I've had a annoying problem with OfflineIMAP. My .offlineimaprc looks something like this:

[Repository main-remote]
type = IMAP
remotehost = ...
ssl = yes
cert_fingerprint = fe4e3a31666d...

If your email provider happens to use Let's Encrypt, then very 90 days the certificate will get renewed, meaning that cert_fingerprint will be invalid. Since I have offlineimap invoked by a cronjob in the background I would suddenly stop receiving email. I got annoyed and reluctantly manually updated the fingerprint in ~/.offlineimaprc.

Since this only happened every 3 months couldn't motivate myself to do anything about this issue. However I stumbled upon a fix.

Simply replace the cert_fingerprint with

sslcacertfile = /etc/ssl/certs/ca-certificates.crt

A trivial solution to a stupid problem but maybe someone has the same problem and will find this useful.