When using LFTP for secure FTP transfers, you might encounter the error:
Certificate verification: certificate common name doesn't match requested host name
This occurs when the name you connect to is not covered by the server certificate: TLS clients match the host name against the certificate's SAN (Subject Alternative Name) DNS entries and fall back to the CN (Common Name) only when there are none. In your case the server presents a wildcard certificate for *.zxcs.nl while you connect to example.nl. A wildcard stands in for exactly one label under zxcs.nl (www.zxcs.nl, for example), so it covers neither example.nl nor zxcs.nl itself, and lftp is right to complain.
The debug output shows the explicit-TLS upgrade of the control connection (AUTH TLS) and the certificate the server presents:
---> AUTH TLS
<--- 234 AUTH TLS successful
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited
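The name check behind that warning, as an added shell example that is not part of the original page or of lftp itself: it pulls the CN out of the Certificate: line quoted above and applies the matching rules a TLS library uses (SAN DNS names first, CN only when there are none; a wildcard is honoured only as the whole leftmost label and replaces exactly one label). The host names and SAN lists it is fed are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page or from lftp: re-implements the
# certificate name check to show why "*.zxcs.nl" does not cover "example.nl".
# Host names and SAN lists below are constructed for the demonstration.

# Extract the CN from an lftp "Certificate: ..." debug line (last CN= field).
cn_from_lftp_line() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# match_name PATTERN HOST: exit 0 if one certificate name covers HOST.
# Rules (RFC 6125): case-insensitive exact match, or a wildcard that is the
# whole leftmost label and replaces exactly one label; "*.nl" is refused.
match_name() {
    _pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$_pat" in
        '*.'*)
            _suffix=${_pat#\*.}
            case "$_suffix" in *.*) ;; *) return 1 ;; esac   # wildcard for a bare TLD
            _rest=${_host%".$_suffix"}
            [ "$_rest" != "$_host" ] || return 1            # host is not under the suffix
            case "$_rest" in ''|*.*) return 1 ;; esac       # must be exactly one label
            return 0 ;;
        *'*'*) return 1 ;;                                  # wildcard not the whole leftmost label
        *) [ "$_pat" = "$_host" ] ;;
    esac
}

# cert_covers_host HOST "SAN DNS NAMES" CN: with any dNSName SAN present the
# CN is ignored; only a certificate without SANs falls back to the CN.
cert_covers_host() {
    _h=$1 _sans=$2 _cn=$3
    _names=${_sans:-$_cn}
    set -f                               # names contain '*': keep the shell from globbing them
    for _n in $_names; do
        if match_name "$_n" "$_h"; then set +f; return 0; fi
    done
    set +f
    return 1
}

# Walk through the case from the debug output: a wildcard CN and no SANs.
cn=$(cn_from_lftp_line 'Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl')
for h in example.nl www.zxcs.nl zxcs.nl a.b.zxcs.nl; do
    if cert_covers_host "$h" "" "$cn"; then
        printf '%-13s covered by %s\n' "$h" "$cn"
    else
        printf '%-13s NOT covered by %s -> lftp warns about the common name\n' "$h" "$cn"
    fi
done
```

Run it as-is to see the four verdicts; to check a real server, feed cert_covers_host the DNS names from openssl x509 -noout -text on the certificate s_client prints.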
Both machines use ssl:verify-certificate no, which turns the mismatch from a fatal error into the WARNING line, so the certificate is not what separates them. They behave differently because:
- The working machine establishes the data connection despite the warning
- The failing machine stops at
425 Unable to build data connection
1. Verify System Certificates
A name mismatch is not a trust-chain problem, so reinstalling CA certificates will not make this warning go away; this step only rules out the separate "issuer not trusted" failure that would surface once verification is turned back on. Confirm the Debian bundle exists and regenerate it (as root):
ls -l /etc/ssl/certs/ca-certificates.crt
update-ca-certificates --fresh
2. Alternative Certificate Verification Methods
Instead of disabling verification entirely, try these options in ~/.lftp/rc or in the session. Every lftp setting accepts a host closure (set variable/host value), so an exception can be confined to the one server that needs it:
set ssl:ca-file "/path/to/custom/ca-bundle.crt"
set ssl:check-hostname/example.nl no   # chain still validated; only the name check is waived, and only for this host
set ftp:ssl-allow no                   # last resort: plain FTP, password and data cross the network unencrypted
3. The Data Connection Issue
The full server reply in the failing log is
425 Unable to build data connection: Operation not permitted
That exact wording is what servers which require TLS on the data channel return when the client requests a transfer without first issuing PROT P, so check that before suspecting the network:
set ftp:ssl-protect-data yes
If the data channel is already protected, what remains is a firewall or NAT in the path of the data connection. Try the other transfer mode; in active mode the server connects back to the client, so your side must be reachable:
set ftp:passive-mode no
4. Complete Working Configuration
Here's a full config that keeps verification on and waives only the name check, only for this host:
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-data yes
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
set ssl:verify-certificate yes
set ssl:check-hostname/example.nl no
set ftp:passive-mode yes
set net:max-retries 5
set net:timeout 60
Avoid setting ssl:verify-certificate no globally: it accepts any certificate from any server, including one presented by a machine in the middle. If you must turn it off for this host, scope it the same way: set ssl:verify-certificate/example.nl no.
For deeper investigation (feed s_client from /dev/null so it does not wait for input; send lftp's own debug output to a file, since xfer:log-file only records completed transfers):
openssl s_client -connect example.nl:21 -starttls ftp -showcerts </dev/null
lftp -e "debug -o /tmp/lftp-debug.log 10; open example.nl; ls; quit"
For production environments, you should:
- Get a proper certificate matching your hostname
- Or configure your client with the correct CA bundle
- Or use host-specific verification exceptions via lftp's closure syntax (set ssl:check-hostname/example.nl no), so every other connection stays fully verified
When working with lftp on Debian systems, you might encounter a particularly stubborn SSL certificate verification error:
WARNING: Certificate verification: certificate common name doesn't match requested host name
What makes this case interesting is that:
- It is printed despite set ssl:verify-certificate no (expected: that setting turns the check into a warning rather than silencing it)
- Behavior differs between identical lftp versions (4.6.0-1+deb8u1)
- The failure is confined to specific machines while others, showing the same warning, work fine
From the debug logs, we can observe these critical points:
**** connect(control_sock): Network is unreachable
[...]
<--- 425 Unable to build data connection: Operation not permitted
The working session transfers data despite the same certificate warning, while the failing session fails at the network level: connect() on the control socket reports "Network is unreachable", a routing problem on the client (typically the name resolving to an IPv6 address on a host without an IPv6 route), and the later 425 reply is the server refusing to build the data connection. Neither is caused by the certificate.
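A triage pass over lftp debug output, as an added shell example that is not from the original page or from lftp: it tags the lines that matter, explains what each one implies, and names the last blocking condition, so the harmless certificate WARNING is not mistaken for the cause. The two sample logs are constructed to mirror the working and failing sessions described above; the advice strings are mine.

```shell
#!/bin/sh
# Added example, not from the original page or from lftp: separate the
# informational certificate WARNING from the lines that actually stop a session.
# The two sample logs below are constructed for the demonstration.

# classify_lftp_line LINE: print a tag for a line that needs action, else nothing.
classify_lftp_line() {
    case "$1" in
        *'connect(control_sock): Network is unreachable'*)                 echo ROUTE ;;
        *'WARNING: Certificate verification:'*)                            echo CERT-WARN ;;
        *'425 Unable to build data connection: Operation not permitted'*) echo DATA-REFUSED ;;
        *'425 '*)                                                          echo DATA-NET ;;
    esac
}

# triage_lftp_log < debug-output: explain each tagged line, then print a
# VERDICT line naming the last blocking condition (OK when only warnings were seen).
triage_lftp_log() {
    _verdict=OK
    while IFS= read -r _line; do
        _tag=$(classify_lftp_line "$_line")
        case "$_tag" in
            ROUTE)
                echo "ROUTE: $_line"
                echo "  connect() failed before TLS started: check which address family lftp picked (getent ahosts, dns:order) and this machine's routes"
                _verdict=$_tag ;;
            CERT-WARN)
                echo "CERT-WARN: $_line"
                echo "  informational while ssl:verify-certificate is off: fix the name or scope ssl:check-hostname/HOST no; this line does not abort the session" ;;
            DATA-REFUSED)
                echo "DATA-REFUSED: $_line"
                echo "  server refused an unprotected data channel: set ftp:ssl-protect-data yes so lftp sends PROT P"
                _verdict=$_tag ;;
            DATA-NET)
                echo "DATA-NET: $_line"
                echo "  data connection could not be built: toggle ftp:passive-mode and check firewall/NAT on both ends"
                _verdict=$_tag ;;
        esac
    done
    echo "VERDICT: $_verdict"
}

# Constructed sample logs (lftp's own wording, apostrophe included).
SAMPLE_WORKING=$(cat <<'EOF'
---> AUTH TLS
<--- 234 AUTH TLS successful
WARNING: Certificate verification: certificate common name doesn't match requested host name
---> PASV
<--- 227 Entering Passive Mode (192,0,2,10,195,80)
<--- 226 Transfer complete
EOF
)
SAMPLE_FAILING=$(cat <<'EOF'
**** connect(control_sock): Network is unreachable
---> AUTH TLS
<--- 234 AUTH TLS successful
WARNING: Certificate verification: certificate common name doesn't match requested host name
---> PASV
<--- 425 Unable to build data connection: Operation not permitted
EOF
)

echo "== working machine =="; printf '%s\n' "$SAMPLE_WORKING" | triage_lftp_log
echo "== failing machine =="; printf '%s\n' "$SAMPLE_FAILING" | triage_lftp_log
```

On a real machine, pipe the file written by debug -o (or lftp -d output) into triage_lftp_log; the verdict is the last blocking line because a session stops at the last error it hits, not the first warning it prints.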
1. Network-Level Verification
First check basic network connectivity, including which addresses the name resolves to (an AAAA record on a host without an IPv6 route is the usual source of "Network is unreachable"):
getent ahosts example.nl
ping example.nl
traceroute example.nl
Then watch which address lftp actually connects to, with debug output turned on (open alone does not connect; the ls forces it):
lftp -e "debug 10; open example.nl; ls; quit"
If the unreachable address is an IPv6 one, restrict lftp to IPv4 for the test. dns:order lists the address families lftp tries; check its default on your version with lftp -c "set -a":
set dns:order inet
2. Host-Specific Trust
lftp has no per-host certificate store; what it has is the closure syntax, which lets verification stay on globally with one scoped exception. First inspect the chain the server presents:
openssl s_client -connect example.nl:21 -starttls ftp -showcerts </dev/null
If the chain validates and only the name is wrong (the *.zxcs.nl wildcard case), waive just the name check for this host:
set ssl:check-hostname/example.nl no
If instead the issuer is not in your CA bundle, save the issuer certificates printed by s_client to a PEM file (the path below is an example; any readable file works) and point lftp at it:
set ssl:ca-file "/etc/ssl/certs/example-nl-chain.pem"
3. Alternative Connection Methods
Try forcing the TLS behaviour explicitly. ftp:ssl-protect-data in particular makes lftp issue PROT P before transfers, which is what a server that requires TLS on the data channel is waiting for when it answers 425:
set ftp:ssl-force true
set ftp:ssl-protect-data true
set ftp:ssl-protect-list true
Or, to confirm the problem is TLS-related and nothing else, disable SSL for one test session only (credentials then travel in clear text):
set ftp:ssl-allow no
Check for these system-level differences between the working and failing machines:
- Compare /etc/resolv.conf (a different resolver may return an AAAA record on one machine only)
- Verify IPv6 settings with sysctl net.ipv6.conf.all.disable_ipv6 and ip -6 route
- Check firewall rules with iptables -L -n -v and ip6tables -L -n -v
- Examine MTU settings with ip link show
Add these settings to ~/.lftprc (or ~/.lftp/rc; both are read):
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
set ssl:check-hostname/example.nl no
set net:max-retries 5
set net:timeout 60
For system-wide configuration, edit /etc/lftp.conf with similar settings; the per-user files are read afterwards and override it.
After applying changes, verify with:
lftp -e "set net:max-retries 1; open example.nl; ls; quit"