Open dsommers opened 3 days ago
When connecting from my laptop to mail.proton.me (using `openssl s_client -connect mail.proton.me:443`) I get these certificate details:
```
$ openssl s_client -connect mail.proton.me:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = proton.me
verify return:1
---
Certificate chain
 0 s:CN = proton.me
   i:C = US, O = Let's Encrypt, CN = R10
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = proton.me
issuer=C = US, O = Let's Encrypt, CN = R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
```
When feeding that certificate to `openssl x509 -noout -issuer -subject -dates`:

```
issuer=C = US, O = Let's Encrypt, CN = R10
subject=CN = proton.me
notBefore=Sep 1 13:17:03 2024 GMT
notAfter=Nov 30 13:17:02 2024 GMT
```
That looks pretty normal for a Let's Encrypt signed server certificate.
(sorry, clicked the wrong button)
I've done some more debugging, trying to replace the `ca-bundle.crt` file with an updated one, trying to modify the `rclone` call to use the `--ca-cert` option (this might require a single certificate, not a bundle) ... but to no avail. By calling `rclone` with `-vvvv`, I see the arguments are being passed correctly, so it's not something silly there.
When trying to configure KoboCloud-rclone with a Proton Drive account, I get these errors in the `get.log`:

This smells like an out-of-date ca-bundle file. Using `rclone` with the exact same config on my laptop works fine: