Bug 1777336 Comment 43 Edit History

I found that the Mozilla core platform code, which is shared between Mozilla and Thunderbird, has introduced an automatic cleanup intermediate CA certificates.

Firefox uses some more modern code for certificate verification, and it has access to a list of pre-loaded intermediates. This is likely the reason that viewing a certificate using certificate manager can display the full chain (additional tabs with intermediates and root), because this is core Firefox code.

The cleanup code runs regularly. It checks if the permanent storage contains intermediate CAs which are already contained in the preload list that Firefox uses. If it finds such certs, it deletes them from the permanent storage.

This is very likely causing this regression bug. Because Thunderbird uses older certificate verification code, which doesn't use the list of preloaded intermediates, it can no longer find the intermediate, because it was deleted.

The cleanup behavior can apparently be turned off using a preference.

If you would like to help test, please open Thunderbird settings, open the config editor. In the search box, paste the following text:
security.intermediate_preloading_healer.enabled

Below the text you have entered, an additional line should appear, which the same security.intermediate_preloading_healer.enabled text, plus the text "true" in a second column.

Double click the word "true", and it should be automatically changed to false.

After this, ensure you have the intermediate CA imported one last time (for example by clicking a signed email that uses that intermediate).

Please report back if that fixes this bug for you.

If it does, as an automatic fix, we can try to set this setting for Thunderbird by default to false in the next update.

I found that the Mozilla core platform code, which is shared between Mozilla and Thunderbird, has introduced an automatic cleanup of intermediate CA certificates.

Firefox uses some more modern code for certificate verification, and it has access to a list of pre-loaded intermediates. This is likely the reason that viewing a certificate using certificate manager can display the full chain (additional tabs with intermediates and root), because this is core Firefox code.

The cleanup code runs regularly. It checks if the permanent storage contains intermediate CAs which are already contained in the preload list that Firefox uses. If it finds such certs, it deletes them from the permanent storage.

This is very likely causing this regression bug. Because Thunderbird uses older certificate verification code, which doesn't use the list of preloaded intermediates, it can no longer find the intermediate, because it was deleted.

The cleanup behavior can apparently be turned off using a preference.

If you would like to help test, please open Thunderbird settings, open the config editor. In the search box, paste the following text:
security.intermediate_preloading_healer.enabled

Below the text you have entered, an additional line should appear, which the same security.intermediate_preloading_healer.enabled text, plus the text "true" in a second column.

Double click the word "true", and it should be automatically changed to false.

After this, ensure you have the intermediate CA imported one last time (for example by clicking a signed email that uses that intermediate).

Please report back if that fixes this bug for you.

If it does, as an automatic fix, we can try to set this setting for Thunderbird by default to false in the next update.

I found that the Mozilla core platform code, which is shared between Mozilla and Thunderbird, has introduced an automatic cleanup of intermediate CA certificates.

Firefox uses some more modern code for certificate verification, and it has access to a list of pre-loaded intermediates. This is likely the reason that viewing a certificate using certificate manager can display the full chain (additional tabs with intermediates and root), because this is core Firefox code.

The cleanup code runs regularly. It checks if the permanent storage contains intermediate CAs which are already contained in the preload list that Firefox uses. If it finds such certs, it deletes them from the permanent storage.

This is very likely causing this regression bug. Because Thunderbird uses older certificate verification code, which doesn't use the list of preloaded intermediates, it can no longer find the intermediate, because it was deleted.

The cleanup behavior can apparently be turned off using a preference.

If you would like to help test, please open Thunderbird settings, open the config editor. In the search box, paste the following text:
security.intermediate_preloading_healer.enabled

Below the text you have entered, an additional line should appear, with the same security.intermediate_preloading_healer.enabled text, plus the text "true" in a second column.

Double click the word "true", and it should be automatically changed to false.

After this, ensure you have the intermediate CA imported one last time (for example by clicking a signed email that uses that intermediate).

Please report back if that fixes this bug for you.

If it does, as an automatic fix, we can try to set this setting for Thunderbird by default to false in the next update.
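
The interaction described in the comment above, as an added example that is not part of the original comment and is not Mozilla's code: a simplified Python model in which certificates are plain subject/issuer pairs (no signatures are checked), showing why a verifier that ignores the preload list loses its chain once the healer has run. All certificate names, the function names and the `healer_enabled` / `uses_preload` flags are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed sample certificates (names only; no keys or signatures).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("user@example.org", "Example Intermediate CA")

def run_healer(permanent_store, preload_list, healer_enabled):
    """Model of the cleanup: drop stored intermediates that are also preloaded."""
    if not healer_enabled:
        return set(permanent_store)
    return {c for c in permanent_store if c not in preload_list}

def build_chain(leaf, trust_roots, intermediates, max_depth=8):
    """Follow issuer names from the leaf to a trusted root; None if a link is missing."""
    chain, current = [leaf], leaf
    for _ in range(max_depth):  # depth limit guards against issuer loops
        for root in trust_roots:
            if root.subject == current.issuer:
                return chain + [root]
        nxt = next((c for c in intermediates if c.subject == current.issuer), None)
        if nxt is None:
            return None  # the intermediate cannot be found
        chain.append(nxt)
        current = nxt
    return None

def verify(leaf, permanent_store, preload_list, healer_enabled, uses_preload):
    """uses_preload=True models the newer verifier, False the older one."""
    store = run_healer(permanent_store, preload_list, healer_enabled)
    candidates = store | set(preload_list) if uses_preload else store
    return build_chain(leaf, {ROOT}, candidates)

if __name__ == "__main__":
    stored, preloaded = {INTERMEDIATE}, {INTERMEDIATE}
    for healer in (True, False):
        for modern in (True, False):
            chain = verify(LEAF, stored, preloaded, healer, modern)
            print(f"healer={healer} uses_preload={modern} ->",
                  [c.subject for c in chain] if chain else "no chain")
```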