82

I'm trying to get my Pelican blog working. It uses lftp to transfer the actual blog to one's server, but I always get an error:

mirror: Fatal error: Certificate verification:
subjectAltName does not match ‘blogname.com’

I think lftp is checking the SSL and the quick setup of Pelican just forgot to include that I don't have SSL on my FTP.


This is the code in Pelican's Makefile:

ftp_upload: $(OUTPUTDIR)/index.html
	lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

which renders in the terminal as:

lftp ftp://username@blogname.com -e "mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit"

So far, I managed to deny the SSL check by changing the Makefile to:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no" "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

Due to my incorrect implementation, I get logged in correctly (lftp username@myblog.com:~>), but the one-line feature doesn't work anymore, and I have to enter the mirror command by hand:

mirror -R /Volumes/HD/Users/me/Test/output/ /myblog_directory

This works without an error and timeout. How can I do this with a one-liner?


In addition, I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:
cat ~/.lftp/rc

Output:

set ssl:verify-certificate no

However, it seems there isn't any "rc" folder in my lftp directory, so this prompt doesn't have any chance to work.

patrick
  • 922

10 Answers

63

From the manpage:

-c commands
Execute the given commands and exit. Commands can be separated with a semicolon (;), AND (&&) or OR (||). Remember to quote the commands argument properly in the shell. This option must be used alone without other arguments.

So you want to specify the commands as a single argument, separated by semicolons:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

You can actually omit the quit command and use -c instead of -e.

mgorven
  • 31,399
56

I had a similar issue, though my lftp instance does have SSL support compiled in (Fedora RPM package).

ssl:verify-certificate false did the trick for me.

41

No certificate check

echo "set ssl:verify-certificate no" >> ~/.lftp/rc

will solve the problem if you don’t want the certificate to be checked.

The secure solution with certificate is

What worked for me step by step with lftp:

  1. Get the certificate of the host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp. At the beginning of the result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
  2. Copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
  3. Reference this certificate file in the lftp configuration by adding to /etc/lftp.conf (system-wide): set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
  4. Then do your sync or whatever with lftp. In my case, it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"

9

ssl:verify-certificate false didn't work for me. I was getting a timeout error when "making data connection".

I followed these instructions by adding set ftp:ssl-allow false to my ~/.lftprc file.

8

I was also facing a similar sort of SSL certificate verification error. Setting verify-certificate to 'no' worked for me.

Example:

lftp -c 'set ftps:initial-prot ""; set ftp:ssl-force true; set ftp:ssl-protect-data true; set ssl:verify-certificate no; open -u Username,Password 208.82.204.46; put uploadfilename;'
Pritam
  • 81
5

In addition I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:

$ cat ~/.lftp/rc
set ssl:verify-certificate no

Try using set ftp:ssl-allow no; it worked like a charm for me.

Falcon Momot
  • 25,584
Lucas Farias
  • 151
3

I have read the man pages and found a solution. Create file

~/.lftp/rc

And add the following line there:

set ssl:check-hostname false;
andrey--k
  • 31
1

Solved using this:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ssl:verify-certificate no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

example:

lftp ftp://username@blogname.com -e "set ssl:verify-certificate no; mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit"
Swisstone
  • 7,063
1

You need the lftp command: set ftp:ssl-allow no;

You could execute the command just after selecting:

lftp www.yourdomain.com -u username,password -e "set ftp:ssl-allow no;"

Or save the command into ~/.lftprc.

Nick Tsai
  • 1,358
0
lftp -u username,password host -e "set ftp:ssl-allow no" 

fixed the issue for me
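
The three settings suggested in the answers above differ in effect: ftp:ssl-allow no turns TLS off entirely, ssl:verify-certificate no accepts any certificate, and ssl:check-hostname false skips the name match that produced the original error. As an added example (not from any of the posts), this shell function scans rc files, Makefiles or scripts for those settings so they can be reviewed; the function name audit_lftp_tls and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example: flag lftp settings that weaken or disable TLS.
# Reads the named files; prints one line per finding and returns 1 if
# anything was flagged, 0 otherwise. Only full setting names are matched.
audit_lftp_tls() {
    awk '
    BEGIN {
        # lftp spellings of boolean false
        off = "(no|false|off|0|-)"
        risk["ftp:ssl-allow"] = "TLS disabled: login and data sent in cleartext"
        risk["ssl:verify-certificate"] = "any server certificate is accepted"
        risk["ssl:check-hostname"] = "a certificate for any host is accepted"
    }
    /^[ \t]*#/ { next }              # skip comment lines
    {
        line = $0 " "                # trailing space so a value at EOL is terminated
        for (name in risk) {
            # set NAME[/closure] <false>, ended by space, semicolon or quote
            re = "set[ \t]+" name "(/[^ \t;]+)?[ \t]+" off "[ \t;\"'\'']"
            if (line ~ re) {
                printf "%s:%d: %s -> %s\n", FILENAME, FNR, name, risk[name]
                found = 1
            }
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input (hostnames and paths are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
set ssl:verify-certificate/ftp.myblog.com no
lftp ftp://user@host -e "set ftp:ssl-allow no; mirror -R out /dir ; quit"
EOF
audit_lftp_tls "$sample" || echo "weak lftp TLS settings found"
rm -f "$sample"
```

Typical targets are ~/.lftprc, ~/.lftp/rc, /etc/lftp.conf and any Makefile or deploy script that calls lftp.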