Configuring offlineimap for gmail: SSL error

I'm trying to configure offlineimap to download my gmail but am getting the error:

OfflineIMAP 6.5.7
  Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
Account sync Gmail:
 *** Processing account Gmail
 Establishing connection to imap.gmail.com:993
 ERROR: No CA certificates and no server fingerprints configured.  You must configure at least something, otherwise having SSL helps nothing.
 *** Finished account 'Gmail' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: No CA certificates and no server fingerprints configured.  You must configure at least something, otherwise having SSL helps nothing.

Traceback:
  File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line 263, in syncrunner
    self.__sync()
  File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line 326, in __sync
    remoterepos.getfolders()
  File "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py", line 351, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line 439, in acquireconnection
    use_socket=self.proxied_socket,
  File "/usr/lib/python2.7/site-packages/offlineimap/imaplibutil.py", line 186, in __init__
    super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/offlineimap/imaplib2.py", line 2063, in __init__
    IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
  File "/usr/lib/python2.7/site-packages/offlineimap/imaplib2.py", line 344, in __init__
    self.open(host, port)
  File "/usr/lib/python2.7/site-packages/offlineimap/imaplibutil.py", line 193, in open
    "having SSL helps nothing.", OfflineImapError.ERROR.REPO)

My .offlineimaprc is:

[general]
accounts = Gmail
maxsyncaccounts = 3
sslcacertfile = /etc/ssl/certs/ca-certificates.crt

[Account Gmail]
localrepository = Local
remoterepository = Remote

[Repository Local]
type = Maildir
localfolders = ~/mail

[Repository Remote]
type = IMAP
remotehost = imap.gmail.com
remoteuser = [email protected]
remotepass = Secret
ssl = yes
maxconnections = 3
realdelete = no

I am specifying where my certs are. Why is it still erroring out?


Solution 1:

Put entry:

sslcacertfile = /etc/ssl/certs/ca-certificates.crt

In section:

[Repository Remote]

Solution 2:

In order for OfflineIMAP to use the system’s default CA roots file put the line

sslcacertfile = OS-DEFAULT

in the [Repository $remoterepository] section of your OfflineIMAP config file.

The relevant documentation from offlineimap.conf reads:

Special value OS-DEFAULT makes Offlineimap to automatically determine system-wide location of standard trusted CA roots file for known OS distributions and use the first bundle encountered (if any).

Solution 3:

For FreeBSD install the port security/ca_root_nss

and then add

sslcacertfile = /usr/local/share/certs/ca-root-nss.crt