Sure, SERVER=pool222, and other numbers would probably work I suppose.
I originally assumed it was irrelevant since CN=*.seedbox.fr but
apparently it's not without importance.

The error happens when I run the first "ls" command (lftp 4.7.7 w/
GnuTLS 3.5.10):

$ ./lftp
lftp :~> debug
lftp :~> set ssl:ca-file /etc/ssl/certs/ca-certificates.crt
lftp :~> open -p 21 -u USER,PASS pool222.seedbox.fr
---- Resolving host address...
---- 1 address found:
lftp u...@pool222.seedbox.fr:~> ls
---- Connecting to pool222.seedbox.fr ( port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
<--- [other 220 info]
---> FEAT
<--- [feat reply]
<--- 234 AUTH TLS OK.
Certificate: C=FR,postalCode=77310,ST=Seine-et-Marne,L=PRINGY,street=IMPASSE
DU BREAU,O=SDBX FRANCE,OU=0002 529997199,CN=*.seedbox.fr
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=COMODO RSA Organization Validation Secure Server CA
ERROR: Certificate verification: Not trusted
**** Certificate verification: Not trusted
---- Closing control socket
ls: Fatal error: Certificate verification: Not trusted


I thought clients followed certificate chains themselves, by
downloading the intermediate CA certificates from the URI in the
"Authority Information Access" field? If that's not what happens, I
understand having only the server certificate on the server is not
enough indeed.

In this case, the intermediate CA certificates would be missing from
the FTP host but present on the HTTP host? This would explain why
verification fails for the first one but succeeds for the second one.

I'm going to contact the hosting company's sysadmins, thanks.

On Mon, Mar 20, 2017 at 11:49 PM, Daniel Fazekas <fds...@gmail.com> wrote:
> On Mar 20, 2017, at 14:55, Nathanaël Naeri <nathanael.na...@gmail.com> wrote:
>> Is that an issue that this hosting company could do something about? I
>> can ask their sysadmins for help.
> It's a common setup mistake to make for server admins that they only add the 
> server certificate to their configuration. Normally you also need to add one 
> or more CA intermediate certs so that clients, which only normally carry and 
> trust a bundle of root certs, could successfully verify the whole chain.
> It's generally as simple as concatenating the intermediate cert(s) after your 
> server certificate, for the server admin.
> This could be the issue causing your problems, and something only they can 
> fix, short of you manually adding that  missing intermediate cert on all your 
> client systems, working around their mistake.
> _______________________________________________
> lftp mailing list
> lftp@uniyar.ac.ru
> http://univ.uniyar.ac.ru/mailman/listinfo/lftp
lftp mailing list

Reply via email to