ProtonMail / proton-bridge

Proton Mail Bridge application
GNU General Public License v3.0

Allow for self-hosting on server, in container, with own certificate to allow mbsync to function #412

Closed ygaeon closed 1 year ago

ygaeon commented 1 year ago

As per #315, it was identified that it was possible to export the TLS certificate so that it can be used with tools such as mbsync (https://isync.sourceforge.io/). However, I'm self-hosting protonmail-bridge in a container and thus, the self-signed cert provided doesn't work as it complains "Error, certificate owner does not match hostname <server>". (The self-signed cert expects localhost.)

I've loosely based my own buildah script on https://github.com/shenxn/protonmail-bridge-docker/ and everything works fine with Thunderbird etc. (if I turn off "Connection security" such as "STARTTLS", which is far from optimal).

Expected Behavior

Allow me to add my own certificate as in v2 so that I can run protonmail-bridge on my server as I did before.

Current Behavior

I have to downgrade security (no STARTTLS).

Possible Solution

Allow me to add my own certificate. In v2 these were exposed in .config/protonmail/bridge.

Steps to Reproduce

It's well described in the intro.. :)

Version Information

protonmail-bridge 3.2.0

Context (Environment)

Server: Debian Bullseye, Podman 3.0.1, Buildah 1.19.6

Detailed Description

Detailed in intro.. :)

Possible Implementation

As in "Possible Solution" above.. :)

LBeernaertProton commented 1 year ago

Hey @ygaeon. You can start bridge in cli mode and use the import-tls-cert command to import your own TLS certificates. You only need to do this once.

ygaeon commented 1 year ago

Oh, OK thanks. Will try this route... How would I go about automatically refreshing this certificate when manual cli commands are required? (In previous v2 I could refresh the certificate and restart the service for it to pick it up.)

LBeernaertProton commented 1 year ago

We store the paths to the certificates, not the certificates themselves. Once your certificates update, you just need to restart bridge for the changes to take effect.
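
Because Bridge keeps only the paths and reads the files again on restart, a renewal job can validate the renewed files before it restarts Bridge, which catches the hostname mismatch reported above before mbsync does. The script below is an added example, not code from this thread or from the Bridge project; the file paths, host name and restart command are placeholders for your own setup.

```shell
#!/bin/sh
# Pre-restart checks for a renewed certificate that Bridge references by path.
# Assumption: CERT and KEY are the PEM files previously imported into Bridge;
# HOST is the name clients such as mbsync connect to. All three are supplied
# by the caller and are not taken from the thread.

# cert_matches_host CERT HOST
# Succeeds only if HOST is covered by the certificate (SAN, or CN fallback).
# openssl reports the result as text, so the output is matched rather than
# relying on the exit status.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# key_matches_cert CERT KEY
# Succeeds only if the private key belongs to the certificate's public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT SECONDS
# Succeeds only if the certificate is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# preflight CERT KEY HOST
# Returns 0 when the pair is safe to serve, otherwise 1, 2 or 3 by failed check.
preflight() {
    cert_matches_host "$1" "$3" ||
        { echo "certificate does not cover host $3" >&2; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "private key does not match certificate" >&2; return 2; }
    cert_valid_for "$1" 86400 ||
        { echo "certificate expires within 24 hours" >&2; return 3; }
}

# Stand-alone use: ./preflight.sh CERT KEY HOST, then restart Bridge with
# your own restart command only if this exits 0.
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```
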