lftp certificate suddenly not trusted
Solution 1:
"DST Root CA X3" expired, and lftp
implemented its own broken chain verification. If you are the server admin you could switch to the alternate chain (with self-signed ISRG Root X1), which should fix the problem with lftp - but breaks older Android clients.
Solution 2:
I have exactly the same issue. I think it could be a temporary issue with certificate/chain updates, but I can't find any evidence: a colleague of mine can log in to the same FTPS instance without any errors. As a workaround you could manually add the missing certificate. The following command:
openssl s_client -connect www.planete-sciences.org:21 -starttls ftp -showcerts
should retrieve the full certificate chain for your FTP server. Copy the ISRG Root X1 certificate (the last block enclosed by --BEGIN CERTIFICATE-- and --END CERTIFICATE--, tags included) and paste it in a new file, for example .lftp/mycert.crt. Next add the full path of your custom certificate file in the .lftp/rc file, for example:
set ssl:ca-file "/home/paolo/.lftp/mycert.crt"
This will fix the issue. You can find other workarounds like this, which suggests disabling ssl in your conf file (not recommended) or adding the certificate system wide (however, I prefer to add a local workaround). Updating certificates as described here does not seem to work for me (maybe it is a temporary issue?). If you want to disable ssl, there's also the possibility of doing this for a particular domain, see here.
Hope this helps
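The copy-and-paste step from Solution 2 can be scripted. The following is an added example, not part of the original answers: it takes the last certificate block from saved `openssl s_client -showcerts` output, refuses a capture that was cut off mid-certificate, and prints the subject, issuer and SHA-256 fingerprint so they can be compared with the values the CA publishes before lftp is told to trust the file. The function names, the host `ftp.example.test` and the sample chain are assumptions made for the example.

```shell
#!/bin/sh
# Capture the chain first (host is a placeholder):
#   openssl s_client -connect ftp.example.test:21 -starttls ftp -showcerts \
#       </dev/null > chain.txt
# then: save_ca chain.txt "$HOME/.lftp/mycert.crt"

# Print the last complete PEM certificate block read from stdin.
# Exit non-zero if the input ends inside a block (truncated capture).
last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { if (inside) last = buf; inside = 0 }
        END { if (inside) exit 1; printf "%s", last }
    '
}

# Hypothetical helper: write the last block of chain file $1 to $2 and show
# what it is. A certificate taken off the wire is unauthenticated, so the
# printed subject and fingerprint must be checked out of band.
save_ca() {
    chain=$1
    dest=$2
    pem=$(last_cert < "$chain") || {
        echo "truncated certificate block in $chain" >&2; return 1; }
    [ -n "$pem" ] || { echo "no certificate found in $chain" >&2; return 1; }
    printf '%s\n' "$pem" > "$dest"
    openssl x509 -in "$dest" -noout -subject -issuer -fingerprint -sha256
}

# Constructed sample in the layout s_client prints; the certificate bodies
# are placeholders, not real base64.
sample_chain() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = ftp.example.test
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-ROOT
-----END CERTIFICATE-----
---
EOF
}
```

Once the printed fingerprint has been confirmed, point `ssl:ca-file` in `.lftp/rc` at the written file as shown in the answer.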