Yonke imikhiqizo Community Forum

1. 1. Резюме выделенного

1. 1. 1. Общее

Выделенный фрагмент содержит **цепочку из трёх X.509 TLS-сертификатов** (формат PEM), а также временну́ю метку **«5–7 минут»** (вероятно, срок действия или контекст страницы).

---

1. 1. 1. Сертификат 1 — Конечный (End-Entity)

- **Субъект:** `accounts.firefox.com` - **Выдан:** Let's Encrypt (R13) - **Действителен:** 15.02.2026 — 16.05.2026 - **Тип:** TLS-сертификат сервера (Domain Validated) - **Алгоритм:** RSA 2048 / SHA-256

---

1. 1. 1. Сертификат 2 — Промежуточный (Intermediate CA)

- **Субъект:** `R13` (Let's Encrypt) - **Выдан:** ISRG Root X1 - **Действителен:** 13.03.2024 — 12.03.2027 - **Назначение:** Подпись конечных сертификатов Let's Encrypt

---

1. 1. 1. Сертификат 3 — Корневой (Root CA)

- **Субъект:** `ISRG Root X1` (Internet Security Research Group) - **Действителен:** 04.06.2015 — 04.06.2035 - **Назначение:** Доверенный корневой центр сертификации; самоподписанный

---

1. 1. 1. Итог

Полная цепочка доверия: `accounts.firefox.com` → `Let's Encrypt R13` → `ISRG Root X1`

Hello

I just recently purchased a new SSL certificate for our domain from bluehost. Now I get the following error message from Thunderbird.

Configuration not trusted. We received the configuration for your email over a connection that isn't as secure as we'd like. This means there is a tiny chance that someone could have altered it. Double check provided configuration.

I entered my server dashboard and compared the manual email settings and the settings match exactly.

I have paused anti-virus software on both my mobile and laptop and have uninstalled and reinstalled Thunderbird but nothing helped. Contacted Bluehost all is working fine. I can access my email from other clients but not from Thunderbird.

Any thoughts thanks

Gary K.

I would kindly ask for adding support for PGP/inline for Thunderbird on desktop. I am aware that there is a valid argument against PGP/inline and a workaround for using it regardless [1]. However, there are also some use cases, which apparently led to it being implemented for Android [2]. My use case are PGP/inline signatures for (unencrypted) newsgroup posts. In this context, the advantages of MIME are less pronounced and some disadvantages show. PGP is less supported by newsreaders, which in the worst case leads to illegible messages in the case of MIME. In some groups, multipart messages are prohibited by the charter. Similarly, for discussion based groups, attachments are seldom (or prohibited) and messages often monolithic, thus ensuring integrity even with PGP/inline. Also, privacy (unencrypted metadata) is not really a concern on a public message board. While PGP/MIME is a good default, newsgroups are an example where it would be desirable to have an option to switch to PGP/inline on a message-by-message basis or even as an account default. There are already PGP specific options in both, the account settings and the message settings. Extending that by another checkbox seems like a good solution to me.

[1] https://support.mozilla.org/en-US/questions/1446050 [2] https://github.com/thunderbird/thunderbird-android/issues/1974

I've disabled HTTPS only mode. When i enter a local http://server.localdomain server Firefox upgrades that to https://server.localdomain. How do I disable that?

Hi there.

Since quite a while Firefox is trying to enhance our browsing security by "upgrading" connections from "http" to "https." This may generally be a good idea, but it is literally driving me crazy at the moment because it also does so for "internal" sites I host within my LAN (such as my "Home Assistant" instance or a Zigbee coordinator, accessible via its own hostname and web UI). However, these connections will fail, because I don't have certificates for my internal hosts, and thus there is no "https" listener. :-(

(I use my own subdomain "<host>.city.internal.example.org" internally, so Firefox may be confused?)

I feel this behavior has become "more aggressive" within the last few days, so maybe it is due to a Firefox update?

Is there a bullet-proof way to prevent Firefox from doing so?

I've already set the below options to false: - dom.security.https_first - dom.security.https_first_for_custom_ports - dom.security.https_first_for_local_addresses - dom.security.https_first_for_unknown_suffixes - dom.security.https_first_pbm - dom.security.https_first_schemeless - dom.security.https_only_mode - dom.security.https_only_mode.upgrade_local - dom.security.https_only_mode_pbm

Help, please!

