offlineimap
SSL: CERTIFICATE_VERIFY_FAILED to Exchange Server
General information
- system/distribution (with version): Linux 4.19.60-1-MANJARO
- offlineimap version (offlineimap -V): offlineimap v7.2.4, imaplib2 v2.57 (bundled), Python v2.7.16, OpenSSL 1.1.1c 28 May 2019
- Python version: Python 3.7.3
- server name or domain: ex01.vcat.de
- CLI options: none
Configuration file offlineimaprc
[general]
accounts = Work
[Account Work]
localrepository = work-local
remoterepository = work-remote
[Repository work-local]
type = Maildir
localfolders = ~/Maildir/work
[Repository work-remote]
type = IMAP
remotehost = ex01.vcat.de
ssl = yes
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
remoteuser = $username
remotepass = $passwd
realdelete = no
maxconnections = 4
pythonfile (if any)
none
Logs, error
OfflineIMAP 7.2.4
Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
imaplib2 v2.57 (bundled), Python v2.7.16, OpenSSL 1.1.1c 28 May 2019
Account sync Work:
*** Processing account Work
Establishing connection to ex01.vcat.de:993 (work-remote)
ERROR: Unknown SSL protocol connecting to host 'ex01.vcat.de' for repository 'work-remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
*** Finished account 'Work' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: Unknown SSL protocol connecting to host 'ex01.vcat.de' for repository 'work-remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
Traceback:
File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line 293, in syncrunner
self.__sync()
File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line 369, in __sync
remoterepos.getfolders()
File "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py", line 452, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line 658, in acquireconnection
exc_info()[2])
File "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line 572, in acquireconnection
af=self.af,
File "/usr/lib/python2.7/site-packages/offlineimap/imaplibutil.py", line 194, in __init__
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 2183, in __init__
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
File "/usr/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 361, in __init__
self.open(host, port)
File "/usr/lib/python2.7/site-packages/offlineimap/imaplibutil.py", line 202, in open
super(WrappedIMAP4_SSL, self).open(host, port)
File "/usr/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 2196, in open
self.ssl_wrap_socket()
File "/usr/lib/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 548, in ssl_wrap_socket
self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
File "/usr/lib/python2.7/ssl.py", line 931, in wrap_socket
ciphers=ciphers)
File "/usr/lib/python2.7/ssl.py", line 599, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 828, in do_handshake
self._sslobj.do_handshake()
Steps to reproduce the error
- running openssl s_client -connect ext01.vcat.de:imaps yields the following:
CONNECTED(00000003)
depth=0 CN = *.vcat.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.vcat.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = *.vcat.de
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=CN = *.vcat.de
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2304 bytes and written 505 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 4ED7080F6B7C95D66E554EDD2F428CC018CC7CB049C3C41DE7DE8C5F9A2E16D9
Session-ID-ctx:
Master-Key: 61A45E40AA23CF438E2152373585FAD91A03F184C97ED31233E45E9AFB6AB8719FBC8BF90F65B93AA401E20AD6527617
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6f 9a f1 06 57 1c e2 23-7b 11 b0 f2 2b a3 ee bf o...W..#{...+...
0010 - 3b 7b 2f 96 90 aa 58 7b-38 8c fa 47 f8 96 b6 0b ;{/...X{8..G....
0020 - 73 60 1a af bd 16 ab 13-21 7a bf 87 c6 fb f2 f3 s`......!z......
0030 - 29 7d 0e 8f 56 f5 c0 78-6c 6a b7 00 51 8e 52 e5 )}..V..xlj..Q.R.
0040 - 17 d4 9d 7a 41 88 34 26-57 c8 06 35 9d 49 c7 14 ...zA.4&W..5.I..
0050 - 14 ce 52 3b 7a 10 63 ac-76 60 00 b2 52 d5 f2 a0 ..R;z.c.v`..R...
0060 - ce 33 a8 13 a1 09 4b 07-2c 40 52 b6 07 b9 78 30 .3....K.,@R...x0
0070 - 8a 39 c5 13 0e e4 77 51-f9 dc 86 74 22 08 91 c9 .9....wQ...t"...
0080 - 81 b2 67 ea 18 6a 15 3c-b6 f4 0b 4e fb fc 79 07 ..g..j.<...N..y.
0090 - c5 3f f0 1d b0 53 7a a0-5f 50 6a 73 37 e9 f2 15 .?...Sz._Pjs7...
00a0 - e5 74 ba a1 bb be 1f ae-aa 35 b5 03 98 0e 94 ad .t.......5......
Start Time: 1565444665
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
- I've also tried it with ssl_version = tls1_2
- I've tried to append the certificate from the openssl command to the certfile
- if I use the cert_fingerprint option, it works. (how secure is that?)
Could you please try the current 'next' branch with SNI support?
> if I use the cert_fingerprint option, it works. (how secure is that?)
This is a good workaround.
Would love to. How do I run this version without overwriting my current installation? When I check out the next branch and run ./offlineimap.py I get an ImportError: No module named rfc6555
In the requirements.txt file of the 'next' branch there is this line:
rfc6555
To manually install this dependency:
pip2 install rfc6555
Right. Same thing.
➜ offlineimap git:(next) ./offlineimap.py
OfflineIMAP 7.2.4
Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
imaplib2 v2.101 (bundled), Python v2.7.16, OpenSSL 1.1.1c 28 May 2019
Account sync Work:
*** Processing account Work
Establishing connection to ex01.vcat.de:993 (work-remote)
ERROR: Unknown SSL protocol connecting to host 'ex01.vcat.de' for repository 'work-remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
*** Finished account 'Work' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: Unknown SSL protocol connecting to host 'ex01.vcat.de' for repository 'work-remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
Traceback:
File "/home/sean/git/offlineimap/offlineimap/accounts.py", line 293, in syncrunner
self.__sync()
File "/home/sean/git/offlineimap/offlineimap/accounts.py", line 369, in __sync
remoterepos.getfolders()
File "/home/sean/git/offlineimap/offlineimap/repository/IMAP.py", line 452, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/home/sean/git/offlineimap/offlineimap/imapserver.py", line 658, in acquireconnection
exc_info()[2])
File "/home/sean/git/offlineimap/offlineimap/imapserver.py", line 572, in acquireconnection
af=self.af,
File "/home/sean/git/offlineimap/offlineimap/imaplibutil.py", line 202, in __init__
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
File "/home/sean/git/offlineimap/offlineimap/bundled_imaplib2.py", line 2191, in __init__
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
File "/home/sean/git/offlineimap/offlineimap/bundled_imaplib2.py", line 360, in __init__
self.open(host, port)
File "/home/sean/git/offlineimap/offlineimap/imaplibutil.py", line 210, in open
super(WrappedIMAP4_SSL, self).open(host, port)
File "/home/sean/git/offlineimap/offlineimap/bundled_imaplib2.py", line 2204, in open
self.ssl_wrap_socket()
File "/home/sean/git/offlineimap/offlineimap/bundled_imaplib2.py", line 554, in ssl_wrap_socket
self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)
File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
_context=self)
File "/usr/lib/python2.7/ssl.py", line 599, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 828, in do_handshake
self._sslobj.do_handshake()
I am also finding myself in this scenario. Were you able to find a solution?
I began having this issue after my mail server certificate expired. After renewing the certificate, running offlineimap triggers the error.
I've updated to the latest OS packages, but no luck there either.
Edit: I am running offlineimap 7.3.3 and rfc6555-0.0.0
Edit2: mutt works just fine for sending mail. My mobile device also works for sending/receiving, so it's not a server certificate issue.
Edit3: I removed offlineimap, rfc6555, and selectors2 via pip2 and pip. I reinstalled these packages via pacman -S offlineimap. The following packages and versions were installed:
Packages (4) python2-rfc6555-0.0.0-2 python2-selectors2-2.0.1-4 python2-uritemplate-3.0.1-1 offlineimap-7.3.3-1
Same error still occurs.
Edit4: I ran:
SSL_CERT_DIR="" openssl s_client -connect mail.mydomainname.com:993 -showcerts -CAfile /etc/ssl/certs/ca-certificates.crt
and it appeared as the certificate still being expired.
Solution: Restart mail server
It'd be brilliant for the code to surface this error ("Mail server TLS certificate expired") to the user!
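The s_client output in the report shows the server sending only its leaf certificate (CN = *.vcat.de), so OpenSSL stops at depth 0 with error 20: the issuer "Thawte TLS RSA CA G1" is an intermediate that is neither sent by the server nor present in a root store such as ca-certificates.crt. The script below is an added example, not code from the offlineimap project or from anyone in this thread. It builds a throwaway PKI and reproduces that failure, shows the two ways it actually gets fixed (the server sends the intermediate, or the client adds the intermediate, not the leaf, to its CA file), computes a cert_fingerprint-style pin and shows why it has to be refreshed after a renewal, and ends with the expiry check that would have caught the expired certificate in the comment above. The CA names, the host mail.example.test, the file names, and the choice of a SHA-1 hex fingerprint without colons as the pin format are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway PKI reproducing the incomplete-chain failure from this thread.
# All names (Example Root CA, Example Intermediate CA, mail.example.test) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

quiet() { "$@" >/dev/null 2>&1; }

# Extension files: CA certs need CA:TRUE, the leaf gets a SAN for the assumed host name.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# Root CA (self-signed): stands in for the publicly trusted root in ca-certificates.crt.
quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" -keyout root.key -out root.csr
quiet openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem

# Intermediate CA: stands in for the issuer the server did not send (Thawte TLS RSA CA G1
# in the report). Like a real intermediate, it is NOT in the client's trust store.
quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr
quiet openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out int.pem

# Leaf (server) certificate, issued by the intermediate. Re-running issue_leaf is a "renewal":
# a new serial number means different certificate bytes, hence a different fingerprint.
quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr
issue_leaf() {
    quiet openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -extfile leaf.ext -out "$1"
}
issue_leaf leaf.pem

# Verify leaf.pem the way a TLS client does. $1 is the trust store; further arguments are
# passed through (e.g. "-untrusted int.pem" stands in for an intermediate sent by the server).
# Prints "OK", or the "error N at D depth lookup" line that s_client shows as verify error:num=N.
verify_result() {
    cafile=$1; shift
    if out=$(openssl verify -CAfile "$cafile" "$@" leaf.pem 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" | grep -o 'error [0-9]* at [0-9]* depth lookup' | head -n 1
    fi
}

# Hex fingerprint of the DER certificate without colons: a pin of one exact certificate.
# (Assumed to match the cert_fingerprint format; check the offlineimap documentation for your version.)
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'; }

# Exit status 0 while the certificate is inside its validity period (the later comment's case).
not_expired() { quiet openssl x509 -checkend 0 -noout -in "$1"; }

# Demonstration
echo "roots only, leaf alone (the report's symptom):   $(verify_result root.pem)"
echo "roots only, server also sends intermediate:       $(verify_result root.pem -untrusted int.pem)"
cat root.pem leaf.pem > root_plus_leaf.pem
echo "leaf appended to the CA file (what was tried):   $(verify_result root_plus_leaf.pem)"
cat root.pem int.pem > root_plus_int.pem
echo "intermediate appended to the CA file:             $(verify_result root_plus_int.pem)"
echo "pin for current leaf: $(fingerprint leaf.pem)"
issue_leaf leaf2.pem
echo "pin after renewal:    $(fingerprint leaf2.pem)"
not_expired leaf.pem && echo "leaf is within its validity period"
```

On the "how secure is that?" question: the pin skips chain validation entirely and trusts exactly one certificate, so it is only as trustworthy as the connection over which the fingerprint was first captured, and, as the renewal step shows, it stops working the moment the server's certificate is reissued. Appending the leaf to the CA file does not make verification succeed here, while supplying the intermediate does; the durable fix is therefore to have the server send its intermediate, or to add that intermediate to sslcacertfile.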
Can offlineimap add an option like wget's --no-check-certificate?
In our company the mail server has not been well maintained for many years; most users use Outlook or other mature GUI mail clients, which work after changing some settings.
But offlineimap does not work stably; it broke after upgrading to the latest version.