Thunderbird is Now Broken or How to Disable the Updater Message?
I keep getting a message to update Mozilla Thunderbird; and yet if I do, Thunderbird totally breaks. I don't dare update it and would like it to stop popping up the message. Can I do that?
How does it break?
When I update, it no longer allows me to use the "self-signed certificate" for MY OWN SERVER! I have tried every single possible way of manually installing the certificate; but it will not allow it. 68.8 allows it just fine with a message that pops up basically saying "do you really trust so and so is so and so" [with because it is my own server, that is asking, "do you trust that you are yourself?" And, yes, I do trust that I am myself, so I click permanently accept the certificate; and it just works. Newer versions stopped working that way; at one point (I believe it was 68.10 or 68.11) I was still able to manually install the certificate; but even that stopped working.
To put for a very apt analogy. Let us say that Thunderbird is a bank for e-mail; it stores e-mail messages; and conducts transactions (deposits/downloads, withdrawals/server deletions, and check processing/connections to servers) with the account owner and those the account owner works with.
A self-signed certificate is literally the same as a person signing their own check and giving it to someone else. The bank is SUPPOSED to process that check; the drawing bank should validate the signature for sure, but the bank that the check is depositing in should have no say. [Thus I have no problem with a warning popping up saying -- do you validate this signature.]
But, can you imagine one day taking your paycheck to the bank and the bank saying "no we will not accept paychecks that aren't notarized." What is the process of notarizing a signature? It is having a third party (a trusted licensed notary public) verify that the person signing (whatever--in this case a bank check) is actually the person they say they are. That is literally what having a third party trusted root certificate signature and chain is doing; it is notarizing the signature on the security certificate.
While that may make sense for someone conducing business with someone that they do not know. It makes no sense for an employer to have to notarize the paychecks for his employees; especially when that is to the tune of several hundred dollars per year. Employees already know who their employer is; and already have established that trust.
Again, when I am providing e-mail only to employees on my company server; there is no reason at all that Thunderbird (which has nothing to do with my business; is simply only the bank account for e-mail transactions) should require me to pay extra money to establish trust that their employer is really their employer.
All Replies (4)
Just curious, why would you use encrypted connections to your own server?
Have you tried turning off the OCSP verification in options? To use your analogy is reaching out to verily your signature at the bank and can not do it.
BTW I have not seen a cheque for about 10 years they are so rare in this country, everyone uses electronic transfers, fast and more secure.
Thanks Matt for at least responding to my message. I saw your first question; and stewed for days.*
However, your second question might be the solution I seek. I honestly don't know why all these years my mind has literally glossed over that check box "Query OCSP responder servers to confirm the current validity of certificates" and the implications of having that checked. The option has been there and worked fine all these years with that checked. But who knows, maybe the newer versions will work without that. I will try that on the next computer I setup, which may be another week or two. I still don't dare make a change to my main desktop. I will reply again when I do, if that did or did not solve my problem.
- In answer to your first question though. Maybe I am just an oddball, but seems to me (or my rationale), if all connections to the email server were originating from the local network (LAN) which is how I setup the server a couple decades ago; encryption may not be necessary. But in today's world with smart phones, tablets, BYOD, people working from home, multiple job sites, etc; many connections of our employees are coming from outside of the LAN; and seems to me encryption is absolutely necessary to secure those connections. The encryption yes; the validation of the certificate no. Does that make sense? Or, am I just eccentric?
I of course use properly validated certificates for our websites that collect information from users; still I don't bother to encrypt any of the websites that are setup only to disseminate public information; no need to pay for encryption of intended public information; even though some of the employees use those domain names for the e-mail, which is where added costs would be to have validated certificates for the single email server as apposed to choosing which websites to run HTTPS vs. HTTP.
Hi there fire 17.
We have read your message. We try to help you.
Your story is right, to make transactions for and with people and / or computer.
It cannot and cannot be done without proper coding for everything electronic, yes that is today.
http://kb.mozillazine.org/OCSP_error_when_accessing_secure_sites
Greetings Firefox volunteer.
Well I said I would report back; though it took a while to get to the next computer as other projects took precedence.
I am more confused than ever (but now suspect a problem with my installs/configs and not Thunderbird).
This because of the randomness of problems I have seen. Such as: The day I went to setup the computer I was planning to test 78 with the OCSP turned off; another computer on the network auto-updated to 78; and thus I tested the OCSP setting first on that computer and still did not get it to work. So, nope that isn't the problem.
I had to uninstall that and put 68.8 back on. However, that didn't immediately work either and I had to do various things including unsintalling and removing all profile files out of AppData/Local/Thunderbird and AppData/Roaming/Thunderbird directories; and following other troubleshooting steps such as deleting the certificate from the Certificate Manager in Thunderbird, and who knows whatever else. Eventually got it to work okay.
However, when I went back to the upgrading computer (from Win 7 to Win 10) and decided to go straight to installing 68.8 it also again as I have not had any trouble with that version and these certificates; this time even 68.8 would not accept the certificates. The notice would pop up as I would expect and I could check the box for a permanent exception and accept that; but it would only give an error claiming the settings were incorrect and the server wouldn't respond (they were definitely correct) and I would click "Get Messages" and the certificate notice would pop up again, basically if it wasn't accepting it. I tried going back to 60.x and still no luck. I followed all the same troubleshooting I did earlier in the day and still nothing. I ended up getting it to only work when I changed which server name (since my work uses 5 domain names) it was connecting to; and then it worked.
On top of that over the weekend both my home computer and my wife's computer also auto-updated to 78; but had no problems with the certificate (also self-signed) for my home server; running exactly the same operating system (and postfix/dovecot versions).
Thus, I have to assume now that my above was barking up the wrong tree; and this support can be closed or ignored. I am assuming now two separate but related problems regarding security certificates:
1) Because I had to create my own OpenSSL script to create a certificate that followed Apple's expectations (see https://support.apple.com/en-us/HT210176) I very well may have created a certificate in a different fashion than what would work. But who knows, I will have to see if I can figure out what pre-programmed script I used for my home server and how it differs from what I did. And perhaps 78 would work fine if I could make the certificates in the same fashion; but still have all the data needed for Apple phones to work.
2) Thunderbird may not be storing certificates in its profile directories (where I would assume); but somewhere else in Windows; and it gets confused when trying to accept a certificate that should already have been accepted located in whichever folder it is being saved in. But, when switching the server name (all of the domain names for my work point to the same server); it assumes it is a new certificate and it just works fine (for version 68.x and below); for the multi-domained server. And no problems on a server of just one domain.
---
Still unless or until I can figure out why it won't work; I don't dare do any updates. Which is very sad.