When connecting to a server with lftp, I have the following issue:
Certificate verification: Not trusted: no issuer was found (AA:AA:AA:[...]:AA:AA)
Which indicates at least that the cert verification failed. I would like to whitelist that certificate.
Obviously, disabling certificate verification is not an option due to security concerns.
Here is what I already tried:
- Following that guide to retrieve certs from the server, and use them with `set ssl:ca-file`. Following that guide, I have three certs. I tried them all, then concatenated together, which didn't change a thing. Also tried with `ssl:cert-file`.
- using the same method as above with `openssl s_client -connect my.server.tld:21 -starttls ftp`, which yields only one certificate
- setting `ssl:ca-file` to the system's ca store
- using gnutls-cli works fine with the -s option, so do the above `openssl s_client` commands.
The certificate seems to be signed by a valid chain of trust, as far as those commands report.
Filezilla works fine, but displays the following warning, which might be related:
Server sent unsorted certificate chain in violation of the TLS specifications
I have no control over the server as I do not host it myself, but the greeter identifies itself as Pure-FTPd.
Other clients that didn't work (lack of support for ftps, or for the specific server): ftp, ncftp, dolphin (KIO), curlftpfs, tnftp, firefox
Best Answer
The only solution a year later is still to turn off ssl:verify-certificate for specific certificate fingerprints.
See lftp closed issue 214 -- https://github.com/lavv17/lftp/issues/214#issuecomment-197237482
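
The fingerprint-scoped setting the answer describes, as an added example that is not part of the original answer or of lftp itself: it parses the fingerprint out of the error line and emits a `set ssl:verify-certificate/<fingerprint> no` line using lftp's closure syntax, refusing truncated input. The function names are hypothetical, the sample line is constructed, and the 20-byte (SHA-1) fingerprint length is an assumption.

```shell
# Added example (hypothetical helper names): build a fingerprint-scoped
# lftp setting from the certificate error instead of disabling
# verification globally.

# Assumption: lftp prints a SHA-1 fingerprint (20 colon-separated hex bytes).
FP_BYTES=20

# Print the fingerprint found in the last "(...)" of an lftp error line.
# Fails on a missing, truncated or non-hex fingerprint.
extract_fingerprint() {
    local line="$1" fp re
    fp=${line##*\(}                  # text after the last "("
    [ "$fp" != "$line" ] || return 1 # no "(" at all
    fp=${fp%%\)*}                    # drop ")" and anything after it
    re="^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){$((FP_BYTES - 1))}\$"
    printf '%s\n' "$fp" | grep -Eq "$re" || return 1
    printf '%s\n' "$fp"
}

# Print the lftp command that skips verification for that certificate only.
pin_setting() {
    local fp
    if ! fp=$(extract_fingerprint "$1"); then
        echo "no complete fingerprint in: $1" >&2
        return 1
    fi
    printf 'set ssl:verify-certificate/%s no\n' "$fp"
}

# Constructed sample error line; the fingerprint is made up.
SAMPLE='Certificate verification: Not trusted: no issuer was found (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67)'

# Append the output to ~/.lftprc (or paste it into an lftp session).
pin_setting "$SAMPLE"
```

The emitted line exempts only the certificate with that exact fingerprint, so confirm the fingerprint with the server operator before adding it. A renewed certificate has a new fingerprint and will fail verification again until the line is updated.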