Just an update to close the thread: the hosting company has changed their server setup to include the intermediate CA certificates in addition to the server certificates. I can now confirm that the certificate chain is indeed visible when connecting with lftp (in debug mode), and certificate verification succeeds.
Thanks again for your help with this issue! Naël On Wed, Mar 22, 2017 at 1:03 AM, Nathanaël Naeri <nathanael.na...@gmail.com> wrote: > I've contacted the hosting company. Thank you so much for > troubleshooting this issue, and helping me understand certificate > verification better! > > Naël > > On Tue, Mar 21, 2017 at 1:37 PM, Alexander V. Lukyanov <l...@netis.ru> wrote: >> On Mon, Mar 20, 2017 at 11:49:46PM +0100, Daniel Fazekas wrote: >>> On Mar 20, 2017, at 14:55, Nathanaël Naeri <nathanael.na...@gmail.com> >>> wrote: >>> > Is that an issue that this hosting company could do something about? I >>> > can ask their sysadmins for help. >>> >>> It's a common setup mistake to make for server admins that they only add >>> the server certificate to their configuration. Normally you also need to >>> add one or more CA intermediate certs so that clients, which only normally >>> carry and trust a bundle of root certs, could successfully verify the whole >>> chain. >>> It's generally as simple as concatenating the intermediate cert(s) after >>> your server certificate, for the server admin. >>> >>> This could be the issue causing your problems, and something only they can >>> fix, short of you manually adding that missing intermediate cert on all >>> your client systems, working around their mistake. >> >> This seems to be the issue. The certificate chain of the ftp server is not >> a chain, but rather a single link. It's necessary either change the server's >> certificate to the full chain to the root CA, or add the "next link" to the >> local CA storage. _______________________________________________ lftp mailing list email@example.com http://univ.uniyar.ac.ru/mailman/listinfo/lftp