I'm close to abandoning Firefox in favor of a different browser, because at the moment it's close to being unusable for me anymore... :-(

Kind regards,

Ralf

I am trying to export multiple messages that were sent to me encrypted with my pgp key as .eml files that contain the unencrypted message without needing to be decrypted. When using the default save function and ImportExportToolsNG on both server messages and locally stored messages, the .eml files exported just contain the encrypted pgp message block. Is this possible or will I have to manually decrypt each message?

In my work account on a Microsoft Exchange server, we have public keys for all users in LDAP. Sometimes an encrypted email message from a known user fails to decrypt, instead showing a panel with no menu: "Thunderbird cannot decrypt this message". Errors are sporadic: for a few senders, all messages fail to decrypt on my Thunderbird, while for a few other senders, all messages successfully decrypt. For most senders, it seems to randomly depend on the particular message. In one odd case, a chain of replies can be successfully decrypted up to a point, and from there on, all replies fail to decrypt for me. We've looked into all the settings, and we've tried variations where someone sends me an encrypted message without signature, then another with encryption and signature. Nothing seems to consistently cause or avoid the error, it just seems to happen randomly.

Can someone recommend a way to diagnose the problem, for example debug logs?

It would also be helpful to try manually decrypting the raw received message using openssl. Is it possible to find it somewhere in the `~/.thunderbird/` area?

How does one export one's private key (secret key) using OpenPGP in Thunderbird in Windows 10?

In this directory... C:\Users\meow\AppData\Roaming\Thunderbird\Profiles\yy677g4j.default-release\

I find these files... (I have obfuscated some of the file names) secring.gpg pubring.gpg 0xBBBBBBBBBBBBBB_rev.asc 0xAAAAAAAAAAAAAA_rev.asc 0xCCCCCCCCCCCCC_rev.asc

It seems that the secring.gpg file would contain 3 private keys, corresponding to the 3 public keys shown. I would like to ask how can I create a file containing the private key which corresponds to the "CCCCC..." public key but NOT containing the private key for any other key pair.

Thunderbird's OpenPGP menu allows me to easily export the public key, but does not seem to provide any mechanism for exporting my private key.

Thanks for your advice! ~uxfail

Dzień dobry, podczas tworzenia wiadomości i próbie zapisania jej na później, otrzymuję komunikat:

Ostrzeżenie Błąd podczas zapisywania szkicu - W Twojej bazie kluczy nie można odnaleźć identyfikatora klucza „0xD3ADE4868E262032”.

Nie potrafię tego naprawić. System iOS na Mac.

Proszę o wsparcie.

Pozdrawiam

DEUTSCH (English see below):

Hallo zudammen,

Konfiguration: - Window11 25H2 (aktuell) - Thunderbird Beta-6 (BuildID=20260213180051) - gpg2.5.17 (Gpg4Win 5.0.1); siehe auch: <https://www.gpg4win.de/>

Der bisherige und standarmärige Installationspfad von "Gpg4Win": "C:\Progam Diles (x86)\Gpg4Win\" wurde softwareseitig auf: "C:\Progam Diles\Gpg4Win\" geändert!

Bug 1967121 (Closed) => thunderbird148 --- fixed! <https://bugzilla.mozilla.org/show_bug.cgi?id=1967121>

Zur Zeit verfolge ich die Änderungen bezüglich der externen Schlüsselverwaltung in Thunderbird-Beta, da das Arbeiten mit externen Schlüsseln in der esr- und in der relesease-Version von Thunderbird seit der offiziellen Herausgabe von gpg2.5.x absolut nicht mehr möglich ist! Die geheimen Schlüssel für das Entschlüsseln und Signieren werden mit gpg2.5.x nicht mehr gefunden!

In der Schlüsselverwaltung von TB-Beta befinden sich meine öffentlichen Schlüssel und alle öffentlichen Schlüssel meiner Kommunikationspartner. Extern sind meine geheimen Schlüssel gelagert. Folgende Präferenz wurde aufgrund von gpg2.5.x hinzugefügt:

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-35-46-df59be.png

Allerdings erscheint nach all diesen Maßnahmen die Fehlermeldung: "The secret key that's required to decrypt this message is not availlable."

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-36-58-d8280e.png

Mit Herausgabe von Thunderbird/148.0 (release) sind dort die gleichen Probleme mit der externen Schlüsselverwaltung zu bepbachten!

Mit Versionen gpg < 2.5 funktioniert unter Windows alles problemlos!

UNTER LINUX haben hier Änderungen an der Präferenz: "mail.openpgp.load_untested_gpgme_version" nachweislich keinerlei Auswirkungen!

Was übersehe ich?

