We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Cannot add Security Certificate (Security Exception) under the right server name

  • 1 reply
  • 1 has this problem
  • 8 views
  • Last reply by aNDy

more options

In my home network I have an IMAP server (dovecot) running with a self-signed SSL certificate. When I want to sync the mail ("Get Messages") then a window pops up (correctly) warning me about the "incorrect" certificate. (The window title is "Add Security Exception" and the error is "Wrong Site"). Wat is strange is that the Location indicated, is not the same as as the Server Name as set in the server settings in Thunderbird. Example: suppose I have a server name set as a.b.c.com, then in the warning window it would say imap.c.com:993 (so a.b removed and replaced by the word imap). I have no idea why the address gets changed.

If I confirm the security exception and store it, then the correct certificate is stored (checked fingerprint), but it is added under the wrong server name (under imap.c.com). Subsequent "Get Messages" will trigger the warning again.

If I correct in the warning window the Location to a.b.c.com:993, then is says No Information Available. If I correct it to the address with the SSL port number removed (so only a.b.c.com) then I can store the Security Exception, but the wrong certificate is stored. What is stored is the certificate that belongs to my web (https) server and what can be reached at my domain name b.c.com .

In the past the same set-up did work form both local network and from outside (obviously with some earlier version of Thunderbird), the security certificate was stored in the right way in Thunderbird. I still have clients running using the certificate that was stored some years ago. In one client I accidentally deleted it, and now I cannot get it back.

The system is an up to date Fedora 33 system.

In my home network I have an IMAP server (dovecot) running with a self-signed SSL certificate. When I want to sync the mail ("Get Messages") then a window pops up (correctly) warning me about the "incorrect" certificate. (The window title is "Add Security Exception" and the error is "Wrong Site"). Wat is strange is that the Location indicated, is not the same as as the Server Name as set in the server settings in Thunderbird. Example: suppose I have a server name set as a.b.c.com, then in the warning window it would say imap.c.com:993 (so a.b removed and replaced by the word imap). I have no idea why the address gets changed. If I confirm the security exception and store it, then the correct certificate is stored (checked fingerprint), but it is added under the wrong server name (under imap.c.com). Subsequent "Get Messages" will trigger the warning again. If I correct in the warning window the Location to a.b.c.com:993, then is says No Information Available. If I correct it to the address with the SSL port number removed (so only a.b.c.com) then I can store the Security Exception, but the wrong certificate is stored. What is stored is the certificate that belongs to my web (https) server and what can be reached at my domain name b.c.com . In the past the same set-up did work form both local network and from outside (obviously with some earlier version of Thunderbird), the security certificate was stored in the right way in Thunderbird. I still have clients running using the certificate that was stored some years ago. In one client I accidentally deleted it, and now I cannot get it back. The system is an up to date Fedora 33 system.

All Replies (1)

more options

Meanwhile I found an answer to my own question. It seems to be a bug under Thunderbird 78.6.0, but it has a workaround: - Accept/store the certificate when asked - Exit Thunderbird - In your Thunderbird profile (~/.thunderbird/<profile name>/, or C:\Users\<pofile_name>\AppData\Roaming\Thunderbird\Profiles\<profile_in_use>\ ) there is a file called Cert_Override.txt (or cert_override.txt). - Edit that file, and change the address of the wrongly named certificate and port number to the correct address and port number. - Start Thunderbird

Related support question: https://support.mozilla.org/en-US/questions/1315845 Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1665577