How to Fix “Certificate Verification: subjectAltName Does Not Match” Error in LFTP for FTP Transfers



When using LFTP for FTP transfers in automated workflows (like Pelican blog deployments), you might encounter the frustrating certificate verification error:

mirror: Fatal error: Certificate verification:
subjectAltName does not match 'blogname.com'

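This occurs because LFTP, by default (ftp:ssl-allow is on), upgrades the connection to TLS whenever the server offers it, even for an ftp:// URL, and then verifies the server's certificate. The error means none of the certificate's subjectAltName entries match the hostname you're connecting to, for example when the certificate was issued for the hosting provider's hostname rather than your domain.

The commonly suggested fix, adding set ftp:ssl-allow no, breaks the one-line command pattern when the setting and the mirror command are passed as separate quoted arguments: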

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no" "mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

This makes LFTP drop into interactive mode instead of executing the full command sequence.

Option 1: Proper Command Sequencing

Use semicolons to chain commands correctly:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR); quit"

Option 2: Host-Specific Certificate Verification Disable

Create or modify ~/.lftp/rc with:

set ssl:verify-certificate/ftp.yourdomain.com no

This disables verification only for your specific host while keeping it enabled for others.

Option 3: Temporary Configuration in Command

For one-time commands, use:

lftp -e "set ftp:ssl-allow off; set ssl:verify-certificate no; open ftp://$(FTP_USER)@$(FTP_HOST); mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR); quit"

For Pelican blogs, modify your Makefile like this:

ftp_upload: $(OUTPUTDIR)/index.html
	lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; set ssl:verify-certificate no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR); quit"

After implementing any of these solutions, test with:

make ftp_upload

The transfer should complete without certificate errors while maintaining full automation.

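Disabling certificate verification solves the immediate problem, but the two settings have different costs. set ftp:ssl-allow no turns TLS off entirely, so the password and files travel in cleartext; set ssl:verify-certificate no keeps the connection encrypted but accepts any certificate, so the server's identity is no longer checked. With TLS turned off, ssl:verify-certificate has no effect, so the commands above that set both rely on ftp:ssl-allow alone. Consider: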

  • Setting up proper SSL certificates for your FTP server
  • Using SFTP instead of FTP when possible
  • Restricting the certificate verification disable to only your specific domain

In Pelican deployments, the same error comes from lftp's default behavior of enforcing strict certificate validation, which clashes with servers that present a self-signed certificate or one issued for a different hostname.

The cleanest way to handle this while maintaining a single-command workflow is:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR); quit"

Key differences from the failing command:

  1. Semicolons separate the commands instead of separate quoted arguments
  2. All commands execute sequentially in one -e argument

For those who prefer persistent settings:

Option 1: Create ~/.lftp/rc (disables verification for every host)

mkdir -p ~/.lftp
echo "set ssl:verify-certificate no" >> ~/.lftp/rc

Option 2: Host-specific verification disable

echo "set ssl:verify-certificate/ftp.myblog.com no" >> ~/.lftp/rc

The correct Makefile syntax should look like:

ftp_upload: $(OUTPUTDIR)/index.html
	lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR); quit"

Common pitfalls to avoid:

  • Missing semicolons between commands
  • Extra spaces before the command (Makefiles require tabs)
  • Quoting issues when variables contain special characters

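While disabling certificate verification works, consider these more secure alternatives in ~/.lftp/rc. They tell lftp which CA certificates to trust; the hostname you connect to must still appear in the certificate's subjectAltName, so connect using the name the certificate was issued for: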

# For self-signed certificates:
set ssl:ca-file "/path/to/your/cert.pem"

# For Let's Encrypt certificates:
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
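
A check for the settings discussed on this page, as an added example (not part of the original article): the script scans an lftp rc file or Makefile and reports where TLS or certificate verification is switched off, rating a host-scoped disable lower than a global one. The function names, severity labels and sample file are constructed for illustration, and the false spellings it looks for (no, off, false, 0) are an assumption of this script.

```shell
#!/bin/sh
# Added example: flag lftp settings that weaken TLS in an rc file or Makefile.
# Prints one finding per line: SEVERITY<TAB>line<TAB>setting<TAB>reason
audit_lftp_tls() {
    awk '
    /^[ \t]*#/ { next }                    # skip whole-line comments
    {
        n = split($0, parts, /[;"]/)       # also splits commands in -e "a; b; c"
        for (i = 1; i <= n; i++) {
            cmd = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            if (split(cmd, w, /[ \t]+/) != 3 || w[1] != "set") continue
            if (w[3] !~ /^(no|off|false|0)$/) continue   # disabled booleans only
            name = w[2]; host = ""
            p = index(name, "/")           # "name/host" scopes a setting to one host
            if (p > 0) { host = substr(name, p + 1); name = substr(name, 1, p - 1) }
            if (name == "ftp:ssl-allow")
                printf "HIGH\t%d\t%s\tTLS off: login and data in cleartext\n", NR, w[2]
            else if (name == "ssl:verify-certificate" && host == "")
                printf "HIGH\t%d\t%s\tcertificate checks off for every host\n", NR, w[2]
            else if (name == "ssl:verify-certificate")
                printf "MEDIUM\t%d\t%s\tcertificate checks off for %s only\n", NR, w[2], host
        }
    }' "$1"
}

# Constructed sample input: rc settings and a Makefile recipe line from this page.
write_sample() {
    cat > "$1" <<'EOF'
# sample settings (constructed)
set ssl:verify-certificate no
set ssl:verify-certificate/ftp.yourdomain.com no
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR); quit"
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_lftp_tls "$sample"
rm -f "$sample"
```

Run it against ~/.lftp/rc and the deployment Makefile; the ssl:ca-file line in the sample produces no finding because it leaves verification on.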