LFTP with this new cert problem

Anyone got LFTP working with this new cert situation?

Wayne Sallee
Wayne@WayneSallee.com

@WayneSallee
I haven't seen any related topics.
Does it have a config file?
[where it points to the cert files]

Make sure your config uses a full chain (e.g. fullchain.pem), not just your cert + private key; otherwise clients have to guess the intermediate and usually get it wrong.


I also have not seen anyone say that they have had no problems using lftp with this new situation.

Certificate:
Issued by: C=US,O=Let's Encrypt,CN=R3
Checking against: C=US,O=Let's Encrypt,CN=R3
Trusted
Certificate: C=US,O=Let's Encrypt,CN=R3
Issued by: C=US,O=Internet Security Research Group,CN=ISRG Root X1
Checking against: C=US,O=Internet Security Research Group,CN=ISRG Root X1
Trusted
Certificate: C=US,O=Internet Security Research Group,CN=ISRG Root X1
Issued by: O=Digital Signature Trust Co.,CN=DST Root CA X3
ERROR: Certificate verification: Not trusted

Yes there is a config file.
Certs are in /etc/ssl/certs

LFTP worked fine before CA X3 expired.
Now that CA X3 has expired, and since it is signed by CA X3, the cert is rejected by LFTP.

Wayne Sallee
Wayne@WayneSallee.com
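
Added example, not part of the original thread and not lftp's own code: a small parser for the verification log quoted in the post above, reporting which link in the presented chain failed and whether the client had already verified an earlier certificate against that same subject. The line format is assumed from that log only; `parse_chain` and `diagnose` are hypothetical names.

```python
# Log text copied from the post above; the first subject is blank on the page.
SAMPLE_LOG = """\
Certificate:
Issued by: C=US,O=Let's Encrypt,CN=R3
Checking against: C=US,O=Let's Encrypt,CN=R3
Trusted
Certificate: C=US,O=Let's Encrypt,CN=R3
Issued by: C=US,O=Internet Security Research Group,CN=ISRG Root X1
Checking against: C=US,O=Internet Security Research Group,CN=ISRG Root X1
Trusted
Certificate: C=US,O=Internet Security Research Group,CN=ISRG Root X1
Issued by: O=Digital Signature Trust Co.,CN=DST Root CA X3
ERROR: Certificate verification: Not trusted
"""

FIELDS = {"Issued by:": "issuer", "Checking against:": "checked"}

def parse_chain(log):
    """Split the log into one record per 'Certificate:' entry (format assumed from the log above)."""
    links = []
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("Certificate:"):
            links.append({"subject": line[12:].strip(), "issuer": None,
                          "checked": None, "status": "unknown"})
        elif not links:
            continue  # ignore anything before the first certificate
        elif line == "Trusted":
            links[-1]["status"] = "trusted"
        elif line.startswith("ERROR: Certificate verification:"):
            links[-1]["status"] = line.split(":", 2)[2].strip().lower()
        else:
            for prefix, key in FIELDS.items():
                if line.startswith(prefix):
                    links[-1][key] = line[len(prefix):].strip()
    return links

def diagnose(links):
    """Return details of the first link that is not 'trusted', or None if all passed."""
    for pos, link in enumerate(links):
        if link["status"] != "trusted":
            # Did an earlier certificate already verify against this same subject?
            seen = any(p["status"] == "trusted" and p["checked"] == link["subject"]
                       for p in links[:pos])
            return {"position": pos, "failing_subject": link["subject"],
                    "failing_issuer": link["issuer"], "subject_already_trusted": seen}
    return None

if __name__ == "__main__":
    print(diagnose(parse_chain(SAMPLE_LOG)))
```

On the log above, the failing entry is the ISRG Root X1 certificate issued by DST Root CA X3, and `subject_already_trusted` is true because the R3 certificate had already been checked against ISRG Root X1.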

Can you expound on that?

Wayne Sallee
Wayne@WayneSallee.com

Can you explain exactly what your setup is and what you are trying to do? What domains are involved?

There are two Let's Encrypt chains and a service can be configured to use one or the other; clients (things that talk to servers) can usually consume either chain.

Are you running a service or consuming a service that someone else hosts?

I have my own servers.

Wayne Sallee
Wayne@WayneSallee.com

Very few people come here to post about how they aren't having any problems with something.

Since no one else has posted any specifically LFTP relevant information...
Let's try solving this generically.
Presuming the problem started recently and you haven't made any change to warrant this error...

  • Which OS and version is this running?

  • Which version of OpenSSL is being used?

  • Have you updated ca-certificates ?

Server or client?

No changes before the problem, but obviously I have made a number of attempts at this afterwards; not going to remember exactly everything I have tried.

Wayne Sallee
Wayne@WayneSallee.com

Firefox 45.0.2 also does not like the certificate. :slight_smile:

Wayne Sallee
Wayne@WayneSallee.com

I suppose both. But let's first focus on the server.

Debian 9.13. Yes, it needs to be upgraded. I knew it was getting time to upgrade, then covid happened, then wow! where did the time go? :slight_smile: I'll be updating to Debian 10 soon.

openssl 1.1.0l-1

Yes I tried update-ca-certificates

Wayne Sallee
Wayne@WayneSallee.com

There is still the option of switching to another ACME friendly (and free) CA.

Can you expound on that?

Wayne Sallee
Wayne@WayneSallee.com

Sure.
Which ACME client are you using?

I use certbot --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

Sorry, I got :confused:

There are other ACME friendly ACME clients.
See:
ACME Client Implementations - Let's Encrypt (letsencrypt.org)

