offlineimap and ssl requires configuration of fingerprint

Bug #1015692 reported by Scott Moser on 2012-06-20
This bug affects 9 people
Affects Status Importance Assigned to Milestone
offlineimap (Ubuntu)

Bug Description

Upon upgrade from 12.04 to quantal, my offlineimap configuration broke, showing messages like:

| *** Processing account Gmail
| INFO:OfflineImap:*** Processing account Gmailu
| Establishing connection to
| INFO:OfflineImap:Establishing connection to
| ERROR: Server SSL fingerprint 'f3043dd689a2e7dddfbef82703a6c65ea9b634c1'
| for hostname '' does not match configured fingerprint.
| Please verify and set 'cert_fingerprint' accordingly if not set yet.
| INFO:OfflineImap:ERROR: Server SSL fingerprint 'f3043dd689a2e7dddfbef82703a6c65ea9b634c1'
| for hostname '' does not match configured fingerprint.
| Please verify and set 'cert_fingerprint' accordingly if not set yet.

The fix is for the user to add an entry for 'cert_fingerprint' in the same spot as 'ssl = yes' (which is automatic if 'type = Gmail').
Ie add:
 cert_fingerprint = f3043dd689a2e7dddfbef82703a6c65ea9b634c1

So that your Repository entry looks something like:
| [Repository GmailRemote]
| type = Gmail
| # ssl = yes # this is default for gmail
| cert_fingerprint = f3043dd689a2e7dddfbef82703a6c65ea9b634c1
| remoteuser = <email address hidden>

There is some discussion at about possibly using system certificates to make such manual configuration unnecessary.

This bug is filed upstream at:

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: offlineimap 6.5.4-2
ProcVersionSignature: Ubuntu 3.4.0-5.11-generic 3.4.0
Uname: Linux 3.4.0-5-generic x86_64
ApportVersion: 2.2.3-0ubuntu6
Architecture: amd64
Date: Wed Jun 20 12:50:06 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
PackageArchitecture: all
 PATH=(custom, user)
SourcePackage: offlineimap
UpgradeStatus: Upgraded to quantal on 2011-11-07 (226 days ago)

Scott Moser (smoser) wrote :
Scott Moser (smoser) wrote :

I see 2 ways to make the situation better:
 a.) help upstream use system certificates if that is not already functional and build debian package so that works
 b.) improve the error messages in the case where there is no entry for the Repository to be something more useful like:
  | The server for repository 'Gmail' has a fingerprint that cannot be
  | verified. If you trust the fingerprint of
  | 'f3043dd689a2e7dddfbef82703a6c65ea9b634c1' then you need to update the
  | 'Repository Gmail' entry in offlineimaprc to include:
  | ssl = yes
  | cert_fingerprint = f3043dd689a2e7dddfbef82703a6c65ea9b634c1

'a' is definitely useful, but I suspect will not fix the issue for everyone.

Scott Moser (smoser) on 2012-06-20
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in offlineimap (Ubuntu):
status: New → Confirmed
Scott Moser (smoser) on 2012-06-20
Changed in offlineimap (Ubuntu):
importance: Undecided → Low
Michael Vogt (mvo) wrote :

This is one way of solving the issue by providing a default setting for the sslcasert file that points to the ubuntu systemwide
/etc/ssl/certs/ca-certificates.crt file

tags: added: patch
Rafał Ochmański (rmopl) wrote :

You can add

sslcacertfile = /etc/ssl/certs/ca-certificates.crt

in the [Repository remote] section.

Mihai Capotă (mihaic) wrote :

I successfully tested the solution in the patch from comment #4 on Ubuntu 14.04.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers