Unclear sending message failure when sending signed S/MIME email
I recently obtained a digital certificate for use with S/MIME. I followed the process laid out in
https://support.mozilla.org/en-US/kb/instructions-smime-certificate-using-csr
to generate my key pair, create a CSR, submit it to a CA, download the resulting certificate file, and import it into Thunderbird. I also imported the intermediate certificate showed as the issuer for my cert, which in turn appears to be signed by one of the certs trusted by default in Thunderbird.
Having done that, I see the certificate showing up under "your certificates" in the Certificate Manager, with a "not before" date in the past and a "not after" date in the future. So everything appears to look correct, but when I try to send a signed email I get the following error message as a pop-up:
"Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."
And if I look at the console in developer tools I see:
"mailnews.send: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgComposeSecure.beginCryptoEncapsulation]
_startCryptoEncapsulation resource:///modules/MimeMessage.sys.mjs:488 _writePart resource:///modules/MimeMessage.sys.mjs:536 createMessageFile resource:///modules/MimeMessage.sys.mjs:82 createAndSendMessage resource:///modules/MessageSend.sys.mjs:147 CompleteGenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6456 GenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6372 SendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6984 doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1085 doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1263 goDoCommand chrome://messenger/content/globalOverlay.js:99 oncommand chrome://messenger/content/messengercompose/messengercompose.xhtml:1 openWindowPrompt resource:///actors/PromptParent.sys.mjs:75 receiveMessage resource:///actors/PromptParent.sys.mjs:18 openPrompt resource://gre/modules/Prompter.sys.mjs:1228 openPromptSync resource://gre/modules/Prompter.sys.mjs:1071 alert resource://gre/modules/Prompter.sys.mjs:1375 alert resource://gre/modules/Prompter.sys.mjs:78 fail resource:///modules/MessageSend.sys.mjs:358 createAndSendMessage resource:///modules/MessageSend.sys.mjs:157
MessageSend.sys.mjs:149:32
createAndSendMessage resource:///modules/MessageSend.sys.mjs:149 CompleteGenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6456 GenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6372 SendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6984 doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1085 doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1263 goDoCommand chrome://messenger/content/globalOverlay.js:99 oncommand chrome://messenger/content/messengercompose/messengercompose.xhtml:1 openWindowPrompt resource:///actors/PromptParent.sys.mjs:75 receiveMessage resource:///actors/PromptParent.sys.mjs:18 openPrompt resource://gre/modules/Prompter.sys.mjs:1228 openPromptSync resource://gre/modules/Prompter.sys.mjs:1071 alert resource://gre/modules/Prompter.sys.mjs:1375 alert resource://gre/modules/Prompter.sys.mjs:78 fail resource:///modules/MessageSend.sys.mjs:358 createAndSendMessage resource:///modules/MessageSend.sys.mjs:157"
I can't make sense of the error message, since the certificate appears under "your certificates" in the certificate manager, and it does not appear to be expired. Can anyone suggest how to determine the root cause and fix it? Does it matter that the certificate is for a non-default identify I've added for the account in Thunderbird? Does it matter if the "common name" in the certificate doesn't match the "Your Name" field in Thunderbird? Any pointers on what to check would be appreciated.
All Replies (3)
Does it matter that the certificate is for a non-default identify I've added for the account in Thunderbird?
It could matter. Did you set up the new cert in your account settings after importing it? You should do this in the account settings for your identity, not for your main account: Account Settings - End-to-End Encryption Look at the S/MIME section. Check if a certificate is selected for "Digital Signing" and/or "Encryption".
Typically the email address in the certificates SAN (subject alternative name) field should match the email address for your Thunderbird identity. Note, you'll also need the recipients public key (a.k.a. their certificate) for sending an encrypted message.
Thanks for the reply! If I go to Account Settings > Manage Identifies > (select the non-default identity that the cert is for) > Edit > End-to-End Encryption I see the certificate selected under S/MIME for both "Personal Certificate for Digital Signing" and "Personal Certificate for Encryption". When I select Manage S/MIME Certificates > Your Certificates > View the SAN is shown as the email address for the identity in question (I setup the cert such that the common name, SAN, and email address all have the same value).
I suppose you did follow the instructions as per this support article? https://support.mozilla.org/en-US/kb/instructions-smime-certificate-using-csr
In addition you may want to ask at the Topicbox Thunderbird End-to-End Encryption (e2ee) mailing list. https://thunderbird.topicbox.com/groups/e2ee
You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.