Om de ûnderfining foar jo te ferbetterjen is tydlik de funksjonaliteit dan dizze website troch ûnderhâldswurk beheind. Wannear in artikel jo probleem net oplost en jo in fraach stelle wolle, kin ús stipemienskip jo helpe yn @FirefoxSupport op Twitter en /r/firefox op Reddit.

Avatar for Username

Sykje yn Support

Mij stipescams. Wy sille jo nea freegje in telefoannûmer te beljen, der in sms nei ta te stjoeren of persoanlike gegevens te dielen. Meld fertochte aktiviteit mei de opsje ‘Misbrûk melde’.

Mear ynfo

Dizze konversaasje is argivearre. Stel in nije fraach as jo help nedich hawwe.

Self-signed encryption cert stopped working in Thunderbird 60.2.1

  • 7 antwurd
  • 1 hat dit probleem
  • 1 werjefte
  • Lêste antwurd fan Matt

gbell12
gbell12
more options

I've used a self-signed certificate for years to send and receive encrypted emails with family. I don't use Enigmail or PGP.

Somewhere near Thunderbird 60.2.1, this stopped working. When I try to send an email, Thunderbird reports: 

   "Sending of the message failed.
   You specified encryption for this message, but the application either failed to find the 
   encryption certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

The certificate has not expired, and it can be found in the Certificate Manager. Viewing details it says "This certificate has been verified for the following uses: SSL Certificate Authority". I can't remember if this used to say something different.

The CA is my own generated CA called "self-signed".

Did something tighten down recently?

I've used a self-signed certificate for years to send and receive encrypted emails with family. I don't use Enigmail or PGP. Somewhere near Thunderbird 60.2.1, this stopped working. When I try to send an email, Thunderbird reports: "Sending of the message failed. You specified encryption for this message, but the application either failed to find the encryption certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired." The certificate has not expired, and it can be found in the Certificate Manager. Viewing details it says "This certificate has been verified for the following uses: SSL Certificate Authority". I can't remember if this used to say something different. The CA is my own generated CA called "self-signed". Did something tighten down recently?

Keazen oplossing

gbell12 said

Matt said
I think the key is self signed certificates are not valid for encryption.

Just recently? Because these same certs have been working for years.

I "sort of" follow certificate changes, but in all honesty most of it goes over my head. One of the reasons is the Thunderbird community use the Firefox certificate manager and store, so the developers never touch the stuff really. SO I try and follow it a bit, but usually the first we know about certificate changes are when something stops working.

I think perhaps this bug is relevant https://bugzilla.mozilla.org/show_bug.cgi?id=1485013 "The problem appears to that certs without the x509 v3 extensions cannot be added."

This might be relevant https://bugzilla.mozilla.org/show_bug.cgi?id=1475348

This is also in the current sort of timeframe. https://bugzilla.mozilla.org/show_bug.cgi?id=1122239

But given how easy it is to get a SSL/TLS certificate https://letsencrypt.org/ really is it worth messing around with self signed ones.

Dit antwurd yn kontekst lêze 👍 0

Alle antwurden (7)

gbell12
gbell12 Fraacheigener
more options

I should note that I've checked the release notes.

And in the message compose window, if I go Security->View Security Info, it does indeed show that the status is Invalid, but no indication as to why.

Bewurke troch gbell12 op

gbell12
gbell12 Fraacheigener
more options

References: https://bugzilla.mozilla.org/show_bug.cgi?id=531073 https://bugzilla.mozilla.org/show_bug.cgi?id=1321977

Bewurke troch gbell12 op

Matt
Matt
  • Moderator
  • Top 10 Contributor
more options

I think the key is self signed certificates are not valid for encryption.

gbell12
gbell12 Fraacheigener
more options

Matt said

I think the key is self signed certificates are not valid for encryption.

Just recently? Because these same certs have been working for years.

Matt
Matt
  • Moderator
  • Top 10 Contributor
more options

Keazen oplossing

gbell12 said

Matt said
I think the key is self signed certificates are not valid for encryption.

Just recently? Because these same certs have been working for years.

I "sort of" follow certificate changes, but in all honesty most of it goes over my head. One of the reasons is the Thunderbird community use the Firefox certificate manager and store, so the developers never touch the stuff really. SO I try and follow it a bit, but usually the first we know about certificate changes are when something stops working.

I think perhaps this bug is relevant https://bugzilla.mozilla.org/show_bug.cgi?id=1485013 "The problem appears to that certs without the x509 v3 extensions cannot be added."

This might be relevant https://bugzilla.mozilla.org/show_bug.cgi?id=1475348

This is also in the current sort of timeframe. https://bugzilla.mozilla.org/show_bug.cgi?id=1122239

But given how easy it is to get a SSL/TLS certificate https://letsencrypt.org/ really is it worth messing around with self signed ones.

gbell12
gbell12 Fraacheigener
more options

According to http://kb.mozillazine.org/Getting_an_SMIME_certificate

"Let's Encrypt does not currently offer S/MIME certificates"

I grabbed 4 from comodo for all the people in my family, but unfortunately they expire in a year! When the "Greg CA" was acceptable to TBird, my certs had a 10-year expiry :)

Thanks for the info Matt.

Matt
Matt
  • Moderator
  • Top 10 Contributor
more options

I know the pain, as comodo is the last free S/mime certificate issuer I use them myself.

The only other option is enigmail and while I do not use it, it has become much more user friendly in recent years is my understanding. (at least you get to issue and revoke your own certificates.)