<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Lucien<div class=""><br class=""></div><div class="">Thanks for the response. OpenSSL wasn’t doing The Right Thing, and a variety of other fixes weren’t working either—various certs downloaded offline, etc.</div><div class=""><br class=""></div><div class="">What ended up working was just dumping all the Keychain System Roots certs to a PEM file (<a href="http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x" class="">http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x</a>), which feels a bit hacky but at least works</div><div class=""><br class=""></div><div class="">Thanks for the help again.</div><div class=""><br class=""></div><div class="">Henry</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On May 17, 2015, at 4:13 AM, Lucien Pullen <<a href="mailto:drurowin@gmail.com" class="">drurowin@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">Also sprach M. Henry Linder on 2015-05-16:<br class=""><blockquote type="cite" class="">I’m on OS X, with offlineimap and openssl installed through homebrew. I can’t for the life of me<br class="">find a CA certfile or PEM file that Gmail will accept. It seems that I may need to generate a<br class="">certfile from the keychain; how might I do that?<br class=""></blockquote><br class="">I only use the keychain to store the password.  For the certificate, I'm<br class="">using cert.pem from MacPorts' curl-ca-bundle package.<br class=""><br class="">From the Homebrew commit history<br class=""><<a href="https://github.com/Homebrew/homebrew/commit/ab926db10c47352b38e114d0945ac1c0596eef74" class="">https://github.com/Homebrew/homebrew/commit/ab926db10c47352b38e114d0945ac1c0596eef74</a>><br class="">they seem to have deprecated curl-ca-bundle in favor of a certificate<br class="">file generated from the keychain, though, since I don't use Homebrew, I<br class="">don't know if there's a One Big PEM option still.<br class=""><br class="">Have you tried leaving off the sslcacertfile option and seeing if<br class="">offlineimap calls openssl to just do The Right Thing, since Gmail only<br class="">accepts connections over SSL?<br class=""><br class="">_______________________________________________<br class="">OfflineIMAP-project mailing list: <a href="mailto:OfflineIMAP-project@lists.alioth.debian.org" class="">OfflineIMAP-project@lists.alioth.debian.org</a><br class=""><a href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project" class="">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project</a><br class=""><br class="">OfflineIMAP homepages:<br class="">- https://github.com/OfflineIMAP<br class="">- http://offlineimap.org</div></blockquote></div><br class=""></div></body></html>