Save certificate to use with lftp

How can I save a certificate for use with lftp?

The certificate in question is not accepted by lftp when downloaded from the server. I tried

openssl s_client -connect {HOSTNAME}:21 -showcerts

from "How to save a remote server SSL certificate locally as a file", but this returns

CONNECTED(00000003) 3074045628:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:

no peer certificate available

I am connecting with

lftp -p 21 -u {USER} {HOSTNAME}

and receive

ls: Fatal error: Certificate verification: Not trusted


I think the problem here is that the FTP server uses plain FTP but supports explicit SSL/TLS. So to follow the protocol, the client must connect to the FTP server and invoke encryption through the AUTH command (the AUTH command is sent in plain text).

So to answer your question, I don't think it is possible to show the certificate, unless you can somehow send the AUTH command to the FTP server.

Edit: To display certs do the following:

openssl s_client -connect x.x.x.x:21 -starttls ftp


It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates. Maybe this is the underlying cause for your problem.

The web is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is insecure, as it allows man-in-the-middle attacks to pass unnoticed.

The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf (or alternatively ~/.lftp/rc):

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

ca-certificates.crt is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates:

sudo update-ca-certificates

If your system does not have this command, you can create one manually like this:

cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null

Warning: other answers here destroy connection security

All those answers that suggest disabling certificate verification definitely weaken security, as they make the connection vulnerable to man-in-the-middle attacks.

Answer that preserves security here

This question, "trust server certificate with lftp", mentions this comment, "FTP SSL/TLS certificate handling #214", on the lftp GitHub site, which looks much better.

Short version

set ssl:verify-certificate/FI:NG:ER:PR:IN:T:HE:RE no

Full, tested, working version

For interactive sessions

Password will be asked interactively:

lftp -e "set ssl:verify-certificate/4E:6F:74:20:72:65:61:6C:20:66:69:6E:67:65:72:70:72:69:6E:74 no ; open [email protected]"

For unattended sessions

  • put password in a ~/.netrc file
  • notice that syntax is open [email protected] inside commands, and not lftp [email protected]
  • -c instead of -e will execute the full command and then exit lftp; alternatively, add ; quit.

lftp -c "set ssl:verify-certificate/4E:6F:74:20:72:65:61:6C:20:66:69:6E:67:65:72:70:72:69:6E:74 no ; open [email protected] ; cd /some/path/on/server ; mirror "

Content of ~/.netrc:

machine machine.domaine.name login myspecificuser password my-specific-password-not-this-one-of-course
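The two pieces above (the AUTH-based fetch from the first answer's edit and the per-fingerprint pin from this one) as an added, stand-alone example, not code from the page or from lftp: it opens a plain FTP control connection, sends AUTH TLS through ftplib, takes the server's leaf certificate and renders the rc line. The colon-separated uppercase SHA-1 layout is assumed from the answer's sample fingerprint; the host name is a placeholder, and the fingerprint should be confirmed out of band before it is pinned.

```python
import hashlib
import ssl
from ftplib import FTP_TLS

# Assumed lftp closure format: uppercase SHA-1 hex pairs joined by ':',
# matching the answer's example "4E:6F:74:...". Check lftp's docs for your version.
def fingerprint_sha1(der_cert: bytes) -> str:
    """Colon-separated uppercase SHA-1 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def lftp_pin_line(der_cert: bytes) -> str:
    """The ~/.lftp/rc line that skips verification only for this exact certificate."""
    return f"set ssl:verify-certificate/{fingerprint_sha1(der_cert)} no"


def fetch_ftp_tls_cert(host: str, port: int = 21, timeout: float = 10.0) -> bytes:
    """Connect over plain FTP, send AUTH TLS (explicit FTPS) and return the leaf cert (DER).

    Verification is off for this one bootstrap fetch only (as with openssl s_client),
    so the resulting fingerprint must be confirmed with the server operator before use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftps.connect(host, port)
        ftps.auth()                     # sends AUTH TLS, wraps the control connection
        return ftps.sock.getpeercert(binary_form=True)
    finally:
        ftps.close()


if __name__ == "__main__":
    import sys
    # Placeholder host: pass the real FTP server as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"
    print(lftp_pin_line(fetch_ftp_tls_cert(host)))
```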


Are you sure that this endpoint is correctly secured using SSL? From the error message you show, it seems like the server doesn't provide SSL. Also, port 21 is mostly used for plain FTP, not FTPS or SFTP.

This is what I get when I run the command against a plain FTP server

openssl s_client -connect xxx.yyy.zzz.www:21 -showcerts
CONNECTED(00000003)
140165093090976:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The lftp error can be due to a misconfiguration of lftp where you require SSL. You can try the following:

set ftp:ssl-force false

Anyway you can also try a connection using

set ssl:verify-certificate no

This is only acceptable for testing and with test accounts (in order not to leak credentials).