Thunderbird does not recognize a signed SSL certificate

Posted

Dear support,

I experience a very strange problem that I don't quite understand.

I run an ISP server serving HTTPS and IMAP with TLS/SSL encryption. Both services use the same SSL certificate issued by GeoTrust/RapidSSL for server edward.ennabe.de.

When I open an HTTPS connection to the server, Firefox correctly resolves the certificate chain and uses the Equifax root CA (which is correct). However, when I try to connect to a mailbox via Thunderbird, all I get in the Certificate Hierarchy is my server edward.ennabe.de. I don't think that this is "works as designed", or is it?

Is something wrong with my Thunderbird or my Dovecot configuration? What's really strange is that Firefox recognizes it properly.

Thank you in advance

Kind Regards

ZeroEnna

More system details

Application

  • User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0

christ1
  • Top 25 Contributor
2200 solutions 16086 answers
Posted

What is the exact error message you get with Thunderbird? Do you get a prompt to create an exception ('I understand the risks')?

For https://edward.ennabe.de I do get: The certificate is only valid for the following names: www.foto-treff-bielefeld.de, foto-treff-bielefeld.de (Error code: ssl_error_bad_cert_domain)

I'd expect something similar for Thunderbird.

Question owner

Hello,

yeah..uhm...sorry for this confusion. The Cert is valid for https://edward.ennabe.de:8080 (my ISPConfig Backend)

I get the message

"Certificate is not trusted because it hasn't been verified by a recognized authority using a secure signature."

Which is very strange because I use the very same certificate for both HTTPS and Mailing.

Question owner

I found this article in the mozillazine:

Link to MozillaZine KB (http://kb.mozillazine.org/Security_Error:_Domain_Name_Mismatch_or_Server_Certificate_Expired)

But I don't quite understand how I should tell any Issuer to not use MD5 hashes.

By the way, I tried the same with a new certificate signed by COMODO...same problem.

christ1
  • Top 25 Contributor
2200 solutions 16086 answers
Posted

I don't understand what you're trying to say with 'Issuer to not use MD5 hashes'.

Can you create a screenshot of the error you get in Thunderbird, and also possibly one with the cert details? See attached instructions.

Question owner

Here are the screens :) Two from Thunderbird (English language pack, but this error is language independent in Thunderbird), and two others from Firefox, where it's working properly.

Kind Regards

Modified by ZeroEnna

christ1
  • Top 25 Contributor
2200 solutions 16086 answers
Posted

Chosen solution

In Thunderbird click the 'Details' tab in the Certificate Viewer window. Do you see all CA certificates listed in the 'Certificate Hierarchy' field also installed in your Thunderbird certificate store? When checking that look for the 'Authorities' tab. If there are any certs listed in the chain missing in the Thunderbird certificate store (for whatever reason), you can try to export them in Firefox, and import them into Thunderbird.

Question owner

Hello,

your suggestion was quite helpful in many ways. I just checked the certificate chain, and it turned out to be broken. Some intermediate certs were missing. I fixed that and now it works like a charm.

Thank you very much!
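
The broken chain found above, reproduced offline as an added example (not part of the thread): a server certificate verifies against the trusted root only when the intermediate is supplied by the server or already present in the client's own store. The PKI, the CA names and the host name mail.example.test are constructed for this sketch.

```shell
#!/bin/sh
# Constructed three-level PKI (root -> intermediate -> server); all names are
# made up for this example and no real server or CA is involved.

new_req() {  # $1 = dir, $2 = basename, $3 = CN; writes $2.key and $2.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_pki() {  # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  new_req "$d" root "Example Root CA" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
  new_req "$d" int "Example Intermediate CA" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
  new_req "$d" leaf "mail.example.test" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [EXTRA]: succeeds if LEAF chains to the trusted ROOT.
# EXTRA models intermediates the server sends or the client already holds.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null
  fi | grep -q ': OK$'
}

work=$(mktemp -d)
make_pki "$work" || { echo "openssl failed to build the test PKI" >&2; exit 1; }

if chain_ok "$work/root.pem" "$work/leaf.pem"; then
  echo "leaf only: trusted"
else
  echo "leaf only: NOT trusted (issuer certificate missing)"
fi
if chain_ok "$work/root.pem" "$work/leaf.pem" "$work/int.pem"; then
  echo "leaf + intermediate: trusted"
else
  echo "leaf + intermediate: NOT trusted"
fi
rm -rf "$work"
```

Against a live server, `openssl s_client -connect HOST:993 -showcerts` lists the certificates the server actually sends, which shows whether the intermediates are included.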
