rtyler

Solving CERTIFICATE_VERIFY_FAILED with Gmail and Offlineimap

Offlineimap has been a major part of my desktop computing environment for many years, indulging my use of mutt for all work and personal email. My work email has unfortunately been stored in Gmail, which does support IMAP but tends to do a few wacky things with files and folders.

I recently started seeing certificate validation errors when syncing Gmail accounts:

Establishing connection to imap.gmail.com:993 (GmailRemote)
ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for repository 'GmailRemote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

I think that either offlineimap or my distribution has started be more strict with TLS versions. Some searching around didn’t get me very far until I stumbled into this GitHub issue which suggested a version tweak for the “remote” configuration for Gmail:

[Repository GmailRemote]
type = Gmail
ssl = yes
# https://github.com/LukeSmithxyz/mutt-wizard/issues/85
ssl_version = tls1_2
remoteuser = xxx

With this change in place, the vacation is over and mail is flowing back into my inbox, for better or worse! :)