How to use a custom CA certificate


#1

Hello,

I’ve got a home HTTPS server, which uses a certificate signed by my custom CA (which is the root of my own home “PKI”).

I can browse that content with cURL using this command:

>curl --cacert ca.crt https://USER:PASS@IP:PORT/

Where ca.crt is the root certificate on my CA.

However, if I try to list those contents with rclone v1.46 I get the following error:

>rclone lsf -vv --http-url "https://USER:PASS@IP:PORT/" :http:
2019/02/09 23:54:24 DEBUG : rclone: Version "v1.46" starting with parameters ["rclone" "lsf" "-vv" "--http-url" "https://USER:PASS@IP:PORT/" ":http:"]
2019/02/09 23:54:24 ERROR : : error listing: error listing "": failed to readDir: Get https://USER:***@IP:PORT/: x509: certificate signed by unknown authority
2019/02/09 23:54:24 DEBUG : 2 go routines active

The message clearly says that the certificate is signed by unknown authority, but I can’t find the proper way to provide my CA certificate to rclone.

Just to be sure, I’ve tried to connect without validating the server’s certificate, and then rclone lists the content without any issues (as expected):

>rclone lsf -vv --no-check-certificate --http-url "https://USER:PASS@IP:PORT/" :http:
2019/02/09 23:54:34 DEBUG : rclone: Version "v1.46" starting with parameters ["rclone" "lsf" "-vv" "--no-check-certificate" "--http-url" "https://USER:PASS@IP:PORT/" ":http:"]
DIR_1/
DIR_2/
...
DIR_N/
2019/02/09 23:54:35 DEBUG : 4 go routines active
2019/02/09 23:54:35 DEBUG : rclone: Version "v1.46" finishing with parameters ["rclone" "lsf" "-vv" "--no-check-certificate" "--http-url" "https://USER:PASS@IP:PORT/" ":http:"]

How can I use a custom CA with rclone? I mean, what are the rclone equivalents of the --cacert ca.crt parameter in cURL?

Thank you very much.


#2

You can do this on any of the rclone servers but not on the client.

Rclone will be using your system CA, so if you add your certificate to there, then rclone will pick it up automatically, I would have thought.

You could use this as a work-around, which probably isn’t what you want:

  --no-check-certificate   Do not verify the server SSL certificate. Insecure.

Or I could add some additional flags which would be used for all backends which use rclone’s http transport, something like this…

  --ca-cert string          Client side certificate authority used to verify the server
  --client-cert string      Client side SSL certificate PEM key (concatenation of certificate and CA certificate)
  --client-key string       Client side SSL Private PEM key

You only need the first one, but the last two complete the set and allow mutual TLS authentication with client-side certificates, which is much more secure than using password auth.
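As an added example (not rclone's code and not from anyone in this thread), the Go program below shows what the proposed --ca-cert flag amounts to in the Go HTTP stack rclone is built on: a root pool loaded from ca.crt, and the same x509 chain check the TLS client runs, which yields the unknown-authority error whenever that pool lacks the home CA. HomePKI, VerifyServer and the home.example name are assumptions; the CA and server certificate are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// HomePKI builds a throwaway PKI shaped like the poster's: a self-signed root CA, returned
// as PEM (the ca.crt), and a server certificate it signed. The system trust store is untouched.
func HomePKI() (caPEM []byte, server *x509.Certificate, err error) {
	_, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caKey.Public(), caKey)
	if err != nil {
		return nil, nil, err
	}
	srvPub, _, err := ed25519.GenerateKey(rand.Reader) // server key pair; only the public half is used here
	if err != nil {
		return nil, nil, err
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "home.example"}, DNSNames: []string{"home.example"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, srvPub, caKey)
	if err == nil { // keep the CreateCertificate error rather than the parse error for a nil srvDER
		server, err = x509.ParseCertificate(srvDER)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), server, err
}

// VerifyServer is what --ca-cert would let rclone do: load ca.crt into the root pool that goes
// into tls.Config.RootCAs and check the server's chain against it, hostname and validity included.
// With an empty or different CA the result is the "x509: certificate signed by unknown authority" error.
func VerifyServer(server *x509.Certificate, caPEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // returns false, leaving the pool empty, if caPEM holds no certificate
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "home.example"})
	return err
}
```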


#3

I’ve tried that on a Windows 10 Pro laptop, by adding my CA root certificate to Internet Explorer --> Tools (Alt-X) --> Internet options --> Content --> Certificates --> Trusted Root Certification Authorities tab, and it works perfectly. Thank you very much!

Adding those three flags would be even better! It would allow rclone to be fully portable, since you wouldn’t have to install/modify anything on the running computer.

Could you please tell me how I should add this as a feature request?

Thank you.


#4

Sure, please make a new issue on GitHub with those example flags in and we’ll see what we can do :smile:


#5

Just done: https://github.com/ncw/rclone/issues/2966 :grinning::+1:

Thank you very much.