Bug 2182418 - lftp : Connection to site fails with certificate verification error
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: lftp
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Michal Ruprich
QA Contact: Ondrej Mejzlik
Reported: 2023-03-28 15:14 UTC by Ravindra Patil
Modified: 2023-07-26 11:41 UTC

Fixed In Version: lftp-4.8.4-3.el8
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-153501 0 None None None 2023-03-30 06:25:08 UTC

Description Ravindra Patil 2023-03-28 15:14:48 UTC
Description of problem:

lftp not working with renewed certificates

- The certificates had expired for the site.

- We got new certificates and replaced the files used by Apache (web server).

- The CA chain is not changed. Only the certificate was renewed.

- The certificates work everywhere for the same site (e.g. various web browsers, curl, openssl connect, gnutls-cli) except for lftp.

- lftp connection works fine on disabling the SSL verification.


Version-Release number of selected component (if applicable):
lftp-4.8.4-2.el8.x86_64.rpm

How reproducible:

- Renew certificates and try to connect to the site through lftp with SSL enabled

Steps to Reproduce:
1.  Obtain renewed certificate
2.  Move them to respective locations as per apache configuration
3.  Try connecting over lftp with SSL enabled

# lftp site-name.example.com 

Actual results:

Connection fails with error "Fatal error: Certificate verification: Not trusted: no issuer was found (C4:3F:D4:BD:3C:BA:B7:8C:45:B1:6B:87:3B:C0:7B:A4:CF:32:99:A2)"

Expected results:
Secure connection should be established, as it does for other tools like curl, openssl connect etc. 

Additional info:
Possibly hitting https://github.com/lavv17/lftp/issues/641 
Fixed by https://github.com/lavv17/lftp/pull/642.

Similar issue seen on Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1477048

