marklar423 / KoboCloud-rclone

A set of scripts to synchronize a kobo reader with popular cloud services. This fork uses rclone instead of curl.

Proton Drive - "tls: failed to verify certificate: x509: certificate signed by unknown authority" #5

Open dsommers opened 3 days ago

dsommers commented 3 days ago

When trying to configure KoboCloud-rclone with a Proton Drive account, I get these errors in the get.log:

2024-10-14_10:07:26 waiting for internet connection
NickelDBus found
rclone found
Getting protonacc:Kobo
/mnt/onboard/.add/kobocloud/bin/rclone copy --no-check-certificate -v --config /mnt/onboard/.add/kobocloud/rclone.conf "protonacc:Kobo" "/mnt/onboard/.add/kobocloud/Library/protonacc/"
2024/10/14 10:08:18.596539 ERROR RESTY Get "https://mail.proton.me/api/core/v4/users": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 1
2024/10/14 10:08:18.856601 ERROR RESTY Get "https://mail.proton.me/api/core/v4/users": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 2
2024/10/14 10:08:19.249781 ERROR RESTY Get "https://mail.proton.me/api/core/v4/users": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 3
2024/10/14 10:08:19.656684 ERROR RESTY Get "https://mail.proton.me/api/core/v4/users": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 4
2024/10/14 10:08:19.889081 ERROR RESTY Post "https://mail.proton.me/api/auth/v4/info": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 1
2024/10/14 10:08:20.189048 ERROR RESTY Post "https://mail.proton.me/api/auth/v4/info": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 2
2024/10/14 10:08:20.554426 ERROR RESTY Post "https://mail.proton.me/api/auth/v4/info": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 3
2024/10/14 10:08:20.960521 ERROR RESTY Post "https://mail.proton.me/api/auth/v4/info": tls: failed to verify certificate: x509: certificate signed by unknown authority, Attempt 4
2024/10/14 10:08:20 Failed to create file system for "protonacc:Kobo": couldn't initialize a new proton drive instance: Post "https://mail.proton.me/api/auth/v4/info": tls: failed to verify certificate: x509: certificate signed by unknown authority
pfmDoneProcessing
2024-10-14_10:08:31 done
24-10-14_10:08:30 done

This smells like an out-of-date ca-bundle file. Using rclone with the exact same config on my laptop works fine:

$ rclone lsd protonacc:Kobo
          -1 2024-10-13 21:58:59        -1 Notes
          -1 2024-10-13 21:59:12        -1 books
dsommers commented 3 days ago

When connecting from my laptop to mail.proton.me (using openssl s_client -connect mail.proton.me:443) I get these certificate details:

$ openssl s_client -connect mail.proton.me:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = proton.me
verify return:1
---
Certificate chain
 0 s:CN = proton.me
   i:C = US, O = Let's Encrypt, CN = R10
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = proton.me

issuer=C = US, O = Let's Encrypt, CN = R10

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---

When feeding that certificate to openssl x509 -noout -issuer -subject -dates:

issuer=C = US, O = Let's Encrypt, CN = R10
subject=CN = proton.me
notBefore=Sep  1 13:17:03 2024 GMT
notAfter=Nov 30 13:17:02 2024 GMT

That looks pretty normal for a Let's Encrypt signed server certificate.

dsommers commented 3 days ago

(sorry, clicked the wrong button)

dsommers commented 1 day ago

I've done some more debugging, trying to replace the ca-bundle.crt file with an updated one, trying to modify the rclone call to use the --ca-cert option (this might require a single certificate, not a bundle) ... but to no avail. By calling rclone with -vvvv, I see the arguments are being passed correctly, so it's not something silly there.
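A self-contained check of the out-of-date-bundle theory, added here and not part of the KoboCloud-rclone project or the comments above: it lists the roots contained in a PEM bundle and verifies a leaf against that bundle, the same trust lookup Go performs before reporting "certificate signed by unknown authority". The root "Demo Root", the leaf "kobo.example" and the two bundles are constructed locally so the script runs offline; on the device you would point the same functions at its ca-bundle.crt and a chain saved from the s_client output.

```shell
#!/bin/sh
# Added diagnostic (not part of KoboCloud-rclone): does a CA bundle anchor a
# server's chain? Go reports a missing root as "certificate signed by unknown
# authority"; OpenSSL reports the same condition as "unable to get local
# issuer certificate". A throwaway root and leaf are generated so it runs offline.
set -eu

# Print the subject of every certificate in a PEM bundle, one per line.
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

# Succeed if some certificate in bundle $1 has a subject containing $2
# (e.g. "ISRG Root X1", the depth-2 root in the s_client output in this thread).
bundle_has_subject() { bundle_subjects "$1" | grep -q -- "$2"; }

# Succeed if leaf $2 chains to a root in bundle $1 (add -untrusted for intermediates).
verify_against_bundle() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print OpenSSL's reason when verifying leaf $2 against bundle $1 fails.
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*depth lookup: //p' | head -n 1
}

# Constructed test data in directory $1: "Demo Root" signs leaf "kobo.example";
# current-bundle.crt holds Demo Root, stale-bundle.crt holds only an unrelated root.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kobo.example" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root" \
    -keyout "$1/other.key" -out "$1/stale-bundle.crt" 2>/dev/null
  cp "$1/root.pem" "$1/current-bundle.crt"
}

DEMO_DIR=$(mktemp -d)
make_demo_chain "$DEMO_DIR"
for b in current-bundle.crt stale-bundle.crt; do
  if verify_against_bundle "$DEMO_DIR/$b" "$DEMO_DIR/leaf.pem"; then
    echo "$b: chain verifies"
  else
    echo "$b: $(verify_error "$DEMO_DIR/$b" "$DEMO_DIR/leaf.pem")"
    bundle_has_subject "$DEMO_DIR/$b" "Demo Root" || echo "$b: issuing root is not in the bundle"
  fi
done
```

The stale bundle reproduces the failure mode from the log: verification fails purely because the issuing root is absent from the trust store, while the server certificate itself is valid.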