71

I'm trying to get my Pelican blog working. It uses lftp to transfer the actual blog to one's server, but I always get an error:

    mirror: Fatal error: Certificate verification: subjectAltName does not match ‘blogname.com’

I think lftp is checking the SSL and the quick setup of Pelican just forgot to include that I don't have SSL on my FTP.


This is the code in Pelican's Makefile:

    ftp_upload: $(OUTPUTDIR)/index.html
    	lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

which renders in terminal as:

    lftp ftp://username@blogname.com -e "mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit"

What I have managed so far is denying the SSL check by changing the Makefile to:

    lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no" "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

Due to my incorrect implementation I get logged in correctly (lftp username@myblog.com:~>) but the one line feature doesn't work anymore and I have to enter the mirror command by hand:

    mirror -R /Volumes/HD/Users/me/Test/output/ /myblog_directory

This works without an error and timeout. The question is how to do this with a one liner.


In addition I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:

    $ cat ~/.lftp/rc
    set ssl:verify-certificate no

However, it seems there is no "rc" folder in my lftp directory - so this prompt has no chance to work.

patrick

10 Answers

55

From the manpage:

-c commands
Execute the given commands and exit. Commands can be separated with a semicolon (;), AND (&&) or OR (||). Remember to quote the commands argument properly in the shell. This option must be used alone without other arguments.

So you want to specify the commands as a single argument, separated by semicolons:

    lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

You can actually omit the quit command and use -c instead of -e.

Nathan Smith
mgorven
  • That's great. Thanks a ton. I had hoped that someone who's more experienced than me would spot my failure instantly ( - I also tried your -c suggestion leaving out the quit, but this didn't work for me. I'm happy anyway). – patrick Jul 27 '12 at 21:14
51

I had a similar issue, though my lftp does have ssl support compiled in (Fedora RPM). ssl:verify-certificate false did the trick for me.

  • 22
    Based on this, putting `set ssl:verify-certificate false` in my `~/.lftprc` solved the problem for me. – Nicolas Raoul Jul 23 '15 at 07:17
  • 7
    …though that defeats the point of using SSL: your lftp now happily accepts whatever certificate it gets presented, making you vulnerable to M2M attacks. – spectras Feb 08 '17 at 16:00
  • 1
    If certificates are not validated properly, a likely cause is that lftp does not find the CA certificates of your system. See [this answer](http://stackoverflow.com/a/44095714/651937) for a fix. – ingomueller.net May 21 '17 at 10:26
33

no certificate check

    echo "set ssl:verify-certificate no" >> ~/.lftp/rc

will solve the problem if you don't want the certificate to be checked.

The secure solution with certificate is

What worked for me step by step with lftp:

  1. Get the certificate of the host with `openssl s_client -connect <ftp_hostname>:21 -starttls ftp`; at the beginning of the result I got something like `-----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----`
  2. Copy that `-----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----` into `/etc/ssl/certs/ca-certificates.crt`
  3. Reference this certificate file in the lftp configuration by adding `set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"` to `/etc/lftp.conf` (system-wide)
  4. Then do your sync or whatever with lftp; in my case it is `lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"`
Philippe Gachoud
  • 3
    This still disables verification of SSL certificates and this makes man-in-the-middle attacks possible. For a better fix, see [this answer](http://stackoverflow.com/a/44095714/651937). – ingomueller.net May 21 '17 at 10:27
  • 4
    better just execute `set ssl:verify-certificate no` in lftp shell to disable temporary for current session than disabling always. Still +1 for the solution. – akostadinov Jul 04 '17 at 10:12
  • 1
    @ingomueller.net I present the 2 alternatives, the first yes, the other not – Philippe Gachoud Aug 27 '20 at 00:34
  • Please note that if your certificate is expired, adding it to the ca-certificates has no effect. We were using a self-signed cert and it took me a moment to realize that the reason we couldn't connect was because of the expiration. – Splatbang Nov 26 '21 at 13:42
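
The checks behind the secure route in this answer and the expiry caveat in the last comment, as an added example that is not part of the original post: it reports whether a certificate is expired or does not cover the hostname (the `subjectAltName` error from the question) and prints settings that trust a dedicated certificate file instead of the system bundle. The function names and `ftp.example.test` are assumptions, and the sample certificate is constructed locally.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and ftp.example.test
# are assumptions; the sample certificate is constructed locally.

# fetch_server_cert HOST: print the certificate the FTP server presents (PEM).
fetch_server_cert() {
    openssl s_client -connect "$1:21" -starttls ftp -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# cert_diagnose PEM HOST: print unreadable, expired, hostname-mismatch or ok.
cert_diagnose() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 1          # trusting an expired cert has no effect
    fi
    if openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'; then
        echo ok; return 0
    fi
    echo hostname-mismatch; return 1    # connect with a name the cert lists
}

# lftp_pin_settings PEM: lftp settings that keep verification on, trust only
# this certificate file, and refuse to send the password without TLS.
lftp_pin_settings() {
    printf 'set ftp:ssl-force true\n'
    printf 'set ssl:verify-certificate yes\n'
    printf 'set ssl:ca-file "%s"\n' "$1"
}

# make_sample_cert DIR NAME: constructed self-signed certificate (test input).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Offline demo: the certificate names ftp.example.test, the client asks for
# blogname.com, which reproduces the mismatch from the question.
tmp=$(mktemp -d)
make_sample_cert "$tmp" ftp.example.test
cert_diagnose "$tmp/cert.pem" blogname.com
cert_diagnose "$tmp/cert.pem" ftp.example.test && lftp_pin_settings "$tmp/cert.pem"
rm -rf "$tmp"
```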
9

ssl:verify-certificate false didn't work for me, I was getting a timeout error when "making data connection".

I followed these instructions by adding set ftp:ssl-allow false to my ~/.lftprc file.

desmillicious
7

I was also facing similar sort of ssl certificate verification error. Setting verify-certificate to 'no' worked for me.

Example:

    lftp -c 'set ftps:initial-prot ""; set ftp:ssl-force true; set ftp:ssl-protect-data true; set ssl:verify-certificate no; open -u Usename,Password 208.82.204.46; put uploadfilename;'

Pritam
5

In addition I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:

    $ cat ~/.lftp/rc
    set ssl:verify-certificate no

Try using set ftp:ssl-allow no; it worked like a charm for me.

Falcon Momot
Lucas Farias
  • 1
    This is the most appropriate choice. The global setting is a bad choice as it is reasonable to use certificate verification when possible and by setting the global option it will never try to verify the certificate. You can use a script file `lftp -f – kmcguire May 10 '16 at 03:30
  • `set ssl:verify-certificate no` is better I think because the transaction remains secured. `set ftp:ssl-allow no` will communicate plaintext – michalzuber Aug 08 '17 at 11:39
3

I have read the man pages and found a solution. Create the file

    ~/.lftp/rc

and add the following line there:

    set ssl:check-hostname false;
andrey--k
1

Need the lftp command: set ftp:ssl-allow no;

You could execute the command just after selecting:

    lftp www.yourdomain.com -u username,password -e "set ftp:ssl-allow no;"

or save the command into ~/.lftprc.

Nick Tsai
  • This only definitively disables TLS negotiation; you will connect in raw mode without any encryption. Of course, this will be done if the user on the host allows unencrypted connections. – Znik Sep 16 '22 at 08:07
0

Solved using this:

    lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ssl:verify-certificate no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

example:

    lftp ftp://username@blogname.com -e "set ssl:verify-certificate no; mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit"
Swisstone
0
    lftp -u username,password host -e "set ftp:ssl-allow no"

fixed the issue for me
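
The settings suggested across the answers above differ in what they give up: `ftp:ssl-allow no` sends everything in plaintext, `ssl:verify-certificate no` accepts any certificate, and `ssl:check-hostname false` accepts a certificate issued for another host. The following added example (not code from any of the posts) audits lftp rc files or `-e`/`-c` command strings for those settings; the function names, output labels and sample input are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample input at the bottom is constructed.

# audit_lftp_settings: read lftp commands on stdin (rc-file lines or the
# string given to -e / -c) and print "<impact> <setting> <scope>" for each
# "set" that turns off a TLS protection. Full setting names only.
audit_lftp_settings() {
    tr ';' '\n' | awk '
    function is_false(v) {
        gsub(/"/, "", v); v = tolower(v)
        return v == "no" || v == "false" || v == "off" || v == "0"
    }
    {
        sub(/#.*/, "")                          # rc-file comment
        if ($1 != "set" || NF < 3 || !is_false($3)) next
        name = $2; scope = "*"                  # "*" = applies to every host
        if ((i = index($2, "/")) > 0) {         # closure: setting/hostname
            name = substr($2, 1, i - 1); scope = substr($2, i + 1)
        }
        if (name == "ftp:ssl-allow")               print "plaintext", name, scope
        else if (name == "ssl:verify-certificate") print "unverified", name, scope
        else if (name == "ssl:check-hostname")     print "no-hostname-check", name, scope
    }'
}

# audit_lftp_rc_files: run the audit over the rc locations named in the thread.
audit_lftp_rc_files() {
    for f in "$HOME/.lftprc" "$HOME/.lftp/rc" /etc/lftp.conf; do
        if [ -r "$f" ]; then
            audit_lftp_settings < "$f" | sed "s|^|$f: |"
        fi
    done
    return 0
}

# Constructed sample: the one-liner from the accepted answer plus the
# host-scoped override the question tried.
sample='set ftp:ssl-allow no; mirror -R output /myblog_directory ; quit
set ssl:verify-certificate/ftp.myblog.com no'
printf '%s\n' "$sample" | audit_lftp_settings
```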