Unable to send email after updating to Thunderbird 78 – "Certificate key usage inadequate"
Some laptop users are unable to send email after updating to Thunderbird 78. The error message reads "Certificate key usage inadequate for attempted operation. The configuration related to [mail server] must be corrected."
The discussion I've previously seen about email and v78 is centered around the disabling of TLS 1.0 and 1.1, and many users have solved that problem by changing the variables security.tls.version.min and security.tls.version.enable-deprecated. That solution does nothing for our users.
Does anybody have any idea about what could be wrong, or where to start troubleshooting?
I don't know if it's relevant, but our mail server uses a self-signed certificate (which has worked until now in Thunderbird, and continues to work with other email clients).
All Replies (11)
Do you have TB 78.4 or later? There was a fix for self-signed certificates in that version:
https://www.thunderbird.net/en-US/thunderbird/78.4.0/releasenotes/
What is the antivirus on the non-working systems? Programs like Avast that scan SSL connections often cause problems.
Unfortunately, people are having problems with the latest version of Thunderbird (so v78.4.3).
I doubt it's related to the antivirus we use (NOD32); it's never interfered with sending email before version 78, one person with Outlook installed on the same laptop was able to send emails using Outlook but not Thunderbird, and I don't really see how a conflict with an antivirus program would result in Thunderbird displaying the message "Certificate key usage inadequate for attempted operation".
Do you get an exception prompt to override the error?
Try to inspect the troubled cert. Does it have any 'X509v3 Key Usage' or 'X509v3 Extended Key Usage' extensions? What are they?
kanahakkliha said
Unfortunately, people are having problems with the latest version of Thunderbird (so v78.4.3). I doubt it's related to the antivirus we use (NOD32); it's never interfered with sending email before version 78, one person with Outlook installed on the same laptop was able to send emails using Outlook but not Thunderbird, and I don't really see how a conflict with an antivirus program would result in Thunderbird displaying the message "Certificate key usage inadequate for attempted operation".
You can put your doubts to rest by running Windows in safe mode, and then see if the error message still appears in TB.
Thank you for your suggestions!
Try to inspect the troubled cert.
Inspect how? I tried viewing it in Thunderbird's certificate manager, but I didn't see anything related to "X509".
run Windows in safe mode, and then see if the error message still appears in TB.
I started one of the laptops in question in Safe Mode with Networking, but we couldn't get any internet connection in Safe Mode and so couldn't test Thunderbird.
kanahakkliha said
Thank you for your suggestions! run Windows in safe mode, and then see if the error message still appears in TB. I started one of the laptops in question in Safe Mode with Networking, but we couldn't get any internet connection in Safe Mode and so couldn't test Thunderbird.
Can you run in safe mode with networking over wifi by following these instructions?
One user managed to get networking to work in safe mode. Safe mode made no difference for the problem; the error message is still "Certificate key usage inadequate for attempted operation. The configuration related to [mail server] must be corrected".
What about trying this: Menu icon > Options > Privacy & Security scroll down to 'Security' section Under 'Certificates' - click on 'Manage Certificates' button Select 'Authorities' tab selected the relevant Certificate and click on ‘Edit Trust’
Try to inspect the troubled cert. Inspect how?
If you get an exception prompt to override the cert error, you can press the 'View' button' to inspect the cert.
You didn't answer the question whether you get an exception prompt in the first place.
Editing the trust settings didn't make any difference.
There's no exception prompt. (Sorry about missing that question.)
I'd suggest you raise a bug in Bugzilla. https://bugzilla.mozilla.org/
This kind of problem has happened in the past, and it was somehow fixed at that time.