LFTP:证书通用名称与请求的主机名不匹配

tag-icon tag-icon certificate debian-jessie
LFTP:证书通用名称与请求的主机名不匹配

用于lftp从我网络上的两台计算机将文件上传到远程服务器。使用完全相同的代码,这在一台计算机上运行良好,但在另一台计算机上却不起作用。问题会话和成功会话的记录如下所示。我得到的错误是:

证书验证:证书通用名称与请求的主机名不匹配

谷歌搜索此错误会找到一个似乎对大多数人都有效的解决方案(使用:)set ssl:verify-certificate no。但正如您在下面的记录中看到的那样,这对“问题计算机”不起作用。

由于两台计算机使用相同的 DNS 和路由器上网,我只能假设这可能是由问题计算机上的不同设置引起的。除了lftp设置之外,还希望得到检查其他内容的建议。

问题计算机

原版 Debian 系统 jessie 8.7:3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

lftp正在使用的版本:

$ apt show lftp
Package: lftp
Version: 4.6.0-1+deb8u1
:
:

会话失败(主机名由“示例”替换):

$ lftp
lftp :~> debug
lftp :~> set
set dns:order "inet6 inet"
set file:charset UTF-8
set ftp:timezone ""
set net:max-retries 2
set net:timeout 30
set ssl:verify-certificate no
set xfer:log yes
set xfer:log-file /tmp/lftp.log
set xfer:max-log-size 1048576
set xfer:max-redirections 10
set xfer:verify-command /usr/share/lftp/verify-file
lftp :~> open example.nl
---- using user `[email protected]' and password from ~/.netrc
---- Resolving host address...
---- 2 addresses found: (▮▮▮▮▮▮▮▮, ▮▮▮▮▮▮▮▮)
lftp [email protected]@example.nl:~> dir
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
**** connect(control_sock): Network is unreachable
---- Closing control socket
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
<--- 220 ProFTPD 1.3.5b Server ready.
---> FEAT
<--- 211-Features:
<---  CCC
<---  PBSZ
<---  AUTH TLS
<---  MFF modify;UNIX.group;UNIX.mode;
<---  REST STREAM
<---  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<---  LANG en-US.UTF-8*
<---  UTF8
<---  EPRT
<---  EPSV
<---  MDTM
<---  SSCN
<---  TVFS
<---  MFMT
<---  SIZE
<---  PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
<--- 200 Using default language en_US.UTF-8
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER [email protected]
<--- 331 Password required for [email protected]
---> PASS XXXX
<--- 230 User [email protected] logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (▮▮▮▮▮▮▮▮).
---- Connecting data socket to (▮▮▮▮▮▮▮▮) port 35302
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘ example.nl’
<--- 425 Unable to build data connection: Operation not permitted
---- Closing data socket
<--- 450 LIST: Operation not permitted
**** extra server response
ls: Fatal error: max-retries exceeded
lftp [email protected]@example.nl:/>

另一台计算机

基于 Debian 的 Raspbian jessie 8.0:4.4.38+ #938 Thu Dec 15 15:17:54 GMT 2016 armv6l GNU/Linux 在这台电脑上,我拥有完全相同的版本lftp

$ apt show lftp
Package: lftp
Version: 4.6.0-1+deb8u1
:
:

但现在lftp会议没有出现任何问题:

$ lftp
lftp :~> debug
lftp :~> set
set dns:order "inet6 inet"
set file:charset UTF-8
set ftp:timezone ""
set net:max-retries 2
set net:timeout 30
set ssl:verify-certificate no
set xfer:log yes
set xfer:log-file /tmp/lftp.log
set xfer:max-log-size 1048576
set xfer:max-redirections 10
set xfer:verify-command /usr/share/lftp/verify-file
lftp :~> open example.nl
---- using user `[email protected]' and password from ~/.netrc
---- Resolving host address...
---- 2 addresses found: ▮▮▮▮▮▮▮▮, ▮▮▮▮▮▮▮▮
lftp [email protected]@example.nl:~> dir
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
**** connect(control_sock): Network is unreachable
---- Closing control socket
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
<--- 220 ProFTPD 1.3.5b Server ready.
---> FEAT
<--- 211-Features:
<---  CCC
<---  PBSZ
<---  AUTH TLS
<---  MFF modify;UNIX.group;UNIX.mode;
<---  REST STREAM
<---  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<---  LANG en-US.UTF-8*
<---  UTF8
<---  EPRT
<---  EPSV
<---  MDTM
<---  SSCN
<---  TVFS
<---  MFMT
<---  SIZE
<---  PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
<--- 200 Using default language en_US.UTF-8
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER [email protected]
<--- 331 Password required for [email protected]
---> PASS XXXX
<--- 230 User [email protected] logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (▮▮▮▮▮▮▮▮).
---- Connecting data socket to (▮▮▮▮▮▮▮▮) port 35035
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
---- Got EOF on data connection
---- Closing data socket
drwxr-xr-x  11 ftp      ftp          4096 Feb 11 16:56 .
drwxr-xr-x  11 ftp      ftp          4096 Feb 11 16:56 ..
drwxr-xr-x   2 ftp      ftp          4096 Dec 29 10:48 01.home
lftp [email protected]@example.nl:/>

答案1

正如评论所说,ssl:check-hostname 可以工作。可以在 lftp shell 中通过以下方式设置

set ssl:check-hostname no

答案2

我在 Amazon Linux 2 中遇到了类似的问题,下面的内容帮助了我。

附加文件“/etc/lftp.conf”并再次尝试连接。

vi /etc/lftp.conf并附加如下。

按照如下方式验证。

cat /etc/lftp.conf | grep hostname
set ssl:check-hostname no

答案3

该问题可能是由过时的 SSL 库引起的。
另外,如果它是服务器,则在其配置中ProFTPd添加一条提示。 你看过你的 ftp 服务器的日志吗?TLSOptions NoSessionReuseRequired

相关内容