
Having trouble with digital signature/encryption settings on Ubuntu 20


I regularly send/receive encrypted email on Windows with Outlook but seeing as most of my work is done on my Ubuntu partition, I was interested in a Linux solution. I was able to connect to my Exchange server using Owl automagically and see my email, no problem. I had some experience getting smart-card readers working on Ubuntu so I already had some things in place using the OpenSC Security Device. TB was able to talk to my card reader, grab the certificates, and I was able to set my S/MIME digital signing and encryption certificates. It definitely works, I can decrypt messages that I had already received in the way I expect, it checks if I have a card inserted, asks for my PIN, and the message decrypts correctly as I would expect. The issue is that if I try to send a signed email to myself, I get the error, "Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired." A similar message is sent if I try to encrypt (but not sign) a message to myself but for the encryption certificate.

I don't understand this message, as TB can definitely see my card, ask my card for my private key, and use it to decrypt messages, so I believe my E2E settings are correct. Neither certificate is expired, both expire sometime in 2027. I even added my company's root certificate to my Certificate Authorities in TB, so I don't believe it's an issue with my certificate being deemed invalid, and the error message certainly doesn't suggest as much. I've also tried both of my card-readers in case something was only looking at the first one, but both can be signed into correctly but neither let me send signed/encrypted email. The only clues I can see are the console error in my terminal when the message fails to send...

console.error: mailnews.send: "Sending failed; , exitCode=2147500037, originalMsgURI="

Also when I open a remote debugging session, this is the error shown...

mailnews.send: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgComposeSecure.beginCryptoEncapsulation]

   _startCryptoEncapsulation resource:///modules/MimeMessage.jsm:510
   _writePart resource:///modules/MimeMessage.jsm:558

Does anyone know what I might be doing wrong and nudge me in the correct direction?


Chosen solution

Okay, after banging my head against a wall, I was able to sign an email to myself, encrypt an email to myself, and even encrypt an email to someone outside of my org, so all my use cases are covered. Here's what I did to fix everything for those poor souls trawling Google...

1. First issue was that while I had indeed imported my org's root certificate, I did not import my issuing certificate authority cert. This was complicated by the fact that my signing certificate and my encryption certificate had different certificate authorities (why??). But after importing both intermediaries and then clearing/re-adding my personal certs, I was able to sign/encrypt messages to myself.
2. You will have to do the same with anyone you exchange messages with. I wasn't able to send emails to outside folks until I had imported all of their intermediary and root certificates.

Note: on the off chance that someone from Mozilla reads this, please add some information to the error message that spells this out! Something like "A certificate was found, but an intermediary or root CA wasn't found" or something would have saved me significant time.
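The failure mode from this thread, reproduced outside Thunderbird as an added example (not part of the original posts): a constructed root CA, issuing CA and S/MIME leaf are generated with `openssl`, and the leaf is validated for signing with and without the issuing CA available. Thunderbird validates with NSS rather than OpenSSL; every name, subject and file path below is made up for the illustration.

```shell
# Constructed throwaway PKI (all names made up): root CA -> issuing CA -> S/MIME leaf.
new_key_csr() {  # $1 = dir, $2 = file stem, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
make_pki() {  # $1 = empty scratch directory
  local d="$1"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[smime]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF
  new_key_csr "$d" root "Example Root CA" &&
  new_key_csr "$d" issuing "Example Issuing CA" &&
  new_key_csr "$d" leaf "Example User" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/pki.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 30 -extfile "$d/pki.cnf" -extensions ca -out "$d/issuing.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" -set_serial 3 \
    -days 30 -extfile "$d/pki.cnf" -extensions smime -out "$d/leaf.pem" 2>/dev/null
}
# Validate leaf $3 for S/MIME signing against trusted root $1 and an optional file of
# intermediate CA certs $2 ('' = none). Prints: ok, missing-issuer or other.
chain_status() {
  local out
  if out=$(openssl verify -purpose smimesign -CAfile "$1" ${2:+-untrusted "$2"} "$3" 2>&1); then
    echo ok
  else
    case $out in
      *"unable to get local issuer certificate"*) echo missing-issuer ;;
      *) echo other ;;
    esac
  fi
}

d=$(mktemp -d) && make_pki "$d" &&
echo "root only:         $(chain_status "$d/root.pem" "" "$d/leaf.pem")" &&
echo "root + issuing CA: $(chain_status "$d/root.pem" "$d/issuing.pem" "$d/leaf.pem")"
```

For certificates already in a Thunderbird profile, NSS's `certutil -V -n <nickname> -u S -d sql:<profile-dir>` runs the comparable email-signer validation (`-u R` for the encryption certificate); the nickname and profile directory are placeholders.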
