Enrico Pirani

Reputation: 1507

ca-certificates Mac OS X

I need to install offlineimap and mu4e on emacs. The problem is configuration. When I run offlineimap I get:

OfflineIMAP 6.5.5
Licensed under the GNU GPL v2+ (v2 or any later version)
Thread 'Account sync Gmail' terminated with exception:
Traceback (most recent call last):
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/threadutil.py", line 158, in run
Thread.run(self)
File "/anaconda/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/accounts.py", line 226, in syncrunner
self.remoterepos = Repository(self, 'remote')
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/__init__.py", line 78, in __new__
return repo(name, account)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/Gmail.py", line 37, in __init__
IMAPRepository.__init__(self, reposname, account)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/IMAP.py", line 34, in __init__
self.imapserver = imapserver.IMAPServer(self)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/imapserver.py", line 83, in __init__
self.sslcacertfile = repos.getsslcacertfile()
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/IMAP.py", line 211, in getsslcacertfile
% (self.name, cacertfile))
SyntaxWarning: CA certfile for repository 'Remote' could not be found. No such file: '/usr/share/curl/ca-bundle.crt.original'


Last 2 debug messages logged for Account sync Gmail prior to exception:
thread: Register new thread 'Account sync Gmail' (account 'Gmail')
imap: Using authentication mechanisms ['GSSAPI', 'CRAM-MD5', 'PLAIN', 'LOGIN']

This is my .offlineimaprc

[general]
accounts = Gmail
maxsyncaccounts = 1
pythonfile = ~/.offlineimap.py

[Account Gmail]
localrepository = Local
remoterepository = Remote

[Repository Local]
type = Maildir
localfolders = ~/Maildir

[Repository Remote]
type = Gmail
remoteuser = [email protected]
remotepasseval = get_password_emacs("imap.gmail.com", "[email protected]", "993")
realdelete = no

folderfilter = lambda foldername: foldername not in ['[Gmail]/Spam', '[Gmail]/All Mail', '[Gmail]/Starred', '[Gmail]/Important']

holdconnectionopen = true
keepalive = 60
sslcacertfile = /usr/share/curl/ca-bundle.crt.original #??

There is a problem with the Python install and one with the CA certificate. The point is there is no curl-ca-bundle brew package. Is there any other way to install a certificate?

Upvotes: 40

Views: 120067

Answers (9)

Skyviewer

Reputation: 51

I've been experimenting with Selenium Wire which runs under Python3, but by default when using chromedriver it opens https sites as http only, and you get a warning that the connection is insecure. You can solve the problem by generating a certificate:

python3 -m seleniumwire extractcert

This will generate a ca.crt file which can then be imported into Chrome. Except that on a Mac, Chrome uses the Apple Keychain to store certificates, so you have to do this (this is in macOS Monterey, but may work for future versions):

  • Open Keychain Access and click on Login in the left hand panel (you have to do this first or it puts the certificate in the wrong place).
  • In Finder double click the ca.crt file - this should install it in Keychain Access under "login" and the "Certificates" tab.
  • In Keychain Access, right click on the newly added "Selenium Wire CA" certificate, then click "Get Info", then at the top of the panel that appears expand the "Trust" section by clicking on the > next to it.
  • In the "Trust" section, change both "Secure Sockets Layer (SSL)" and "X.509 Basic Policy" to "Always Trust" using the dropdowns. Change all the others in that section to "no value specified" (the top item should automatically change to "Use Custom Settings").
  • If you mess up anything (the certificate gets installed to the wrong place, or you screw up the settings) or if you just don't need it anymore, you can easily remove it by right-clicking on it and making the appropriate selection.

After doing this, when Selenium Wire opens a site using a https link, you should not see the dreaded warning that the connection is not secure anymore.

This will probably work for other types of certificates with recognized filenames or extensions, like ca.crt in this example.

Upvotes: 1

Dorian

Reputation: 9175

I'm using the localhost gem, and added my certificate from ~/.localhost/localhost.crt to /usr/local/etc/[email protected]/cert.pem

Then ran /usr/local/opt/[email protected]/bin/c_rehash

Can be tested with:

URI.open(URI.parse("https://localhost:3000"))

Upvotes: 1

Patrick Sanan

Reputation: 2485

A simple way to proceed is to use the curl certificate bundle. I use MacPorts, so this was obtained with the port curl-ca-bundle

sudo port install curl-ca-bundle

You can then run port contents curl-ca-bundle to see what it installed, and then add the following to ~/.offlineimaprc in the section for your remote account:

sslcacertfile = /opt/local/share/curl/curl-ca-bundle.crt

Note that this will also put a link to these certificates as /opt/local/etc/openssl/cert.pem.

Upvotes: 15

hamsternik

Reputation: 1426

For macOS 10.15.6 (which is currently the latest stable OS version until the future macOS 11 release) I found that brew info openssl is the easiest and most convenient way to find out where all CA certificates are located and how to add your custom CA .pem certificate.

Spoiler from the command's output:

To add additional certificates, place .pem files in /usr/local/etc/[email protected]/certs

and run /usr/local/opt/[email protected]/bin/c_rehash

Upvotes: 5

vimal kumar

Reputation: 91

I ran the above command given by @wood-guardian and then ran the following to fix the issue.

ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"

Export the result of the above statement to the SSL_CERT_FILE env variable:

export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem

Upvotes: 9

Wood Guardian

Reputation: 599

This could happen if you have multiple installations of openssl (say v1.0.2 and 1.1.1). If they were both installed by brew at some point in time, you'll have to uninstall both of them to remove the conflict:

brew uninstall --ignore-dependencies --force [email protected]
brew uninstall --ignore-dependencies --force openssl

And then reinstall one of them, like:

brew install [email protected]

Hope this works!

Upvotes: 13

Alex Nibley

Reputation: 141

I had success on a Mac running 10.6 where I prefer the Homebrew ecosystem by using @patrick-sanan's answer and then symlinking in the MacPorts ecosystem version of cert.pem:

sudo rm /usr/local/etc/openssl
sudo ln -s /opt/local/etc/openssl/cert.pem /usr/local/etc/openssl

Upvotes: 2

user355252

Reputation:

There is usually no CA certificate bundle on OS X, because SSL libraries typically use Apple's Security Framework internally and obtain certificates from Keychain.

You can create your own bundle from Keychain certificates, though: Open Keychain, navigate to the “Certificates” category in the “System Roots” keychain, and press Command+Shift+E (“Export items”), to save all certificates. I think that Python can handle the PEM format, so be sure to select that.

Alternatively, on OS X 10.6 and newer, the system Python is built against an OpenSSL version which always looks into Keychain as well. Hence, you can create a dummy bundle that only contains a dummy self-signed certificate, and use that in your configuration to make OfflineIMAP shut up. It'll look into the Keychain certificates anyway.

See https://www.mercurial-scm.org/wiki/CACertificates#Mac_OS_X_10.6_and_higher for details.

Upvotes: 27
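The Keychain export described in the answer above can also be scripted. The following is an added example and is not code from the question, from any answer, or from OfflineIMAP itself: it uses the macOS `security` tool to dump the System Roots keychain in PEM form, counts what it wrote, and refuses to leave an empty bundle behind, since a bundle with zero certificates is no better than the missing `/usr/share/curl/ca-bundle.crt.original` from the traceback. The output path `~/.offlineimap-ca-bundle.pem` is an assumption; point `sslcacertfile` at whatever path you choose.

```shell
#!/bin/sh
# Added example (not from the original question or any answer): build a PEM
# bundle from the macOS System Roots keychain and sanity-check it before
# pointing offlineimap's sslcacertfile at it.
set -eu

# Output path is an assumption; any readable location works for offlineimap.
BUNDLE="${BUNDLE:-${HOME:-/tmp}/.offlineimap-ca-bundle.pem}"

# Count the certificates in a PEM file by counting BEGIN markers.
# grep -c still prints "0" when nothing matches but exits 1, so the
# "|| true" keeps the function usable under "set -e".
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Export every root certificate from the System Roots keychain in PEM form.
# This is the command-line equivalent of Keychain Access > System Roots >
# Certificates > "Export Items" with the PEM format selected.
export_system_roots() {
    security find-certificate -a -p \
        /System/Library/Keychains/SystemRootCertificates.keychain > "$1"
}

# Only attempt the export where the macOS "security" tool exists, so the
# helper functions above can still be sourced on other systems.
if command -v security >/dev/null 2>&1 && [ ! -s "$BUNDLE" ]; then
    export_system_roots "$BUNDLE"
    n=$(count_pem_certs "$BUNDLE")
    echo "wrote $n root certificates to $BUNDLE"
    if [ "$n" -eq 0 ]; then
        echo "bundle is empty, refusing to keep it" >&2
        rm -f "$BUNDLE"
        exit 1
    fi
    # Optional end-to-end check against the IMAP endpoint (needs network).
    # "Verify return code: 0 (ok)" means the bundle validates Gmail's chain:
    # openssl s_client -connect imap.gmail.com:993 -CAfile "$BUNDLE" </dev/null 2>&1 | grep 'Verify return code'
fi
```

Once the bundle exists, set `sslcacertfile = ~/.offlineimap-ca-bundle.pem` (or your chosen path) in the `[Repository Remote]` section. Unlike the dummy-certificate trick, this leaves OfflineIMAP with a real trust store to validate against, so a mismatched server certificate is rejected rather than waved through.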

user1248490

Reputation: 963

I had a similar problem (on MacOS 10.10.2, openssl 1.0.2 and offlineimap 6.5.5 both from homebrew) and couldn't get the dummy certificate solution to work. However, I found a certfile that makes offlineimap stop complaining in /usr/local/etc/openssl/cert.pem (which is put there during the installation of openssl through homebrew, brew info openssl tells me). Caveat: I don't know whether this is a good or safe way to do this.

Upvotes: 47
