Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Can't use self-signed certificates in Thunderbird 78.x

  • 3 replies
  • 1 has this problem
  • 19 views
  • Last reply by ffsync5

more options

Hi all:

I've been using an internal email server (Postfix and Dovecot) some years ago with no problem. It is configured with STARTTLS, just a basic configuration. I have been using self-signed certifcates, the same certificates generated "by default", stored in:

/etc/ssl/certs/ssl-cert-snakeoil.pem (Postfix, SMTP server) /etc/dovecot/private.dovecot.pem (Dovecot, IMAP server)

With Thunderbird 68.x I have no problems... But with Thunderbird 78.x, it is impossible to accept this certificates.

Things I've tried:

  1. Unckeck "query OSCP responder servers" option.
  2. Create a new self-certificate using openssl (req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt)
  3. Use a certificate generated by certbot (letsencrypt)
  4. Enable outdated security protocols (see https://support.mozilla.org/en-US/kb/thunderbird-78-faq)

None of this things have worked. When I configure the email, the window freezes, and it is unable to continue. If I click to "Get certificate" or "Confirm security exception", I get no response at all (I attach an image to show it). It is no possible to "install" the certificate from "Certificate Manager" section.

Also, server dovecot log shows "SSL routines: ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42". I understand it seems that the certificate is invalid, but in Thunderbird v68 and below it works perfectly.

Any suggestion will be appreciated.

Thank you!

Hi all: I've been using an internal email server (Postfix and Dovecot) some years ago with no problem. It is configured with STARTTLS, just a basic configuration. I have been using self-signed certifcates, the same certificates generated "by default", stored in: /etc/ssl/certs/ssl-cert-snakeoil.pem (Postfix, SMTP server) /etc/dovecot/private.dovecot.pem (Dovecot, IMAP server) With Thunderbird 68.x I have no problems... But with '''Thunderbird 78.x''', it is impossible to accept this certificates. Things I've tried: # Unckeck "query OSCP responder servers" option. # Create a new self-certificate using openssl (req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt) # Use a certificate generated by certbot (letsencrypt) # Enable outdated security protocols (see https://support.mozilla.org/en-US/kb/thunderbird-78-faq) None of this things have worked. When I configure the email, the window freezes, and it is unable to continue. If I click to "Get certificate" or "Confirm security exception",''' I get no response at all '''(I attach an image to show it). It is no possible to "install" the certificate from "Certificate Manager" section. Also, server dovecot log shows "SSL routines: ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42". I understand it seems that the certificate is invalid, but in Thunderbird v68 and below '''it works perfectly'''. Any suggestion will be appreciated. Thank you!
Attached screenshots

All Replies (3)

more options

As it is your server, is there some reason you do not update to TLS 1.2 or later?

Have you tried using an encrypted port number. 143 is designated for unencrypted connections. 993 for encrypted connections. I would think Dovecote would expect the use of default ports. I know Thunderbird does.

What exactly is invalid about the certificate. Perhaps you could post the View screen. I tried a test on https://www.ssllabs.com/ssltest/analyze.html?d=servidor.klemen.cat but the domain simply does not resolve.

What is the actual server name on the certificate?

more options

Hi Matt:

Thanks for helping.

I'm using an internal email, not public to internet (I'm a teacher and I want to explain how it works to my students), so my domain is invented but it internally works in my net.

In fact, I use TLSv1.3, because it is the default certificate that Dovecot creats when you install this software... but using STARTTLS. If I use openssl s_client, I get TLSv1.3.

The fact is that I cannot assume why Thunderbird 68.x works but not 78.x with exactly the same configuration. I don't jnow if this could be a bug...

Modified by supragay

more options

I had a similar problem since about 2 weeks on my hosted mail server. I have 2 domains which both use a let's encrypt certificate. Since the latest update to TB 78.6.0 64bit one of my 2 domains was repeatedly asking to create an exception for my certificate while the other domain worked flawlessly. A look in cert_override.txt showed that the exception was added for both domains. I ended up removing the problem account and re-add it and that made it working again. The only pain was that I needed to manually re-enter my different identities which I use to separate different communication channels. It would be great if there was an import/export functions for this.