New SSL certificate but Thunderbird or Mozilla pulling old settings

  • 8 replies
  • 1 has this problem
  • 1 view
  • Last reply by trinitech.nick

Hi,

We run our own email server and have recently changed the SSL certificate provider. However, when we set up mail accounts on client machines, Thunderbird brings up the old certificate. The certificate publisher is now untrusted and the expiry date is May 19th 2019. It is impossible to 'add an exception' or use different ports as Thunderbird always pulls up the certificate. Thus, it is impossible to set up mail accounts in Thunderbird. This is not local caching or anything. We believe Mozilla is actively storing account details and their associated SSL certs. Does anyone know a way out of this?

Thanks Nick

All replies (8)

Is there an error message Thunderbird shows?

You may also have to reconfigure the server to send the proper intermediate CA cert, in case it hasn't been imported into the Thunderbird certificate store.

In general, Thunderbird needs to know the entire certificate chain, from the issuing CA up to the root CA.

We believe Mozilla is actively storing account details and their associated SSL certs.

I don't think so.

Hi, thanks for the quick reply. I've attached a screenshot of the error. Sequence is: Add security exception > View certificate.

"in case it hasn't been imported into the Thunderbird certificate store."

What does this mean if Thunderbird is not storing certificates?

Nick

Sorry, I assume you're referring to local store.

When Thunderbird connects to the server, the certificate is passed to Thunderbird. Thunderbird then attempts to validate the certificate it has received.

As you are saying that the old certificate is being used, I think you need to re-examine the certificates on the server, not Thunderbird.

Hi,

Thunderbird is pulling the old (invalid) certificate. We have tested this on several machines in several locations with the same outcome. Other email clients (Mailbird, Postbox) connect via SSL with no issues. We are convinced Mozilla are storing/caching settings.

Nick

SSL is deprecated to the point of being disabled. Do you have TLS enabled?

Chosen solution

trinitech.nick said

Thunderbird is pulling the old (invalid) certificate.

It gets what the server offers. It pulls nothing.

There is a cache under Options > Advanced > Network and Disk Space. I have never heard of anything to do with SSL/TLS being cached but it will not hurt to clear it.

You appear to be using Windows. Windows has its own certificate store as well. We often see antivirus programs modify the Windows store and assume they have all the bases covered for their hacking, and then Thunderbird chokes on their hacked certificates, but that does not appear to be the case here.

The certificate you posted the details of, however, is acceptable to Windows. https://cloudblogs.microsoft.com/microsoftsecure/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ So I am assuming the server is still misconfigured and issuing the wrong certificate, but the certificate only fails the more rigorous acceptability of Thunderbird. Windows' less rigorous standards will result in mail clients that rely on Windows for certificate management having no idea there is a problem. Given Mailbird is basically a port from OSX and Postbox is Thunderbird V3 with a glossy cover and only Windows support, I would assume both use the Windows certificate store. A lot of effort is required to maintain your own certificate store.

Hi Matt,

Thanks for your help. We explored the Windows SSL cert issues, cleared everything and even tried TB setup on a new install, but same problem. This is why we were convinced it was out of our control. However, our server administrator has since found some additional configuration where the old SSL certificate still resided. He's removed this now and all is working! Very happy to report we can keep using Thunderbird!

Nick
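
Added example, not part of the original thread: a check of which certificate each mail service on the server actually presents, compared by SHA-256 fingerprint against the newly issued one, which is the kind of check that locates a leftover configuration like the one described above. The host name, the service-to-port table (conventional mail ports) and a PEM file holding only the new leaf certificate are assumptions.

```python
import hashlib
import smtplib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def served_cert(host: str, port: int, starttls: bool = False) -> bytes:
    """Return the leaf certificate (DER) the server presents on one port.

    Verification is switched off on purpose: the goal is to inspect whatever
    is served, including an expired or untrusted certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls:  # SMTP submission: upgrade a plaintext session first
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(binary_form=True)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def stale_services(expected_fp: str, observed: dict) -> list:
    """Names of services whose served fingerprint differs from the new cert."""
    return sorted(name for name, fp in observed.items() if fp != expected_fp)

def audit(host: str, new_cert_pem: str, services: dict) -> list:
    """Compare every listed service against the newly issued certificate."""
    # Assumption: new_cert_pem holds the leaf certificate only, not a chain.
    expected = fingerprint(ssl.PEM_cert_to_DER_cert(new_cert_pem))
    observed = {name: fingerprint(served_cert(host, port, upgrade))
                for name, (port, upgrade) in services.items()}
    return stale_services(expected, observed)

# Conventional mail ports (assumed); adjust to what the server exposes.
MAIL_SERVICES = {"imaps": (993, False), "pop3s": (995, False),
                 "smtps": (465, False), "submission": (587, True)}

if __name__ == "__main__":
    import sys
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as fh:
        stale = audit(host, fh.read(), MAIL_SERVICES)
    print("still serving a different certificate:", stale or "none")
```

Any service named in the output is still configured with a certificate other than the new one, regardless of what the mail client does.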