SSL Validation broken between v1.69.1 - latest version

Run the command 'rclone version' and share the full output of the command.

Problematic Version:

rclone v1.71.2
- os/version: Microsoft Windows 11 Pro 25H2 25H2 (64 bit)
- os/kernel: 10.0.26200.7171 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.25.3
- go/linking: static
- go/tags: cmount

Which cloud storage system are you using? (eg Google Drive)

OneDrive.

The command you were trying to run (eg rclone about /tmp remote:tmp)

rclone about OneDrive_CloudStorage:

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.


[OneDrive_CloudStorage]
type = onedrive
client_id = XXX
client_secret = XXX
token = XXX
drive_id = XXX
drive_type = personal

[OneDrive_Personal]
type = onedrive
client_id = XXX
client_secret = XXX
token = XXX
drive_id = XXX
drive_type = personal

[OneDrive_Personal_Vault]
type = crypt
remote = OneDrive_Personal:rc_crypt
password = XXX
password2 = XXX
### Double check the config for sensitive info before posting publicly

A log from the command that you were trying to run with the -vv flag


2025/11/12 10:13:10 CRITICAL: Failed to create file system for "OneDrive_CloudStorage:": failed to get root: Get "https://graph.microsoft.com/v1.0/drives/UID/root": tls: failed to verify certificate: x509: negative serial number

My Issue:

In my environment, I have a proxy system intercepting all HTTPS traffic. Obviously this interferes with the certificates of HTTPS servers. Thus, the Windows Trusted Root CA store has the cert from the proxy installed. This is a commercial proxy system and this works great for browsers, most applications, etc.

Previously, this has worked fine with Rclone too. Then, I tried updating to the latest version (1.71.2), and received the above error. I tried specifying the --ca-file as per "Additional HTTPS remote flags · Issue #2966 · rclone/rclone · GitHub", but Rclone refused to load the CA cert from the file, with an error.

Reverting back to the 1.69.1 binary fixes everything. This is the version which WORKS fine, I have not tried others (apart from latest):

rclone v1.69.1
- os/version: Microsoft Windows 11 Pro 25H2 25H2 (64 bit)
- os/kernel: 10.0.26200.7171 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.24.0
- go/linking: static
- go/tags: cmount

Question: What has changed between 1.69.1 and 1.71.2 which is preventing this working? More importantly, how can I solve this issue on the later Rclone versions?

Likely the Go version upgrade caused the TLS connections to be checked more carefully.

There is an explanation and an alternative fix here

In your config for the OneDrive remotes put

override.no_check_certificate = true

This will stop rclone checking the certificate.

Thanks Nick.

I have tracked down a certificate using a negative serial number, which is actually invalid according to RFC 5280. I have contacted the proxy vendor who will hopefully update the certificate.

In the meantime I will continue to use the version of Rclone prior to the Go update, as bypassing certificate checks is generally considered bad practice except in a few cases (testing etc).

Thanks.
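
The check described in the post above (tracking down which certificate carries a negative serial number), as an added example that is not part of the thread or of rclone's code: it reads serialNumber straight from the DER with encoding/asn1, so it also works on certificates that crypto/x509 rejects with "x509: negative serial number". The function names and the two DER stubs are constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// serialFromDER walks Certificate -> tbsCertificate -> serialNumber using
// encoding/asn1 only, so it never triggers crypto/x509's serial check.
func serialFromDER(der []byte) (*big.Int, error) {
	var cert, tbs, f asn1.RawValue
	if _, err := asn1.Unmarshal(der, &cert); err != nil {
		return nil, err
	}
	if _, err := asn1.Unmarshal(cert.Bytes, &tbs); err != nil {
		return nil, err
	}
	rest, err := asn1.Unmarshal(tbs.Bytes, &f)
	if err == nil && f.Class == asn1.ClassContextSpecific && f.Tag == 0 {
		_, err = asn1.Unmarshal(rest, &f) // skip the optional [0] version field
	}
	if err != nil || f.Class != asn1.ClassUniversal || f.Tag != asn1.TagInteger || len(f.Bytes) == 0 {
		return nil, errors.New("serialNumber INTEGER not found")
	}
	n := new(big.Int).SetBytes(f.Bytes)
	if f.Bytes[0]&0x80 != 0 { // high bit set: two's-complement negative value
		n.Sub(n, new(big.Int).Lsh(big.NewInt(1), uint(8*len(f.Bytes))))
	}
	return n, nil
}

// negativeSerials returns the serial of every CERTIFICATE block in a PEM
// bundle whose serialNumber is negative (the RFC 5280 violation in this thread).
func negativeSerials(bundle []byte) (bad []string) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if n, err := serialFromDER(blk.Bytes); blk.Type == "CERTIFICATE" && err == nil && n.Sign() < 0 {
			bad = append(bad, n.String())
		}
	}
	return bad
}
// Constructed stubs: just enough DER to reach serialNumber (values 5 and -128).
var okDER = []byte{0x30, 0x0a, 0x30, 0x08, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x05}
var negDER = []byte{0x30, 0x0a, 0x30, 0x08, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x80}
func main() {
	fmt.Println(negativeSerials(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: negDER})))
}
```

Passing negativeSerials a PEM export of the trusted root store lists the serials of the offending certificates.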

Setting the environment variable GODEBUG to x509negativeserial=1 should allow the new rclone version to run, with certificate checks.

Maybe I should burn this into rclone in the go.mod, as I don't really think this is a security issue, just a spec violation.

godebug (
    x509negativeserial=1
)

I will test this out.

Good idea, I think you are right - all down to the RFC spec, which some CAs don't fully comply with (esp. small ones, e.g. proxy systems).

I tried adding the fix to go.mod - can you give this a try? Thanks

v1.72.0-beta.9299.e202b61e0.fix-negative-serial-numbers on branch fix-negative-serial-numbers (uploaded in 15-30 mins)

Looks like that has done it. Not complaining about the slightly wonky certificate serial numbers anymore.

> rclone-beta about OneDrive_XXXX:
Enter configuration password:
password:
Total:   1.005 TiB
Used:    949.800 GiB
Free:    79.200 GiB
Trashed: 0 B

Thanks.

Thanks for testing. I've merged this to master now, which means it will be in the latest beta in 15-30 minutes and released in v1.72.
