Getting a self-signed certificate error with ProtonBridge and mbsync

I am attempting to set up isync with ProtonBridge and am getting the following error:

SSL error connecting 127.0.0.1 (127.0.0.1:1143): self signed certificate

I am aware that this is localhost, and as such the certificate that it presents is self-signed. In any other email client, Thunderbird for instance, it is a matter of confirming a security exception for port 1143 on 127.0.0.1, as detailed in step 5 here. What I have not quite figured out is how to do that in mbsync. Here is my .mbsyncrc:

# Remote side: the local ProtonBridge IMAP endpoint (STARTTLS on 1143)
IMAPStore user-remote
Host 127.0.0.1
Port 1143
User [email protected]
Pass protonbridgepassword
SSLType STARTTLS
# Trust store used to verify the Bridge's certificate
CertificateFile /etc/ssl/certs/ca-certificates.crt

# Local side: Maildir under ~/Mail
MaildirStore user-local
Path ~/Mail/
Inbox ~/Mail/INBOX
Subfolders Verbatim
Flatten .

# Channel linking the two stores (store names must match those above)
Channel user
Master :user-remote:
Slave :user-local:
Create Both
Expunge Both
Patterns *
SyncState *

I also tried the option SystemCertificates no, to no avail. Here is the full log:

Reading configuration file /home/user/.mbsyncrc
C: 0/1  B: 0/0  M: +0/0 *0/0 #0/0  S: +0/0 *0/0 #0/0
Channel user
Opening master store user-remote...
Resolving 127.0.0.1... ok
Connecting to 127.0.0.1 (127.0.0.1:1143)... 
Opening slave store user-local...
SSL error connecting 127.0.0.1 (127.0.0.1:1143): self signed certificate
C: 1/1  B: 0/0  M: +0/0 *0/0 #0/0  S: +0/0 *0/0 #0/0

You need to copy ProtonBridge's certificate as explained here in Step #1: Get the certificates. The openssl command is somewhat different though, as you need to specify the STARTTLS protocol when connecting to the local server:

openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts

It should give you something along these lines:

CONNECTED(00000003)
depth=0 C = CH, O = Proton Technologies AG, OU = ProtonMail, CN = 127.0.0.1
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, O = Proton Technologies AG, OU = ProtonMail, CN = 127.0.0.1
verify return:1
---
Certificate chain
 0 s:/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
   i:/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgIQBW7/mrcQcB5Iu1POkJ3YNzANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJDSDEfMB0GA1UEChMWUHJvdG9uIFRlY2hub2xvZ2llcyBBRzET

(...)

kNvCZidKp31PdIO9IzQn2cI86f2mo1a+ad5dsd1HU4ZB+B3nMiWbQizaFmD3MrgO
cR/KRJtxKTcXQCBLqIi+t2sDFQ8uozs0xYbGHDrCPgCayZLfAVxGCwP2LANnQKw=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
issuer=/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
---
Acceptable client certificate CA names
/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms:

(...)

Copy the very first block that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, paste it into a file and save it with a .pem extension. Let's say you name it protonbridge.pem and save it in /etc/ssl/certs/; you would then need to add this to your ~/.mbsyncrc file:

CertificateFile /etc/ssl/certs/protonbridge.pem

This should be it; you should now be able to sync. I did not seem to have to copy the root issuer certificate as explained at the end of step #1 in the link. If you run mbsync -l channel-name you will see a list of all mailboxes to sync. You may want to add Patterns INBOX Sent if you do not want each and every folder in your Protonmail account to sync, including one called "All Mail"!
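The extraction step described above, as an added example that is not part of the original answer: a small POSIX shell helper that pulls only the first PEM block out of openssl s_client output (the server certificate, which for a self-signed certificate is also its own issuer) and checks that the resulting file holds exactly one certificate. The s_client output embedded here is a constructed stand-in with a placeholder body, not a real Bridge certificate, so the script runs offline; the output path /tmp/protonbridge.pem is an assumption for the demo, the answer itself used /etc/ssl/certs/protonbridge.pem.

```shell
#!/bin/sh
# Added example, not from the original post or from ProtonBridge/isync:
# extract the first certificate block from `openssl s_client -showcerts`
# output so it can be pinned via mbsync's CertificateFile option.

# Print only the first PEM certificate block found on stdin.
# Later blocks (an issuer chain, if any) are dropped on purpose, because
# the self-signed server certificate is the only trust anchor needed.
extract_first_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (!seen) { inblock = 1; seen = 1 } }
        inblock { print }
        /-----END CERTIFICATE-----/   { if (inblock) { inblock = 0 } }
    '
}

# Return 0 if the file holds exactly one PEM certificate block, else 1.
# Guards against accidentally pasting the whole chain or nothing at all.
check_single_cert() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    [ "$n" -eq 1 ]
}

# CONSTRUCTED sample mimicking the shape of the s_client output shown in
# the answer; the certificate body is a placeholder, not real data.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 C = CH, O = Proton Technologies AG, OU = ProtonMail, CN = 127.0.0.1
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
   i:/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgIQ-constructed-placeholder-body
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1
issuer=/C=CH/O=Proton Technologies AG/OU=ProtonMail/CN=127.0.0.1'

# Hypothetical output path for the demo (the answer used /etc/ssl/certs/).
OUT="${OUT:-/tmp/protonbridge.pem}"
printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_first_cert > "$OUT"
check_single_cert "$OUT" && echo "wrote one certificate block to $OUT"

# Against a live Bridge you would feed the real command instead; </dev/null
# makes s_client exit after printing rather than waiting for IMAP input:
#   openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts \
#       </dev/null 2>/dev/null | extract_first_cert > protonbridge.pem
```

After saving the file, record its SHA-256 fingerprint with `openssl x509 -in protonbridge.pem -noout -fingerprint -sha256` and compare it with what the Bridge reports; pinning the exact certificate this way keeps verification on, which is preferable to any option that disables it.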


As mentioned in the comment above by @pusillanimous, I confirm that pointing directly to the cert at the Protonmail Bridge works.

So you simply need to add the following to your .mbsyncrc:

CertificateFile ~/.config/protonmail/bridge/cert.pem