to a business partner: hey I can’t access your ftp server because you’re doing in a wrong way, please fix it and then let me know, business relationships don’t work in that way.

3. From the security point of view, the risk is that you are relying on a self-signed certificate and if the source is not trusted then it can trick you to obtain sensitive information, but that does not mean that the data travels in a clear format, This is the same thing that happens when you visit a site with a self-signed certificate (for example some site of your Intranet) and the browser “tells you”: Hey you are accessing a site with a certificate that I do not know (I can’t verify it because I do not have it within my root certificates), do you want to continue? As the source is trusted, you continue without it leading to security risks, however, whenever possible you should avoid self-signed certificates and not rely on unknown/unstrusted sources.

Further readings

– man lftp

LFTP is a great FTP program that I use quite regularly. I recently had a problem connecting to a server (that I didnt control) and getting the following error due to the cert being self signed:

Specifically disable certificate verification in lftp

LFTP is a great FTP program that I use quite regularly. I recently had a problem connecting to a server (that I didnt control) and getting the following error due to the cert being self signed:

mirror: Fatal error: Certificate verification: Not trusted (E3:14:86:7A:6F:2D:09:9A:40:E8:0F:E0:CF:3F:DE:2C:11:1E:9F)

There are a couple of ways to handle this (outside asking the server owner to use letsencrypt :D).

The most limited option and probably the best to minimise the security implications is to create an exemption for the specific domain and only for one user that lftp is being run under. This acomplished by editing/creating a file ~/.lftprc and adding the following line edited for the domain you’d like:

# Either a wildcard like this
set ssl:verify-certificate/*.m00nie.com no
# Or a specific domain like this
set ssl:verify-certificate/ftp.m00nie.com no

You can add the same enteries as above into /etc/lftp.conf to disable caritifcate validation for all users on your server. You can also disable certificate validation completely for all certs with the line below but this isnt really advisable or what you want

# disabled all certificate validation - You probably do not want to do this!
set ssl:verify-certificate no

m00nie

Сегодня столкнулся с таким сообщением при обычной работе с lftp:

ls: Fatal error: Certificate verification: Not trusted

Устраняется она на скорую руку так:
запускаем консоль lftp:

lftp

Отключаем верификацию сертификатов:

set ssl:verify-certificate no

Подключаемся к серверу:

open [email protected]_address

Для того, что бы закрепить пройденый материал и больше к нему не возвращаться — создайте папку ~/.lftp/

mkdir ~/.lftp/

В папке создайте файл:

nano ~/.lftp/rc

Содержимое файла:

set ssl:verify-certificate no

Источник http://www.tech-notes.net/lftp-certificate-verification-error/

Запись опубликована в рубрике *Unix,*Linux. Добавьте в закладки постоянную ссылку.

Español English

lftp: ftp clientAfter accessing your ftp site of your hosting provider you get the following error: Fatal error: Certificate verification: Not trusted you can fix it by running the following command in the current section.

set ssl:verify-certificate no

If you want to make the change permanently for your user, edit .lftp/rc file and add the following line:

set ssl:verify-certificate no

If you want to make it permanent for all users edit the file /etc/lftp.conf and add the following line:

set ssl:verify-certificate no
Note:

I add this part due to a rude comment, I appreciate and respect all comments, but I must clarify:

1. I wrote this article before Let’s Encrypt was created and some sites and service providers used self-signed certificates (it is possible that today there are some), as a way to create certain security while exchange information.

2. At the time of writing this article, I needed to access an ftp server of a business partner of the company for which I work and could only access via ftps but the server certificate was self-signed and could not change that since I had not control over the server; on the other hand I shouldn’t tell to a business partner: hey I can’t access your ftp server because you’re doing in a wrong way, please fix it and then let me know, business relationships don’t work in that way.

3. From the security point of view, the risk is that you are relying on a self-signed certificate and if the source is not trusted then it can trick you to obtain sensitive information, but that does not mean that the data travels in a clear format, This is the same thing that happens when you visit a site with a self-signed certificate (for example some site of your Intranet) and the browser “tells you”: Hey you are accessing a site with a certificate that I do not know (I can’t verify it because I do not have it within my root certificates), do you want to continue? As the source is trusted, you continue without it leading to security risks, however, whenever possible you should avoid self-signed certificates and not rely on unknown/unstrusted sources.

Further readings

– man lftp

How can I save a certificate for use with lftp?

