offlineimap and ssl requires configuration of fingerprint

Bug #1015692 reported by Scott Moser
This bug affects 9 people
Affects: offlineimap (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

Upon upgrade from 12.04 to quantal, my offlineimap configuration broke, showing messages like:

| *** Processing account Gmail
| INFO:OfflineImap:*** Processing account Gmailu
| Establishing connection to imap.gmail.com:993
| INFO:OfflineImap:Establishing connection to imap.gmail.com:993
| ERROR: Server SSL fingerprint 'f3043dd689a2e7dddfbef82703a6c65ea9b634c1'
| for hostname 'imap.gmail.com' does not match configured fingerprint.
| Please verify and set 'cert_fingerprint' accordingly if not set yet.
| INFO:OfflineImap:ERROR: Server SSL fingerprint 'f3043dd689a2e7dddfbef82703a6c65ea9b634c1'
| for hostname 'imap.gmail.com' does not match configured fingerprint.
| Please verify and set 'cert_fingerprint' accordingly if not set yet.

The fix is for the user to add an entry for 'cert_fingerprint' in the same spot as 'ssl = yes' (which is automatic if 'type = Gmail').
I.e., add:
 cert_fingerprint = f3043dd689a2e7dddfbef82703a6c65ea9b634c1

So that your Repository entry looks something like:
| [Repository GmailRemote]
| type = Gmail
| # ssl = yes # this is default for gmail
| cert_fingerprint = f3043dd689a2e7dddfbef82703a6c65ea9b634c1
| remoteuser = <email address hidden>

There is some discussion at http://comments.gmane.org/gmane.mail.imap.offlineimap.general/5654 about possibly using system certificates to make such manual configuration unnecessary.

This bug is filed upstream at:
 https://github.com/spaetz/offlineimap/issues/46

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: offlineimap 6.5.4-2
ProcVersionSignature: Ubuntu 3.4.0-5.11-generic 3.4.0
Uname: Linux 3.4.0-5-generic x86_64
ApportVersion: 2.2.3-0ubuntu6
Architecture: amd64
Date: Wed Jun 20 12:50:06 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: offlineimap
UpgradeStatus: Upgraded to quantal on 2011-11-07 (226 days ago)

Scott Moser (smoser) wrote :

I see 2 ways to make the situation better:
 a.) help upstream use system certificates if that is not already functional and build the Debian package so that works
 b.) improve the error messages in the case where there is no entry for the Repository to be something more useful like:
  | The server for repository 'Gmail' has a fingerprint that cannot be
  | verified. If you trust the fingerprint of
  | 'f3043dd689a2e7dddfbef82703a6c65ea9b634c1' then you need to update the
  | 'Repository Gmail' entry in offlineimaprc to include:
  | ssl = yes
  | cert_fingerprint = f3043dd689a2e7dddfbef82703a6c65ea9b634c1

'a' is definitely useful, but I suspect will not fix the issue for everyone.

Scott Moser (smoser)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in offlineimap (Ubuntu):
status: New → Confirmed
Scott Moser (smoser)
Changed in offlineimap (Ubuntu):
importance: Undecided → Low
Michael Vogt (mvo) wrote :

This is one way of solving the issue, by providing a default setting for the sslcacertfile that points to the Ubuntu system-wide /etc/ssl/certs/ca-certificates.crt file.

tags: added: patch
Rafał Ochmański (rmopl) wrote :

You can add

sslcacertfile = /etc/ssl/certs/ca-certificates.crt

in the [Repository remote] section.

Mihai Capotă (mihaic) wrote :

I successfully tested the solution in the patch from comment #4 on Ubuntu 14.04.
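
An added example, not part of the original report or of offlineimap's own code: a Python audit of an offlineimaprc that flags SSL repositories with neither cert_fingerprint nor sslcacertfile and checks a pinned value against a certificate obtained out of band. It assumes cert_fingerprint is the hex SHA-1 of the DER-encoded certificate (consistent with the 40-character values in this report); the function names, verdict strings and sample data are constructed for illustration.

```python
import configparser
import hashlib
import ssl

def sha1_fingerprint(pem_cert):
    """Hex SHA-1 of the DER certificate (assumed cert_fingerprint format)."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()

def normalise(fp):
    """Accept openssl-style 'AA:BB:..' or plain hex, in any case."""
    return fp.replace(":", "").strip().lower()

def audit_offlineimaprc(rc_text, server_pems):
    """Classify every SSL-enabled [Repository ...] section of an offlineimaprc.

    server_pems maps repository name -> PEM certificate obtained out of band
    (ssl.get_server_certificate((host, 993)) returns the same form, but a
    certificate fetched over an untrusted path proves nothing by itself).
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(rc_text)
    verdicts = {}
    for section in cfg.sections():
        if not section.startswith("Repository "):
            continue
        name, repo = section[len("Repository "):], cfg[section]
        # Per the report, 'type = Gmail' implies 'ssl = yes'.
        uses_ssl = (repo.get("type", "").lower() == "gmail"
                    or repo.getboolean("ssl", fallback=False))
        if not uses_ssl:
            continue
        pin = normalise(repo.get("cert_fingerprint", ""))
        if pin and name in server_pems:
            ok = pin == sha1_fingerprint(server_pems[name])
            verdicts[name] = "pin-ok" if ok else "pin-mismatch"
        elif pin:
            verdicts[name] = "pinned-unchecked"
        elif repo.get("sslcacertfile"):
            verdicts[name] = "ca-verified"
        else:
            verdicts[name] = "unverified"  # neither setting: the case reported here
    return verdicts

# Constructed sample input: the "certificate" is placeholder bytes, not real X.509.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-not-a-real-certificate")
SAMPLE_RC = f"""[Repository GmailRemote]
type = Gmail
cert_fingerprint = {sha1_fingerprint(SAMPLE_PEM).upper()}
[Repository WorkRemote]
ssl = yes
[Repository OtherRemote]
ssl = yes
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
"""
```

Calling audit_offlineimaprc(SAMPLE_RC, {"GmailRemote": SAMPLE_PEM}) reports GmailRemote as pin-ok, WorkRemote as unverified and OtherRemote as ca-verified.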
