How to avoid lftp Certificate verification error?

I'm trying to get my Pelican blog working. It uses lftp to transfer the actual blog to ones server, but I always get an error:

mirror: Fatal error: Certificate verification: subjectAltName does not match ‘blogname.com’

I think lftp is checking the SSL and the quick setup of Pelican just forgot to include that I don't have SSL on my FTP.


This is the code in Pelican's Makefile:

ftp_upload: $(OUTPUTDIR)/index.html
lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

which renders in terminal as:

    lftp ftp://[email protected] -e "mirror -R /Volumes/HD/Users/me/Test/output /myblog_directory ; quit"

What I managed so far is, denying the SSL check by changing the Makefile to:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no" "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

Due to my incorrect implementation I get logged in correctly (lftp [email protected]:~>) but the one line feature doesn't work anymore and I have to enter the mirror command by hand:

mirror -R /Volumes/HD/Users/me/Test/output/ /myblog_directory

This works without an error and timeout. The question is how to do this with a one liner.


In addition I tried:

  • set ssl:verify-certificate/ftp.myblog.com no
  • This trick to disable certificate verification in lftp:

    $ cat ~/.lftp/rc set ssl:verify-certificate no

However, it seems there is no "rc" folder in my lftp directory - so this prompt has no chance to work.


From the manpage:

-c commands
Execute the given commands and exit. Commands can be separated with a semicolon (;), AND (&&) or OR (||). Remember to quote the commands argument properly in the shell. This option must be used alone without other arguments.

So you want to specify the commands as a single argument, separated by semicolons:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

You can actually omit the quit command and use -c instead of -e.


I had a similar issue, though my lftp does have ssl support compiled in (Fedora RPM). ssl:verify-certificate false did the trick for me.


no certificate check

echo "set ssl:verify-certificate no" >> ~/.lftp/rc

will solve the problem if you dont want the certificate to be checked

The secure solution with certificate is

What worked for me step by step with lftp:

  1. get certificate of host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp, at the begining of result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
  2. copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
  3. Into lftp configuration reference this certificate file adding to /etc/lftp.conf for systemwide set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
  4. and then do your sync or whatever with lftp, on my case it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"

ssl:verfy-certificate false didn't work for me, I was getting a timeout error when "making data connection".

I followed these instruction by adding set ftp:ssl-allow false to my ~/.lftprc file.