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ENGLISH:

Hello,

Configuration: - Window11 25H2 (current status) - Thunderbird Beta-6 (BuildID=20260213180051) - gpg2.5.17 (Gpg4Win 5.0.1); see also: <https://www.gpg4win.de/>

The previous and default installation path of "Gpg4Win": "C:\Program Files (x86)\Gpg4Win\" has been changed by the software to: "C:\Program Files\Gpg4Win\"!

Bug 1967121 (Closed) => thunderbird148 --- fixed! <https://bugzilla.mozilla.org/show_bug.cgi?id=1967121>

At the moment, I’m following the changes regarding external key management in Thunderbird Beta, because working with external keys in the ESR and release versions of Thunderbird has become absolutely impossible since the official release of gpg 2.5.x! The secret keys required for decryption and signing are no longer found when using gpg 2.5.x!

In Thunderbird Beta’s key manager, my public keys and all public keys of my communication partners are present. My secret keys are stored externally. The following preference was added because of gpg 2.5.x:

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-35-46-df59be.png

However, even after all these measures, the following error message appears: **"The secret key that's required to decrypt this message is not available."**

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-36-58-d8280e.png

With the release of Thunderbird 148.0 (release), the same problems with external key management can be observed there as well!

With gpg versions **older than 2.5**, everything works flawlessly under Windows!

• • UNDER LINUX**, changes to the preference

"mail.openpgp.load_untested_gpgme_version" have demonstrably no effect at all!

What am I missing?

J'ai déjà un mail gmx , "andre.et@gmx.fr" est-ce cette adresse qui est crypter ?

Ou est ce une nouvelle adresse ? Chez Mozilla

Merci de m'éclairer André

Using firefox 148, when I select the "CIRA Canadian shield" DNS over HTTPS option it does not work. If I select the other 2 options Cloudflare or NextDNS those options work.

What is the problem with DOH for CIRA option ?

Several of my financial accounts give me this error with Firefox. I had to go to Edge to get my tax documents. I'd much rather have a way to get to my sites without leaving Firefox.

HSTS required

Other websites may require HTTP Strict Transport Security (HSTS) and will not allow access with an insecure connection.

Hello,

I am moving over to Thunderbird from outlook. I have about 8 emails with two domains. First email works okay. The second one on the same domain has turned red on the left panel and thunderbird keeps poppoing up the certificate for mail.xxx.com is not valid for the server. The other works I added the exception when setting it up. The mail server is another domain used from my cpanel hosting provider. So it does not match the domain of the emails.

I can't seem to find a way around this to get it to work. Also I under account settings it looks correct. I am thinking this error message is the incoming mail server? I don't see under account setting anything for incoming mail server which on my hosting is the same for incoming and outgoing. Appreciate any help.

Thank you!

I wanted to completely disable TLS 1.3 when using Firefox, so I set security.tls.version.max to 3 (which corresponds to TLS 1.2). That worked up until I got version 140.0.4 installed - now it completely ignores this setting no matter what I set. I tried using cloudflare-ech.com website for test and it confirms that my browser uses TLS 1.3 with ECH. I also tried modifying security.tls.version.fallback-limit to 0 and security.tls.version.min to 0 to get a possible range of TLS 1.0-1.2, but it still uses TLS 1.3.

Have two accounts in Thunderbird, for one configured PGP-Encryption, for another wanted to setup S/MIME with a certificate, however, I'm missing end-to-end encryption menu in this account setup (only the first one has it). Do I miss some check-box somewhere?

My mobile package site shows mixed-content warnings on Firefox — how can I fix this? Hello everyone, I run a website, which provides information about mobile phone prices and SIM packages in Bangladesh. Recently, I noticed that when users visit some pages in Firefox, the browser shows a “mixed-content” warning or blocks certain scripts. The same pages load fine in Chrome. All my URLs use HTTPS, and I’m using a LiteSpeed server with Cloudflare CDN. Could this issue be related to how Firefox handles external resources (like embedded operator banners or analytics scripts)? What’s the best way to debug and fix mixed-content problems in Firefox Developer Tools? Any detailed guidance or best practices would be greatly appreciated. Thanks in advance!

I received 2 notifications stating that 1) The certificate for imap.gmail.com does not come from a Trusted Source and 2) You are about to override how Thunderbird Identifies this site. Legitimate banks, stores and other public sites will not ask you to do this. This site attempts to identify itself with invalid information. The certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure Signature. I have been with Thunderbird for around 20 years and have contributed to it twice, so please help me!