lftp certificate suddenly not trusted

Solution 1:

"DST Root CA X3" expired, and lftp implemented its own broken chain verification.

If you are the server admin you could switch to the alternate chain (with self-signed ISRG Root X1), which should fix the problem with lftp - but breaks older Android clients.

Solution 2:

I have exactly the same issue. I think it could be a temporary issue with certificates/chains updates, but I can't find any evidence: a colleague of mine can log in to the same ftps instance without any errors. As a workaround you could manually add the missing certificate. The following command:

    openssl s_client -connect www.planete-sciences.org:21 -starttls ftp -showcerts

should retrieve the full certificate chain for your ftp server. Copy the ISRG Root X1 certificate (the last block enclosed by --BEGIN CERTIFICATE-- and --END CERTIFICATE--, tags included) and paste it in a new file, for example .lftp/mycert.crt. Next add the full path of your custom certificate file in the .lftp/rc file, for example:

    set ssl:ca-file "/home/paolo/.lftp/mycert.crt"

This will fix the issue. You can find other workarounds like this, which suggests disabling ssl in your conf file (not recommended) or adding the certificate system wide (however, I prefer to add a local workaround). Updating certificates as described here does not seem to work for me (maybe it is a temporary issue?). If you want to disable ssl, there's also the possibility of doing this for a particular domain, see here.

Hope this helps
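
Added example, not part of either answer above: the blocks printed by `-showcerts` are whatever the server sent, so before a copied block becomes your `ssl:ca-file` it is worth comparing its SHA-256 fingerprint with the one the CA publishes. The function names are hypothetical, `EXPECTED_FP` is a placeholder for the published fingerprint, and the sample chain is constructed (its bodies are not real certificates).

```shell
# Usage (EXPECTED_FP is a placeholder: copy it from the CA's own site over HTTPS):
#   openssl s_client -connect HOST:21 -starttls ftp -showcerts </dev/null >chain.txt
#   install_pinned_root chain.txt "$EXPECTED_FP" "$HOME/.lftp/mycert.crt"

# Print the last PEM certificate block found on stdin.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
         keep { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf; keep = 0 }
         END { printf "%s", last }'
}

# SHA-256 of the DER bytes of one PEM block on stdin, as bare lowercase hex.
# Same digest as `openssl x509 -noout -fingerprint -sha256`, without the colons.
pem_sha256() {
    grep -v -e '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a published fingerprint (colons, upper case) to bare lowercase hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# install_pinned_root CHAIN_FILE EXPECTED_FP OUT_FILE
# Writes the last certificate to OUT_FILE only when its fingerprint matches.
install_pinned_root() {
    cert=$(last_cert < "$1")
    [ -n "$cert" ] || { echo "no certificate found in $1" >&2; return 1; }
    got=$(printf '%s\n' "$cert" | pem_sha256)
    if [ "$got" != "$(norm_fp "$2")" ]; then
        echo "fingerprint mismatch, not trusting: $got" >&2
        return 1
    fi
    printf '%s\n' "$cert" > "$3"
}

# Constructed sample shaped like -showcerts output; bodies are not real certificates.
sample_chain() {
    cat <<'EOF'
 0 s:CN = ftp.example.org
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
EOF
}
```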