Using lftp to upload files to a remote server from two computers on my network. Using the exact same code this works fine on one and doesn't work on the other.
Transcripts of a problem session and a successful session are shown below.
The error that I get is:
Certificate verification: certificate common name doesn't match requested host name
Googling this error finds a solution that seems to work for most people (using: set ssl:verify-certificate no). But as you can see in the transcripts below this doesn't work for the "problem computer".
Because both computers use the same DNS and router to get on the internet I can only assume that this may be caused by a different setting on the problem computer. Would love to get suggestions for stuff to check other than lftp settings.
The problem computer
Stock Debian system jessie 8.7: 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux
lftp version being used:
$ apt show lftp
Package: lftp
Version: 4.6.0-1+deb8u1
:
:
Failing session (hostname replaced by "example"):
$ lftp
lftp :~> debug
lftp :~> set
set dns:order "inet6 inet"
set file:charset UTF-8
set ftp:timezone ""
set net:max-retries 2
set net:timeout 30
set ssl:verify-certificate no
set xfer:log yes
set xfer:log-file /tmp/lftp.log
set xfer:max-log-size 1048576
set xfer:max-redirections 10
set xfer:verify-command /usr/share/lftp/verify-file
lftp :~> open example.nl
---- using user `[email protected]' and password from ~/.netrc
---- Resolving host address...
---- 2 addresses found: (▮▮▮▮▮▮▮▮, ▮▮▮▮▮▮▮▮)
lftp [email protected]@example.nl:~> dir
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
**** connect(control_sock): Network is unreachable
---- Closing control socket
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
<--- 220 ProFTPD 1.3.5b Server ready.
---> FEAT
<--- 211-Features:
<--- CCC
<--- PBSZ
<--- AUTH TLS
<--- MFF modify;UNIX.group;UNIX.mode;
<--- REST STREAM
<--- MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<--- LANG en-US.UTF-8*
<--- UTF8
<--- EPRT
<--- EPSV
<--- MDTM
<--- SSCN
<--- TVFS
<--- MFMT
<--- SIZE
<--- PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
<--- 200 Using default language en_US.UTF-8
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER [email protected]
<--- 331 Password required for [email protected]
---> PASS XXXX
<--- 230 User [email protected] logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (▮▮▮▮▮▮▮▮).
---- Connecting data socket to (▮▮▮▮▮▮▮▮) port 35302
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘ example.nl’
<--- 425 Unable to build data connection: Operation not permitted
---- Closing data socket
<--- 450 LIST: Operation not permitted
**** extra server response
ls: Fatal error: max-retries exceeded
lftp [email protected]@example.nl:/>
The other computer
Debian-based Raspbian jessie 8.0 : 4.4.38+ #938 Thu Dec 15 15:17:54 GMT 2016 armv6l GNU/Linux
On this computer I have the exact same version of lftp:
$ apt show lftp
Package: lftp
Version: 4.6.0-1+deb8u1
:
:
But now the lftp session gives no problems:
$ lftp
lftp :~> debug
lftp :~> set
set dns:order "inet6 inet"
set file:charset UTF-8
set ftp:timezone ""
set net:max-retries 2
set net:timeout 30
set ssl:verify-certificate no
set xfer:log yes
set xfer:log-file /tmp/lftp.log
set xfer:max-log-size 1048576
set xfer:max-redirections 10
set xfer:verify-command /usr/share/lftp/verify-file
lftp :~> open example.nl
---- using user `[email protected]' and password from ~/.netrc
---- Resolving host address...
---- 2 addresses found: ▮▮▮▮▮▮▮▮, ▮▮▮▮▮▮▮▮
lftp [email protected]@example.nl:~> dir
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
**** connect(control_sock): Network is unreachable
---- Closing control socket
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
<--- 220 ProFTPD 1.3.5b Server ready.
---> FEAT
<--- 211-Features:
<--- CCC
<--- PBSZ
<--- AUTH TLS
<--- MFF modify;UNIX.group;UNIX.mode;
<--- REST STREAM
<--- MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<--- LANG en-US.UTF-8*
<--- UTF8
<--- EPRT
<--- EPSV
<--- MDTM
<--- SSCN
<--- TVFS
<--- MFMT
<--- SIZE
<--- PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
<--- 200 Using default language en_US.UTF-8
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER [email protected]
<--- 331 Password required for [email protected]
---> PASS XXXX
<--- 230 User [email protected] logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (▮▮▮▮▮▮▮▮).
---- Connecting data socket to (▮▮▮▮▮▮▮▮) port 35035
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
---- Got EOF on data connection
---- Closing data socket
drwxr-xr-x 11 ftp ftp 4096 Feb 11 16:56 .
drwxr-xr-x 11 ftp ftp 4096 Feb 11 16:56 ..
drwxr-xr-x 2 ftp ftp 4096 Dec 29 10:48 01.home
lftp [email protected]@example.nl:/>
As the comments said, ssl:check-hostname will work. It can be set in lftp shell by
I was facing a similar problem in Amazon Linux 2; the below helped me.
Append the file "/etc/lftp.conf" and try connecting again.
vi /etc/lftp.conf
and append as below. Validate it as below.
The problem might be caused by outdated SSL libraries.
Also, if it is a ProFTPd server, there is a hint to add TLSOptions NoSessionReuseRequired in its config. Have you seen your ftp server's logs?
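A triage sketch for the two transcripts in the question, added here as an example (not code from the question or from any answer): it shows that both sessions log the same two certificate warnings and differ only in the 425 reply that follows PROT P, which is the point where the ProFTPd hint and the server's TLS log apply. The function names, verdict labels and abridged sample lines are constructed for illustration.

```python
import re

# Constructed samples: lines abridged from the two sessions on this page.
COMMON = """\
<--- 234 AUTH TLS successful
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
<--- 200 Protection set to Private
---> LIST
<--- 150 Opening ASCII mode data connection for file list
"""
FAILING = COMMON + "<--- 425 Unable to build data connection: Operation not permitted\n"
WORKING = COMMON + "---- Got EOF on data connection\n"

def name_matches(pattern, host):
    """Certificate name match where '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def triage(transcript):
    """Separate non-fatal certificate warnings from the reply that stopped the command."""
    f = {"cn": None, "host": None, "name_ok": None, "cert_warnings": 0,
         "prot_p": False, "error_reply": None}
    for line in transcript.splitlines():
        if m := re.match(r"Certificate:.*\bCN=([^,\s]+)", line):
            f["cn"] = m.group(1)
        elif line.startswith("WARNING: Certificate verification:"):
            f["cert_warnings"] += 1
            if m := re.search(r"host name\s*[‘']\s*([^’'\s]+)", line):
                f["host"] = m.group(1)
        elif line.startswith("<--- 200 Protection set to Private"):
            f["prot_p"] = True
        elif (m := re.match(r"<--- ([45]\d\d) (.*)", line)) and not f["error_reply"]:
            f["error_reply"] = (int(m.group(1)), m.group(2))  # first 4xx/5xx reply
    if f["cn"] and f["host"]:
        f["name_ok"] = name_matches(f["cn"], f["host"])
    if f["error_reply"] is None:
        f["verdict"] = "warnings-only"  # warnings logged, listing still completed
    elif f["error_reply"][0] == 425 and f["prot_p"]:
        f["verdict"] = "protected-data-channel-refused"  # look at the server's TLS log
    else:
        f["verdict"] = "server-error-reply"
    return f

if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        print(name, triage(text))
```

The name check reports a mismatch in both sessions because *.zxcs.nl covers only hosts one label below zxcs.nl, so the warning alone does not explain why one machine fails.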