
New SSL certificate but Thunderbird or Mozilla pulling old settings


Hi,

We run our own email server and have recently changed the SSL certificate provider. However, when we set up mail accounts on client machines, Thunderbird brings up the old certificate. The certificate publisher is now untrusted and the expiry date is May 19th 2019. It is impossible to 'add an exception' or use different ports as Thunderbird always pulls up the certificate. Thus, it is impossible to set up mail accounts in Thunderbird. This is not local caching or anything. We believe Mozilla is actively storing account details and their associated SSL certs. Does anyone know a way out of this?

Thanks Nick


Chosen solution

trinitech.nick said

Thunderbird is pulling the old (invalid) certificate.

It gets what the server offers. It pulls nothing.

There is a cache under Options > Advanced > Network and Disk Space. I have never heard of anything to do with SSL/TLS being cached, but it will not hurt to clear it.

You appear to be using Windows. Windows has its own certificate store as well. We often see antivirus programs modify the Windows store and assume they have all the bases covered for their hacking, and then Thunderbird chokes on their hacked certificates, but that does not appear to be the case here.

The certificate you posted the details of, however, is acceptable to Windows. https://cloudblogs.microsoft.com/microsoftsecure/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ So I am assuming the server is still misconfigured and issuing the wrong certificate, but the certificate only fails Thunderbird's more rigorous acceptability checks. Windows' less rigorous standards will result in mail clients that rely on Windows for certificate management having no idea there is a problem. Given Mailbird is basically a port from OSX and Postbox is Thunderbird V3 with a glossy cover and only Windows support, I would assume both use the Windows certificate store. A lot of effort is required to maintain your own certificate store.


All Replies (8)


Is there an error message Thunderbird shows?

You may also have to reconfigure the server to send the proper intermediate CA cert, in case it hasn't been imported into the Thunderbird certificate store.

In general, Thunderbird needs to know the entire certificate chain, from the issuing CA up to the root CA.

We believe Mozilla is actively storing account details and their associated SSL certs.

I don't think so.


Hi, thanks for the quick reply. I've attached a screenshot of the error. Sequence is: Add security exception > View certificate.

"in case it hasn't been imported into the Thunderbird certificate store."

What does this mean if Thunderbird is not storing certificates?

Nick


Sorry, I assume you're referring to local store.


When Thunderbird connects to the server, the certificate is passed to Thunderbird. Thunderbird then attempts to validate the certificate it has received.

As you are saying that the old certificate is being used, I think you need to re-examine the certificates on the server, not Thunderbird.


Hi,

Thunderbird is pulling the old (invalid) certificate. We have tested this on several machines in several locations with the same outcome. Other email clients (Mailbird, Postbox) connect via SSL with no issues. We are convinced Mozilla are storing/caching settings.

Nick


SSL is deprecated to the point of being disabled. Do you have TLS enabled?



Hi Matt,

Thanks for your help. We explored the Windows SSL cert issues, cleared everything and even tried a TB setup on a new install, but had the same problem. This is why we were convinced it was out of our control. However, our server administrator has since found some additional configuration where the old SSL certificate still resided. He's removed this now and all is working! Very happy to report we can keep using Thunderbird!

Nick
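One way to do the server-side check the replies recommend (an added example, not code from any poster in this thread): connect to each mail listener with Python's standard library exactly as a client would, record the certificate each one presents, and flag listeners that serve a different certificate from the others or fail verification, which is how a leftover configuration like the one Nick's administrator found shows up. The port numbers are assumed standard ones, not taken from the thread.

```python
import hashlib
import smtplib
import socket
import ssl
from collections import Counter

# Assumed standard ports for a self-hosted mail server (not taken from the thread).
IMPLICIT_TLS_PORTS = {"imaps": 993, "pop3s": 995, "smtps": 465}
SUBMISSION_PORT = 587  # plaintext SMTP greeting first, then STARTTLS

def _describe(tls: ssl.SSLSocket) -> dict:
    """Summarise the verified peer certificate of an established TLS socket."""
    cert = tls.getpeercert()  # parsed form is populated only after successful verification
    der = tls.getpeercert(binary_form=True)
    return {
        "ok": True,
        "subject": dict(rdn[0] for rdn in cert["subject"]).get("commonName"),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]).get("commonName"),
        "not_after": cert["notAfter"],
        "sha256": hashlib.sha256(der).hexdigest(),
    }

def probe(host: str, port: int, starttls_smtp: bool = False, timeout: float = 5.0) -> dict:
    """Handshake with one listener against the system trust store, as a mail client would."""
    ctx = ssl.create_default_context()
    try:
        if starttls_smtp:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)  # smtp.sock is now an SSLSocket
                return {"port": port, **_describe(smtp.sock)}
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"port": port, **_describe(tls)}
    except ssl.SSLCertVerificationError as e:
        # OpenSSL's reason, e.g. "certificate has expired" (stale certificate) or
        # "unable to get local issuer certificate" (intermediate CA not sent by the server).
        return {"port": port, "ok": False, "error": e.verify_message}
    except OSError as e:  # refused, timed out, STARTTLS not offered, ...
        return {"port": port, "ok": False, "error": str(e)}

def summarize(results: list) -> dict:
    """Group listeners by certificate fingerprint. A listener serving a different
    certificate from the majority, or failing verification, is where stale config hides."""
    fps = Counter(r["sha256"] for r in results if r["ok"])
    majority = fps.most_common(1)[0][0] if fps else None
    return {
        "distinct_certs": len(fps),
        "failed_ports": sorted(r["port"] for r in results if not r["ok"]),
        "odd_ports": sorted(r["port"] for r in results if r["ok"] and r["sha256"] != majority),
    }
```

Call probe() once per port (starttls_smtp=True for 587) and hand the list to summarize(); the `error` field carries OpenSSL's own reason, so an expired certificate and a missing intermediate are told apart directly.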