@Alexander: Sure, SERVER=pool222, and other numbers would probably work I suppose. I originally assumed it was irrelevant since CN=*.seedbox.fr but apparently it's not without importance.
The error happens when I run the first "ls" command (lftp 4.7.7 w/ GnuTLS 3.5.10): $ ./lftp lftp :~> debug lftp :~> set ssl:ca-file /etc/ssl/certs/ca-certificates.crt lftp :~> open -p 21 -u USER,PASS pool222.seedbox.fr ---- Resolving host address... ---- 1 address found: 51.254.45.220 lftp u...@pool222.seedbox.fr:~> ls ---- Connecting to pool222.seedbox.fr (51.254.45.220) port 21 <--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- <--- [other 220 info] ---> FEAT <--- [feat reply] ---> AUTH TLS <--- 234 AUTH TLS OK. ---> OPTS UTF8 ON Certificate: C=FR,postalCode=77310,ST=Seine-et-Marne,L=PRINGY,street=IMPASSE DU BREAU,O=SDBX FRANCE,OU=0002 529997199,CN=*.seedbox.fr Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Organization Validation Secure Server CA ERROR: Certificate verification: Not trusted (FA:D3:C7:E9:E8:42:54:BD:4D:AC:15:48:5B:17:65:E4:D0:F9:CF:63) **** Certificate verification: Not trusted (FA:D3:C7:E9:E8:42:54:BD:4D:AC:15:48:5B:17:65:E4:D0:F9:CF:63) ---- Closing control socket ls: Fatal error: Certificate verification: Not trusted (FA:D3:C7:E9:E8:42:54:BD:4D:AC:15:48:5B:17:65:E4:D0:F9:CF:63) @Daniel: I thought clients followed certificate chains themselves, by downloading the intermediate CA certificates from the URI in the "Authority Information Access" field? If that's not what happens, I understand having only the server certificate on the server is not enough indeed. In this case, the intermediate CA certificates would be missing from the FTP host but present on the HTTP host? This would explain why verification fails for the first one but succeeds for the second one. I'm going to contact the hosting company's sysadmins, thanks. On Mon, Mar 20, 2017 at 11:49 PM, Daniel Fazekas <fds...@gmail.com> wrote: > On Mar 20, 2017, at 14:55, Nathanaël Naeri <nathanael.na...@gmail.com> wrote: >> Is that an issue that this hosting company could do something about? I >> can ask their sysadmins for help. > > It's a common setup mistake to make for server admins that they only add the > server certificate to their configuration. Normally you also need to add one > or more CA intermediate certs so that clients, which only normally carry and > trust a bundle of root certs, could successfully verify the whole chain. > It's generally as simple as concatenating the intermediate cert(s) after your > server certificate, for the server admin. > > This could be the issue causing your problems, and something only they can > fix, short of you manually adding that missing intermediate cert on all your > client systems, working around their mistake. > _______________________________________________ > lftp mailing list > lftp@uniyar.ac.ru > http://univ.uniyar.ac.ru/mailman/listinfo/lftp _______________________________________________ lftp mailing list lftp@uniyar.ac.ru http://univ.uniyar.ac.ru/mailman/listinfo/lftp