New SSL certificate but Thunderbird or Mozilla pulling old settings
Hi,
We run our own email server and have recently changed the SSL certificate provider. However, when we set up mail accounts on client machines, Thunderbird brings up the old certificate. The certificate publisher is now untrusted and the expiry date is May 19th 2019. It is impossible to 'add an exception' or use different ports as Thunderbird always pulls up the certificate. Thus, it is impossible to set up mail accounts in Thunderbird. This is not local caching or anything. We believe Mozilla is actively storing account details and their associated SSL certs. Does anyone know a way out of this?
Thanks Nick
Is there an error message Thunderbird shows?
You may also have to reconfigure the server to send the proper intermediate CA cert, in case it hasn't been imported into the Thunderbird certificate store.
In general, Thunderbird needs to know the entire certificate chain, from the issuing CA up to the root CA.
We believe Mozilla is actively storing account details and their associated SSL certs.
I don't think so.
Hi, thanks for the quick reply. I've attached a screenshot of the error. Sequence is: Add security exception > View certificate.
"in case it hasn't been imported into the Thunderbird certificate store."
What does this mean if Thunderbird is not storing certificates?
Nick
Sorry, I assume you're referring to local store.
When Thunderbird connects to the server, the certificate is passed to Thunderbird. Thunderbird then attempts to validate the certificate it has received.
As you are saying that the old certificate is being used, I think you need to re-examine the certificates on the server, not Thunderbird.
Hi,
Thunderbird is pulling the old (invalid) certificate. We have tested this on several machines in several locations with the same outcome. Other email clients (Mailbird, Postbox) connect via SSL with no issues. We are convinced Mozilla are storing/caching settings.
Nick
SSL is deprecated to the point of being disabled. Do you have TLS enabled?
Chosen Solution
trinitech.nick said
Thunderbird is pulling the old (invalid) certificate.
It gets what the server offers. It pulls nothing.
There is a cache Options > Advanced > network and disk space. I have never heard of anything to do with SSL/TLS being cached but it will not hurt to clear it.
You appear to be using Windows. Windows has its own certificate store as well. We often see antivirus programs modify the Windows store and assume they have all the bases covered for their hacking, and then Thunderbird chokes on their hacked certificates, but that does not appear to be the case here.
The certificate you posted the details of, however, is acceptable to Windows. https://cloudblogs.microsoft.com/microsoftsecure/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ So I am assuming the server is still misconfigured and issuing the wrong certificate, but the certificate only fails the more rigorous acceptability of Thunderbird. Windows' less rigorous standards will result in mail clients that rely on Windows for certificate management having no idea there is a problem. Given Mailbird is basically a port from OSX and Postbox is Thunderbird V3 with a glossy cover and only Windows support, I would assume both use the Windows certificate store. A lot of effort is required to maintain your own certificate store.
Hi Matt,
Thanks for your help. We explored the Windows SSL cert issues, cleared everything and even tried TB setup on a new install, but had the same problem. This is why we were convinced it was out of our control. However, our server administrator has since found some additional configuration where the old SSL certificate still resided. He's removed this now and all is working! Very happy to report we can keep using Thunderbird!
Nick