OfflineIMAP 7.1.5
Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
imaplib2 v2.57 (bundled), Python v2.7.14, OpenSSL 1.0.2o 27 Mar 2018
Account sync erictapen:
*** Processing account erictapen
Establishing connection to mail.erictapen.de:993 (erictapen-Remote)
ERROR: Unknown SSL protocol connecting to host 'mail.erictapen.de' for repository 'erictapen-Remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
*** Finished account 'erictapen' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: Unknown SSL protocol connecting to host 'mail.erictapen.de' for repository 'erictapen-Remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
Traceback:
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/accounts.py", line 283, in syncrunner
self.__sync()
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/accounts.py", line 359, in __sync
remoterepos.getfolders()
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/repository/IMAP.py", line 452, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/imapserver.py", line 630, in acquireconnection
exc_info()[2])
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/imapserver.py", line 544, in acquireconnection
af=self.af,
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/imaplibutil.py", line 194, in __init__
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 2183, in __init__
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 361, in __init__
self.open(host, port)
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/imaplibutil.py", line 202, in open
super(WrappedIMAP4_SSL, self).open(host, port)
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 2196, in open
self.ssl_wrap_socket()
File "/nix/store/abz63s1hsf38m9b9k1yvigxcs4l535pg-offlineimap-7.1.5/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 548, in ssl_wrap_socket
self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
File "/nix/store/nx3jw576gqw01iiijgsav39w2qa4cni2-python-2.7.14/lib/python2.7/ssl.py", line 943, in wrap_socket
ciphers=ciphers)
File "/nix/store/nx3jw576gqw01iiijgsav39w2qa4cni2-python-2.7.14/lib/python2.7/ssl.py", line 611, in __init__
self.do_handshake()
File "/nix/store/nx3jw576gqw01iiijgsav39w2qa4cni2-python-2.7.14/lib/python2.7/ssl.py", line 840, in do_handshake
self._sslobj.do_handshake()
$ openssl s_client -connect mail.erictapen.de:993 -crlf
CONNECTED(00000003)
depth=1 C = UK, ST = Warwickshire, L = Leamington, O = OrgName, OU = Security Department, CN = example.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com
i:/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com
1 s:/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com
i:/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com
...
I would expect, that the example config contains not a self signed certificate but one from Let's encrypt? Also after a quick glance at the source, I wonder wether this Warwickshire cert should be used for anything other than nginx config file validation?