The certificate in question is not accepted by lftp when downloaded from the server. I tried

openssl s_client -connect {HOSTNAME}:21 -showcerts

from How to save a remote server SSL certificate locally as a file but this returns

CONNECTED(00000003)
3074045628:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:

no peer certificate available

I am connecting with

lftp -p 21 -u {USER} {HOSTNAME}

and receive

ls: Fatal error: Certificate verification: Not trusted

Community's user avatar

asked Oct 26, 2013 at 6:57

Greg C's user avatar

I think the problem here is that the FTP server uses plain FTP but supports explicit SSL/TLS. So to follow the protocol, the client must connect to the FTP server and invoke encryption through the AUTH command. (AUTH command is sent in plain text)

So to answer your question, I don’t think it is possible to show the certificate. Unless you can somehow send the AUTH command to the FTP server.

Edit: To display certs do the following:

openssl s_client -connect x.x.x.x:21 -starttls ftp

answered May 28, 2014 at 18:28

marcwho's user avatar

marcwhomarcwho

2853 silver badges7 bronze badges

1

It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates. Maybe this is the underlying cause for your problem.

The web is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is unsecure as it allows man-in-the-middle attacks to pass unnoticed.

The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf (or alternatively ~/.lftp/rc):

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

ca-certificates.crt is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates:

sudo update-ca-certificates

If your system does not have this command, you can create one manually like this:

cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null

answered May 21, 2017 at 10:19

ingomueller.net's user avatar

Warning: other answers here destroy connection security

All those answers that invite to disable certificate verification definitely weaken security as they make the connection vulnerable to man-in-the-middle attacks.

Answer that preserve security here

This question trust server certificate with lftp mentions this comment FTP SSL/TLS certificate handling #214 on lftp github site which looks much better.

Short version

set ssl:verify-certificate/FI:NG:ER:PR:IN:T:HE:RE no

Full, tested, working, version

For interactive sessions

Password will be asked interactively:

lftp -e "set ssl:verify-certificate/4E:6F:74:20:72:65:61:6C:20:66:69:6E:67:65:72:70:72:69:6E:74 no ; open user@machine.domaine.name"

For unattended sessions

  • put password in a ~/.netrc file
  • notice that syntax is open myspecificuser@machine.domaine.name inside commands, and not lftp myspecificuser@machine.domaine.name
  • -c instead of -e will execute full command then exit lftp, alternatively add ; quit.

lftp -c "set ssl:verify-certificate/4E:6F:74:20:72:65:61:6C:20:66:69:6E:67:65:72:70:72:69:6E:74 no ; open myspecificuser@machine.domaine.name ; cd /some/path/on/server ; mirror "

Content of ~/.netrc:

machine machine.domaine.name login myspecificuser password my-specific-password-not-this-one-of-course

answered May 2, 2020 at 6:12

Stéphane Gourichon's user avatar

1

Are you sure that this endpoint is correctly secured using SSL? From the error message you show it seems like the server doesn’t provide ssl? Also the port 21 is mostly used for plainftp not FTPs or SFTP.

This is what I get when I run the command against a plain FTP server

openssl s_client -connect xxx.yyy.zzz.www:21 -showcerts
CONNECTED(00000003)
140165093090976:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The lftp error can be due to a misconfiguration of lftp where you require ssl. You can try the following:

set ftp:ssl-force false

Anyway you can also try a connection using

set ssl:verify-certificate no

Although this is only acceptable for testing and with test accounts (in order not to leak credentials)

answered Dec 18, 2013 at 10:00

user35800's user avatar

In my case the problem was caused by the server only supporting depreciating versions of TLS that are not supported by modern distributions.

Test if you can connect with openssl:

$ openssl s_client  -starttls ftp -connect <hostname>:21

CONNECTED(00000003)
140140192228416:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1940:
---
<remaining text snipped>

This error is explained here: https://stackoverflow.com/a/53065682/1878199, tl;dr; debian now requires at least TLS 1.2.

You can check what your server supports by using nmap:

$ nmap --script ssl-enum-ciphers -p 21 <hostname>

PORT   STATE SERVICE
21/tcp open  ftp
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

(See also https://security.stackexchange.com/a/70737)

So my server only accepts TLSv1.0. The correct solution would be to update the server, of course!

Possible solutions on client side:

  1. Use SSL $ lftp -e "set ftp:ssl-auth SSL" <hostname>
  2. Disable SSL for this connection lftp -e "set ftp:ssl-allow no" <hostname>
  3. You can also try to enable obsoleted protocols on your client by editing /etc/ssl/openssl.cnf as described in the first link above. Not recommended.

answered Apr 26, 2019 at 5:34

ootwch's user avatar

Sys-Admin Forum

Loading

  • Фар край 6 ошибка d3d12 dll
  • Фатальная ошибка autocad 2013
  • Фар край 5 фикс ошибки 000001
  • Фатальная ошибка 5 при подключении к rdp
  • Фар край 5 ошибка запуска unrecognized game client