Score:1

lftp certificate suddenly not trusted

cn flag

Since one week ago, lftp does not validate one of the root certificates on my system:

    Certificate: CN=www.planete-sciences.org
     Issued by:        C=US,O=Let's Encrypt,CN=R3
     Checking against: C=US,O=Let's Encrypt,CN=R3
      Trusted
    Certificate: C=US,O=Let's Encrypt,CN=R3
     Issued by:        C=US,O=Internet Security Research Group,CN=ISRG Root X1
     Checking against: C=US,O=Internet Security Research Group,CN=ISRG Root X1
      Trusted
    Certificate: C=US,O=Internet Security Research Group,CN=ISRG Root X1
     Issued by: O=Digital Signature Trust Co.,CN=DST Root CA X3
    ERROR: Certificate verification: Not trusted (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF)
    **** Certificate verification: Not trusted (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF)
    ---- Fermeture du socket de contrôle
    ls: Erreur fatale: Certificate verification: Not trusted (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF)

Both FileZilla and Firefox trust these certificates.

What could be the problem and how can I fix it?

us flag
Does anyone have a solution for the client side or know of an alternative client that isn't EOL?
Score:1
in flag

"DST Root CA X3" expired, and lftp implemented its own broken chain verification.

If you are the server admin, you could switch to the alternate chain (with self-signed ISRG Root X1), which should fix the problem with lftp - but breaks older Android clients.

cn flag
Yes, DST Root CA X3 actually expired, but lftp fails verification for the cross-signed variant of ISRG Root X1, which is itself a root certificate.
Score:1
gf flag

I have exactly the same issue. I think it could be a temporary issue with certificate/chain updates, but I can't find any evidence: a colleague of mine can log in to the same FTPS instance without any errors. As a workaround you could manually add the missing certificate. The following command:

    openssl s_client -connect www.planete-sciences.org:21 -starttls ftp -showcerts

should retrieve the full certificate chain for your FTP server. Copy the ISRG Root X1 certificate (the last block enclosed by --BEGIN CERTIFICATE-- and --END CERTIFICATE--, tags included) and paste it into a new file, for example .lftp/mycert.crt. Next, add the full path of your custom certificate file to the .lftp/rc file, for example:

    set ssl:ca-file "/home/paolo/.lftp/mycert.crt"

This will fix the issue. You can find other workarounds like this, which suggests disabling SSL in your conf file (not recommended) or adding the certificate system-wide (however, I prefer to add a local workaround). Updating certificates as described here does not seem to work for me (maybe it is a temporary issue?). If you want to disable SSL, there's also the possibility of doing this for a particular domain, see here.

Hope this helps

cn flag
It is even easier to obtain the certificate: just download this: https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem to the Downloads directory. Then use set ssl:ca-file "~/Downloads/isrg-root-x1-cross-signed.pem"
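
The manual workaround from the answer above, scripted as an added example (not part of the original posts): it takes a saved copy of the `openssl s_client ... -showcerts` output, extracts the last certificate block, and points an lftp rc file at it. The function names and the sample transcript are hypothetical. Because the block comes from the very server whose chain is being debugged, compare the `describe_cert` output with the copy published by the CA before relying on it.

```shell
#!/bin/sh
# Print the last PEM certificate block found in the file $1.
last_pem_block() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { if (inside) last = buf; inside = 0 }
        END                           { printf "%s", last }
    ' "$1"
}

# Write that block to $2/mycert.crt and reference it from $2/rc (idempotent).
# $1 = saved s_client output, $2 = lftp config directory (e.g. ~/.lftp).
pin_lftp_ca() {
    transcript=$1 dir=$2
    cert="$dir/mycert.crt"
    mkdir -p "$dir" || return 1
    last_pem_block "$transcript" > "$cert.tmp" || return 1
    # Refuse to install an empty CA file: no certificate was found.
    [ -s "$cert.tmp" ] || { rm -f "$cert.tmp"; return 1; }
    mv "$cert.tmp" "$cert" || return 1
    line="set ssl:ca-file \"$cert\""
    grep -qxF "$line" "$dir/rc" 2>/dev/null || printf '%s\n' "$line" >> "$dir/rc"
}

# Show subject, issuer, expiry and SHA-256 fingerprint of the pinned file
# so it can be checked against the CA's published certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Constructed sample transcript; the base64 bodies are placeholders,
# not real certificates.
sample_transcript() {
    cat <<'EOF'
 0 s:CN = www.example.org
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
Uk9PVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
---
Server certificate
EOF
}
```

Typical use: save the `s_client` output to a file, run `pin_lftp_ca chain.txt "$HOME/.lftp"`, then `describe_cert "$HOME/.lftp/mycert.crt"`.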