I've had an annoying problem with OfflineIMAP. My .offlineimaprc looks something like this:
[Repository main-remote]
type = IMAP
remotehost = ...
ssl = yes
cert_fingerprint = fe4e3a31666d...
If your email provider happens to use Let's Encrypt, then every 90 days the certificate will get renewed, meaning that cert_fingerprint will be invalid. Since I have offlineimap invoked by a cronjob in the background, I would suddenly stop receiving email. I got annoyed and reluctantly manually updated the fingerprint in ~/.offlineimaprc.
Since this only happened every 3 months, I couldn't motivate myself to do anything about this issue. However, I stumbled upon a fix.
Simply replace the cert_fingerprint with
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
A trivial solution to a stupid problem but maybe someone has the same problem and will find this useful.
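For a config with several accounts, the check below lists which IMAP repositories still pin cert_fingerprint and which validate against a CA bundle. It is an added example, not part of the original post or of OfflineIMAP; the function name, the finding labels and the sample hosts and fingerprint are assumptions made up for illustration.

```python
import configparser

# Constructed sample config: hosts and the fingerprint value are placeholders.
SAMPLE_RC = """\
[Repository main-remote]
type = IMAP
remotehost = imap.example.org
ssl = yes
cert_fingerprint = 0000placeholder0000

[Repository work-remote]
type = IMAP
remotehost = imap.example.net
ssl = yes
sslcacertfile = /etc/ssl/certs/ca-certificates.crt

[Repository main-local]
type = Maildir
localfolders = ~/Mail
"""

def audit_offlineimaprc(text):
    """Return {section: finding} for every IMAP repository in the config text."""
    cp = configparser.RawConfigParser()  # raw: no % interpolation of values
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("Repository "):
            continue
        if cp.get(section, "type", fallback="").strip().lower() != "imap":
            continue
        # Assumption of this example: a missing ssl key is treated as enabled.
        if not cp.getboolean(section, "ssl", fallback=True):
            findings[section] = "ssl-disabled"
            continue
        pinned = cp.has_option(section, "cert_fingerprint")
        ca = cp.has_option(section, "sslcacertfile")
        if pinned and ca:
            findings[section] = "ca-and-pin"
        elif pinned:
            findings[section] = "pinned-only"  # stops matching after renewal
        elif ca:
            findings[section] = "ca-validated"
        else:
            findings[section] = "no-verification-setting"
    return findings

if __name__ == "__main__":
    print(audit_offlineimaprc(SAMPLE_RC))
```

Sections reported as pinned-only are the ones that stop syncing when the provider's certificate is renewed. Moving them to sslcacertfile means trusting any CA in that bundle to vouch for the server rather than one specific certificate.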