10

I'm trying to log into an ftps site. I've tried giving the login creds at the command line (and putting set parameters in ~/.lftprc), then opening an lftp session and typing those parameters with lftp job control statements. Regardless, I keep hitting the same roadblock:

 421 Sorry, cleartext sessions are not accepted on this server.
 Please reconnect using SSL/TLS security mechanisms.

I got furthest with the following parameters, but keep getting the error above.

How do I get lftp to use SSL/TLS security mechanism from the command line?

The objective is to script the access to this ftps site using bash (programming without using expect).

 lftp
 lftp :~> set ssl-allow false
 lftp :~> set passive-mode yes
 lftp :~> open ftp.abc.com
 lftp ftp.abc.com:~> login theuser
 Password:
 lftp theuser@ftp.abc.com:~> cd
  `cd' at 0 [Delaying before reconnect: 26]
 CTRL-C
 lftp theuser@ftp.abc.com:~> debug
 lftp theuser@ftp.abc.com:~> cd
 ---- Connecting to ftp.abc.com (XX.XXX.XX.XX) port 21
 <--- 220-Welcome to the Yahoo! Web Hosting FTP server
 <--- 220-Need help? Get all details at:
 <--- 220-http://help.yahoo.com/help/us/webhosting/gftp/
 <--- 220-
 <--- 220-No anonymous logins accepted.
 <--- 220-Yahoo!
 <--- 220-Local time is now 15:30. Server port: 21.
 <--- 220-This is a private system - No anonymous login
 <--- 220 You will be disconnected after 5 minutes of inactivity.
 ---> FEAT
 <--- 211-Extensions supported:
 <---  EPRT
 <---  IDLE
 <---  MDTM
 <---  SIZE
 <---  MFMT
 <---  REST STREAM
 <---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 <---  MLSD
 <---  XDBG
 <---  AUTH TLS
 <---  PBSZ
 <---  PROT
 <---  TVFS
 <---  ESTA
 <---  PASV
 <---  EPSV
 <---  SPSV
 <---  ESTP
 <--- 211 End.
 ---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
 <--- 200  MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
 ---> USER theuser
 <--- 421 Sorry, cleartext sessions are not accepted on this server.
 Please reconnect using SSL/TLS security mechanisms.
user2105469

8 Answers

32

It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates (producing Fatal error: Certificate verification: Not trusted).

The web (and answers in this post) is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is insecure as it allows man-in-the-middle attacks to pass unnoticed.

The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf (or alternatively ~/.lftp/rc, or ~/.config/lftp/rc):

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

ca-certificates.crt is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates:

sudo update-ca-certificates

If your system does not have this command, you can create one manually like this:

cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null
Clément
ingomueller.net
  • Remark: for me (lftp 4.7.4, GnuTLS 3.6.1) the intermediate certificates aren't retrieved from the web, so I had to download them and manually add them (after verifying!) to /usr/share/ca-certificates. – u_Ltd. Sep 07 '18 at 23:18
  • Did you check whether your distribution has a package for that? Installing the CA certificates might be as simple as `sudo apt-get install ca-certificates` (example on [Ubuntu](https://packages.ubuntu.com/trusty/ca-certificates)). – ingomueller.net Sep 11 '18 at 10:00
  • Yes, neither version 20161130 nor version 20180409 contains the required certificates. `dpkg -l ca-certificates` -> `ii ca-certificate 20180409 all Common CA certificates` – u_Ltd. Sep 12 '18 at 11:42
  • Missing certificates are: 1) COMODO RSA Extended Validation Secure Server CA and 2) COMODO RSA Domain Validation Secure Server CA – u_Ltd. Sep 12 '18 at 11:44
  • Hi, I'm trying to establish a secure ftp connection from a GitLab shared runner. So I don't really have access to "local" folders, and the server does have an SSL certificate, but I don't see a way of obtaining it. Can you help me with that? – Petar Stoyanov Feb 09 '21 at 08:44
  • @PetarStoyanov: Normally, you can install software and modify system files in GitLab CI jobs, either in the [`before_script`](https://docs.gitlab.com/ee/ci/yaml/#before_script) section or by using a [custom image](https://docs.gitlab.com/ee/ci/yaml/#image). If you can't, I'd suggest you look at the `ssl:ca-file` and `ssl:ca-path` options of [lftp](https://lftp.yar.ru/lftp-man.html). – ingomueller.net Feb 10 '21 at 10:40
  • Some shared hosting providers didn't issue correct hostnames, so adding `set ssl:check-hostname false` might help a bit. – ninhjs.dev Sep 01 '21 at 16:37
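The configuration this answer recommends, scripted end to end as an added example (editor-added code, not code from the answer or from the lftp project): it locates the system CA bundle, checks that the bundle actually contains certificates, writes a per-user rc that keeps verification on and additionally refuses cleartext logins (`ftp:ssl-force`), and then runs lftp non-interactively, which is what the question asked for. FTP_HOST, FTP_USER and FTP_PWD are assumed variable names; the candidate bundle paths are the usual Debian/Ubuntu, RHEL/Fedora and OpenSSL-default locations.

```shell
#!/bin/sh
# Added example, not code from the answer above: write a per-user lftp rc that
# keeps certificate verification on and refuses cleartext logins, then run a
# non-interactive session. FTP_HOST, FTP_USER and FTP_PWD are assumed variable
# names; LFTP_SETUP_RUN=1 enables the live run at the bottom.

# Common system CA bundle locations: Debian/Ubuntu, RHEL/Fedora, OpenSSL default.
find_ca_bundle() {
  for f in /etc/ssl/certs/ca-certificates.crt \
           /etc/pki/tls/certs/ca-bundle.crt \
           /etc/ssl/cert.pem; do
    if [ -r "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Number of PEM certificate blocks in a file; prints 0 for a missing or empty file.
count_pem_certs() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  printf '%s\n' "${n:-0}"
}

# lftp settings: verify against the bundle, refuse to send the password in the
# clear if the server will not do TLS, and encrypt the data channel as well.
lftp_secure_rc() {
  cat <<EOF
set ssl:ca-file "$1"
set ssl:verify-certificate yes
set ssl:check-hostname yes
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-data yes
set ftp:passive-mode yes
set net:timeout 10
EOF
}

# Write the rc file (mode 0600) only if the bundle really contains certificates.
write_rc() {
  ca=$1
  dest=$2
  if [ "$(count_pem_certs "$ca")" -lt 1 ]; then
    echo "write_rc: no certificates found in $ca" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  ( umask 077; lftp_secure_rc "$ca" > "$dest" )
}

if [ "${LFTP_SETUP_RUN:-0}" = 1 ]; then
  ca=$(find_ca_bundle) || { echo "no CA bundle found; install the ca-certificates package" >&2; exit 1; }
  write_rc "$ca" "$HOME/.lftp/rc"
  # A password on the command line shows up in process listings; lftp also
  # accepts credentials from ~/.netrc, which keeps them out of ps output.
  lftp -u "$FTP_USER,$FTP_PWD" -e "ls; quit" "$FTP_HOST"
fi
```

Run it with `LFTP_SETUP_RUN=1 FTP_HOST=... FTP_USER=... FTP_PWD=...`; without that variable it only defines the functions, so it can be sourced from another script. Because `ssl:verify-certificate` stays on, a `Certificate verification: Not trusted` error afterwards means the bundle lacks the server's issuing CA, which is the thing to fix rather than a reason to switch verification off.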
16

lftp :~> set ssl-allow false

You've explicitly set ssl-allow to false. But this must be true if lftp should attempt to use SSL.

Steffen Ullrich
  • Thanks. That got me past the SSL/TLS error, and onto the next message: `Certificate verification: Not trusted`. So I used `set ssl:verify-certificate false` but then I get `cd: Login failed: 530 Login authentication failed`, and I know the logon creds are correct (all works well with Filezilla). `lftp` on the command line is a workout...I'll start a new question if needed. – user2105469 May 28 '14 at 12:32
  • Are you sure that you use FTPS (SSL with FTP) with FileZilla and not SFTP (file transfer over SSH)? They are both supported and are often confused because of their similar names. – Steffen Ullrich May 28 '14 at 12:49
  • According to the agency that set up this site, it's FTPS. Connection with FileZilla will only work if set as FTP & `Require explicit FTP over TLS`. It won't work using the SFTP setting. It seems they're hosting that site on Yahoo web hosting. We did ask for an SFTP location; we had `expect` scripts ready to go. – user2105469 May 28 '14 at 13:01
5

You might also need to

set ssl:verify-certificate no
mbeltagy
  • This is **insecure**! For details and a better solution, see [my answer](http://stackoverflow.com/a/44095714/651937). – ingomueller.net May 21 '17 at 10:24
  • At least, you could do `set ssl:verify-certificate/myserver.com no` where you replace `myserver.com` by the actual name of the server you're trying to connect to. – Clément Sep 09 '17 at 03:26
5

My answer provides access for a single user on your system rather than a system-wide certificate.

lftp uses Transport Layer Security (TLS). So it’s essential to first grab the certificate from the FTP server.

openssl s_client -connect <ftp-hostname>:21 -starttls ftp

I include the entire certificate chain in a new file called cert.crt in my local ~/.lftp folder. At the very least, you're looking to include all the text of the certificate itself: -----BEGIN CERTIFICATE----- <...> -----END CERTIFICATE-----.

  • I create a file called rc in the local ~/.lftp folder and add the lines
    • set ssl:ca-file "cert.crt"
    • set ssl:check-hostname no (this prevents Fatal error: Certificate verification: certificate common name doesn't match requested host name '<ftp-hostname>' when running a command like ls remotely)
Schmudde
  • Thank you! I was wondering how to add an exclusion for the specific cert and this was it. – Mo2 May 11 '21 at 09:05
2

Setting ftp:ssl-allow true didn't work for me.

By typing set:

lftp :~> set

I noticed this:

set ftp:ssl-allow true
set ftp:ssl-allow/XXX.XXX.XXX.XXX no

with XXX.XXX.XXX.XXX being the server I was logging into.

So the final set of commands I needed was:

lftp :~> set ftp:ssl-allow true
lftp :~> set ftp:ssl-allow/XXX.XXX.XXX.XXX true
lftp :~> set ssl:verify-certificate no
Nik
  • I realize this thread is old, but doesn't adding the final line negate the security added by the first two lines? I am confused. – GrouchyGaijin Apr 16 '18 at 03:01
  • @GrouchyGaijin - you might be right about the security. However, I wasn't concerned about that; my only priority was to make the damn connection work. And this worked :-) – Nik Apr 17 '18 at 05:50
  • I feel your pain brother. – GrouchyGaijin Apr 17 '18 at 09:00
  • Actually, you lose the protection against man-in-the-middle attacks and similar, but you still get protection against random people listening. It takes a bit more interest to do a man in the middle than a simple tcpdump. – Samuel Åslund May 09 '18 at 07:30
1

lftp version must be >= 4.6.3 (Debian user)

salsalito
1

What worked for me step by step with lftp:

  1. get the certificate of the host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp; at the beginning of the result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
  2. copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
  3. in the lftp configuration, reference this certificate file by adding to /etc/lftp.conf (system-wide): set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
  4. and then do your sync or whatever with lftp; in my case it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"
Pipo
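Schmudde's and Pipo's answers both fetch the server's chain with `openssl s_client` and point `ssl:ca-file` at it. As an added example (editor-added code, not from either answer or from the lftp project), here is that procedure with two changes a defender would want: the pinned chain goes into a per-user file and the settings are scoped to that one host with lftp's `/host` closure syntax, so the system-wide CA bundle is left untouched, and hostname checking stays on for that host. The `s_client` output embedded in the block is a constructed sample for the offline run; FTP_HOST is an assumed variable name, and applying the closure to `ssl:ca-file` is assumed to behave like the `ssl:verify-certificate/host` form shown in the comments above.

```shell
#!/bin/sh
# Added example, not code from any answer above: pin one FTPS server's certificate
# chain in a per-user file and scope the lftp settings to that host, instead of
# appending the server's certificate to the system-wide CA bundle. FTP_HOST is an
# assumed variable name; LFTP_PIN_RUN=1 enables the live fetch at the bottom.

# Constructed sample of what `openssl s_client -showcerts` prints (not a real chain).
sample_sclient_output() {
  cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = ftp.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIICCONSTRUCTEDLEAFCERTIFICATEDATA
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIICCONSTRUCTEDINTERMEDIATECADATA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ftp.example.test
EOF
}

# Keep only the PEM blocks from an s_client capture: every line from a BEGIN
# line through its END line is passed through, the surrounding chatter is dropped.
extract_pem_certs() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { p = 0 }' "$1"
}

# Settings scoped to one host with lftp's /host closure (the comments above use
# it for ssl:verify-certificate; using it for ssl:ca-file is assumed to work the
# same way). Verification and hostname checking stay on for this host.
pin_rc_lines() {
  host=$1
  pem=$2
  printf 'set ssl:ca-file/%s "%s"\n' "$host" "$pem"
  printf 'set ssl:verify-certificate/%s yes\n' "$host"
  printf 'set ssl:check-hostname/%s yes\n' "$host"
  printf 'set ftp:ssl-force/%s yes\n' "$host"
}

# Live fetch of the chain over explicit FTPS (needs network access and openssl).
fetch_chain() {
  openssl s_client -connect "$1:21" -starttls ftp -showcerts </dev/null 2>/dev/null
}

if [ "${LFTP_PIN_RUN:-0}" = 1 ]; then
  mkdir -p "$HOME/.lftp"
  raw="$HOME/.lftp/$FTP_HOST.s_client.txt"
  pem="$HOME/.lftp/$FTP_HOST.pem"
  fetch_chain "$FTP_HOST" > "$raw"
  extract_pem_certs "$raw" > "$pem"
  rm -f "$raw"
  # Compare this fingerprint with the one the hosting provider publishes before
  # relying on the pin; a value taken blindly from the network proves nothing.
  openssl x509 -in "$pem" -noout -fingerprint -sha256
  pin_rc_lines "$FTP_HOST" "$pem" >> "$HOME/.lftp/rc"
fi
```

Pinning only the leaf certificate means the rc stops working when the server renews; keeping the issuing (intermediate) CA from the extracted chain in the pinned file survives renewals. Either way, check the printed SHA-256 fingerprint against a value obtained out of band from the provider. If the provider's certificate genuinely does not match the hostname, `set ssl:check-hostname/<host> no` confines the exception to that host instead of disabling the check globally.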
0

This worked for me for an FTPS server connection (with port 990, but not necessary to specify) using lftp

code: lftp ftps://USER:PASSWORD@server.com -c "set ssl:verify-certificate false;"

then: do stuff

more info at: how-to-avoid-lftp-certificate-verification-error

JNey