Certificate is not trusted because it hasn't been verified by a trusted authority.
I recently got a new wildcard certificate for my domain and have installed it on my CentOS server. It's issued by "GlobalSign nv-sa", and I believe it's installed properly. The configuration is the same as before with my old certificate although the issuer is different. I rebooted the server.
Firefox (and other browsers) accept it on my website and other email clients accept it. The only issue I am aware of currently is with Thunderbird and I'm troubleshooting this problem on my Windows 10 PC with Thunderbird 60.9.0 (32-bit).
Thunderbird issues this message (I'll attach screenshots): "The site attempts to identify itself with invalid information" ... "Unknown identity" ... "The certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure signature".
Of course, from the client point of view I know I can just add the exception; that's not my question. I want to fix the root cause of the problem on the server side.
I exited Thunderbird and deleted the cert*.db files from my profile folder, and restarted, and still get the same message.
When I view "Tools -> Account Settings -> an_account_name -> Security -> View Certificates -> Authorities", I can see GlobalSign nv-sa there.
How can I determine what's causing this problem?
I've attached an image showing the message and certificate in Thunderbird, and another showing it in Firefox. Also, there's an image showing the certificate manager - authorities.
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Is your server sending the intermediate certificate(s), such as the AlphaSSL CA - SHA256 - G2 certificate used to sign your site certificate?
This test page will tell you if there is an incomplete chain: https://www.ssllabs.com/ssltest/
(In your browser where the site works, you can check whether this is listed as a "Software Security Device" certificate, meaning Firefox picked it up from a website or other installation rather than it being a built-in root certificate.)
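The incomplete-chain check suggested above can also be run against the mail port directly, so the result does not depend on intermediates a browser has already stored. This is an added example, not part of the original thread: it reads the "Certificate chain" section printed by `openssl s_client -connect <host>:993 -showcerts` and checks that each certificate's issuer is the subject of the next one. The function names and the sample text are assumptions constructed for illustration.

```python
import re

# "s:" (subject) / "i:" (issuer) lines printed under "Certificate chain".
_DN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):\s*(.+?)\s*$")

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain section
        elif in_chain and (m := _DN_LINE.match(line)):
            if m.group(1) == "s":
                subject = m.group(2)
            elif subject is not None:
                chain.append((subject, m.group(2)))
                subject = None
    return chain

def chain_problems(chain):
    """List reasons a client without cached intermediates may reject the chain."""
    if not chain:
        return ["no certificates found in the output"]
    problems = []
    for n, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            problems.append(f"cert {n}: issuer '{issuer}' is not the subject of cert {n + 1}")
    subject, issuer = chain[-1]
    # Heuristic: a lone certificate that is not self-signed needs its issuer sent too,
    # unless that issuer is itself a root in the client's trust store.
    if len(chain) == 1 and subject != issuer:
        problems.append(f"only the leaf was sent; intermediate '{issuer}' is missing")
    return problems

# Constructed sample output (not captured from a real server); DNs reuse names on this page.
COMPLETE = """\
Certificate chain
 0 s:CN = imap4.virgin.net
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
"""
LEAF_ONLY = COMPLETE.split(" 1 s:")[0] + "---\n"

if __name__ == "__main__":
    for name, text in (("complete", COMPLETE), ("leaf only", LEAF_ONLY)):
        print(name, "->", chain_problems(parse_chain(text)) or "chain links up")
```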
Thanks. I checked on that site, and the chain appears to be complete. I notice for the GlobalSign Root CA, it says 'weak or insecure signature'. Maybe that's where the problem lies?
I also looked on the website with Firefox and I'm not seeing 'software security device' indicated anywhere in the certificate viewer.
Hi AndreP, Software Security Device would appear in the Certificate Manager in Firefox, similar to how it appears in Thunderbird. Perhaps you can do a little export/import to patch over this difficulty.
- Windows: "3-bar" menu button (or Tools menu) > Options
- Mac: "3-bar" menu button (or Firefox menu) > Preferences
- Linux: "3-bar" menu button (or Edit menu) > Preferences
- Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
In the search box at the top of the page, type cert and Firefox should filter to the "Certificates" section. Click the "View Certificates" button to open the Certificate Manager, then click the Authorities tab.
Under GlobalSign, highlight the AlphaSSL CA - SHA256 - G2 certificate and click Export. I assume the default format is one that Thunderbird will be able to Import on the corresponding Authorities tab of its Certificate Manager.
Return to the Certificate Manager, Authorities tab, and Import the certificate. Any luck?
I am getting this message for both my incoming and outgoing server. The attached message stating that the certificate does not match appears multiple times. I click on confirm security exception but the screen keeps appearing. After some time it will stop and I can then click to get mail, but the whole process will repeat if I try to send any emails, this time for the sending server.
If you click View Certificate for the Virgin server, does it have an unexpected issuer? A test site told me:
imap4.virgin.net resolves to 126.96.36.199
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by GlobalSign.
The certificate will expire in 573 days.
The hostname (imap4.virgin.net) is correctly listed in the certificate.
- Common name: imap4.virgin.net
- SANs: imap4.virgin.net
- Location: GB
- Valid from March 11, 2019 to April 23, 2021
- Serial Number: 0692b4fcb6b544268359ec84
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: AlphaSSL CA - SHA256 - G2

- Common name: AlphaSSL CA - SHA256 - G2
- Organization: GlobalSign nv-sa
- Location: BE
- Valid from February 20, 2014 to February 20, 2024
- Serial Number: 040000000001444ef03631
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: GlobalSign Root CA
Sorry for the delay in replying, I couldn't find anything wrong so I resorted to the old trick of removing and reinstalling Thunderbird and I've had no more issues.
Many thanks for your help,