ca-certificates Mac OS X

Question

I need to install offlineimap and mu4e on emacs. Problem is configuration. When I run offlineimap I get :

OfflineIMAP 6.5.5 Licensed under the GNU GPL v2+ (v2 or any later version) Thread 'Account sync Gmail' terminated with exception: Traceback (most recent call last): File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/threadutil.py", line 158, in   run Thread.run(self) File "/anaconda/lib/python2.7/threading.py", line 763, in run self.__target(*self.__args, **self.__kwargs) File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/accounts.py", line 226, in  syncrunner self.remoterepos = Repository(self, 'remote') File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/__init__.py", line 78, in __new__ return repo(name, account) File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/Gmail.py", line 37, in __init__ IMAPRepository.__init__(self, reposname, account) File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/IMAP.py", line 34, in __init__ self.imapserver = imapserver.IMAPServer(self) File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/imapserver.py", line 83, in __init__ self.sslcacertfile = repos.getsslcacertfile() File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/IMAP.py", line 211, in getsslcacertfile % (self.name, cacertfile)) SyntaxWarning: CA certfile for repository 'Remote' could not be found. No such file: '/usr/share/curl/ca-bundle.crt.original'   Last 2 debug messages logged for Account sync Gmail prior to exception: thread: Register new thread 'Account sync Gmail' (account 'Gmail') imap: Using authentication mechanisms ['GSSAPI', 'CRAM-MD5', 'PLAIN', 'LOGIN'] 

This is my .offlineimaprc

[general] accounts = Gmail maxsyncaccounts = 1 pythonfile = ~/.offlineimap.py  [Account Gmail] localrepository = Local remoterepository = Remote  [Repository Local] type = Maildir localfolders = ~/Maildir  [Repository Remote] type = Gmail remoteuser = [email protected] remotepasseval = get_password_emacs("imap.gmail.com", "[email protected]", "993") realdelete = no  folderfilter = lambda foldername: foldername not in ['[Gmail]/Spam', '[Gmail]/All Mail',    '[Gmail]/Starred', '[Gmail]/Important']  holdconnectionopen = true keepalive = 60 sslcacertfile = /usr/share/curl/ca-bundle.crt.original #?? 

There is a problem with python install and one with the CA certificate. Point is there no any curl-ca-bundle brew package. I there any other way to install a certificate ?

Answer 1

I had a similar problem (on MacOS 10.10.2, openssl 1.0.2 and offlineimap 6.5.5 both from homebrew) and couldn't get the dummy certificate solution to work. However, I found a certfile that makes offlineimap stop complaining in /usr/local/etc/openssl/cert.pem (which is put there during the installation of openssl through homebrew, brew info openssl tells me). Caveat: I don't know whether this is a good or safe way to do this.

Answer 2

There is usually no CA certificate bundle on OS X, because SSL libraries typically use Apple's Security Framework internally and obtain certificates from Keychain.

You can create your own bundle from Keychain certificates, though: Open Keychain, navigate to the “Certificates” category in the “System Roots” keychain, and press Command+Shift+E (“Export items”), to save all certificates. I think that Python can handle the PEM format, so be sure to select that.

Alternatively, on OS X 10.6 and newer, the system Python is build against an OpenSSL version which always looks into Keychain as well. Hence, you can create a dummy bundle that only contains a dummy self-signed certification, and use that in your configuration to make OfflineIMAP shut up. It'll look into the Keychain certificates anyway.

See https://www.mercurial-scm.org/wiki/CACertificates#Mac_OS_X_10.6_and_higher for details.