From a5f0c1613e9f7f75bbd8336546170504c8d24b95 Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Tue, 3 Oct 2023 18:58:32 +0000
Subject: [PATCH] fix: add Let's Encrypt root certificate to `reqwest`

This certificate does not exist on older Android phones.
It is already added manually for IMAP and SMTP,
this commit adds the same certificate for HTTP requests.
---
 src/net/http.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/net/http.rs b/src/net/http.rs
index cbee57959..6f31e3348 100644
--- a/src/net/http.rs
+++ b/src/net/http.rs
@@ -4,12 +4,20 @@ use std::time::Duration;
 
 use anyhow::{anyhow, Result};
 use mime::Mime;
+use once_cell::sync::Lazy;
 
 use crate::context::Context;
 use crate::socks::Socks5Config;
 
 const HTTP_TIMEOUT: Duration = Duration::from_secs(30);
 
+static LETSENCRYPT_ROOT: Lazy<reqwest::tls::Certificate> = Lazy::new(|| {
+    reqwest::tls::Certificate::from_der(include_bytes!(
+        "../../assets/root-certificates/letsencrypt/isrgrootx1.der"
+    ))
+    .unwrap()
+});
+
 /// HTTP(S) GET response.
 #[derive(Debug)]
 pub struct Response {
@@ -79,7 +87,10 @@ async fn read_url_inner(context: &Context, url: &str) -> Result<reqwest::Respons
 }
 
 pub(crate) fn get_client(socks5_config: Option<Socks5Config>) -> Result<reqwest::Client> {
-    let builder = reqwest::ClientBuilder::new().timeout(HTTP_TIMEOUT);
+    let builder = reqwest::ClientBuilder::new()
+        .timeout(HTTP_TIMEOUT)
+        .add_root_certificate(LETSENCRYPT_ROOT.clone());
+
     let builder = if let Some(socks5_config) = socks5_config {
         let proxy = reqwest::Proxy::all(socks5_config.to_url())?;
         builder.proxy(proxy)