Closed
Bug 1297636
Opened 9 years ago
Closed 9 years ago
Connections to a server with Let's Encrypt certificates are refused
Categories
(Thunderbird :: Untriaged, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: admin, Unassigned)
Attachments (1 file): 380.00 KB, application/x-tar
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Steps to reproduce:
1. Set up dovecot and postfix with working certificates, e.g. StartSSL
2. Everything works fine with Thunderbird 45.0.2 on Arch Linux
3. Switch to Let's Encrypt certificate
Actual results:
Thunderbird refuses to connect, telling me to choose a different authentication method.
Switching back to other certificate providers makes it work again.
Expected results:
Thunderbird should work with Let's Encrypt certificates.
Comment 1•9 years ago
Note that I asked multiple people from Let's Encrypt, dovecot and Thunderbird about it. There seems to be nothing wrong with my server configuration and other clients work just fine. Multiple people told me that they are using Let's Encrypt with Thunderbird and Dovecot just fine, but they weren't able to find a mistake in my configuration, so I'm filing a bug report.
If someone wants to test the bug with my server I could create an account for you and switch the certificates to the Let's Encrypt ones (I'm currently using the StartSSL certificates), contact me.
Comment 2•9 years ago
(In reply to admin from comment #1)
> Multiple people told me that
> they are using Let's Encrypt with Thunderbird and Dovecot just fine, but
> they weren't able to find a mistake in my configuration, so I'm filing a
> bug report.
This looks like a support problem. If the people who are using it successfully can't make it work, how will the overworked and unpaid TB development team find the problem? We have no time to debug specific user's problems. Sorry.
Personally, I'm not a security expert, but this is a server configuration problem, right? It's got little to do with TB, the e-mail client?
I suggest you do your own research:
https://www.google.com.au/?gws_rd=ssl#q=Let%27s+Encrypt+with+Thunderbird+and+Dovecot
https://community.letsencrypt.org/t/thunderbird-doesnt-like-letsencrypt-certificates/6148
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Comment 3•9 years ago
I expected the invalid resolution and I understand that you don't have time to debug my problems.
Thing is that every other client I tried has no problems with the Let's Encrypt certificate and my dovecot / postfix configuration. Also the only thing I changed in my configuration was the certificates. When I switch back to StartSSL certificates it works with the same configuration in Thunderbird.
Additionally I had multiple people look at my configurations and everyone told me that they were fine.
That's why I think that the problem is with TB. I guess I'll have to dig into https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Debugging_Mozilla_with_gdb .
Comment 4•9 years ago
(In reply to admin from comment #3)
> I expected the invalid resolution and I understand that you don't have time
> to debug my problems.
Indeed, as the Admin at Hashworks.net you hopefully get paid whereas we don't get paid.
Also note that TB is using M-C core functionality (used in Firefox) and I highly doubt that we do any certificate handling in TB-only code (but I could be wrong on this).
Maybe you want to try logging:
http://kb.mozillazine.org/Session_logging_for_mail/news
Don't you get any logging out of your dovecot server? It must log when a client attaches.
Just for fun, I could connect to your server in a debug build of TB this morning and see whether I get any clues. How does that sound? Mail the details to mozilla@jorgk.com.
Comment 5•9 years ago
(In reply to Jorg K (GMT+2, PTO during summer) from comment #4)
> Don't you get any logging out of your dovecot server? It must log when a
> client attaches.
See the attached dovecot logs in attachment "Tar archive of logs and image files about the issue".
> Just for fun, I could connect to your server in a debug build of TB this
> morning and see whether I get any clues. How does that sound? Mail the
> details to mozilla@jorgk.com.
Thanks, that would be great! I'll mail you.
Comment 6•9 years ago
I think the resolved->invalid was premature.
As far as I can tell, Let's Encrypt root certificates are not included yet in Mozilla code, see bug 1204656. This bug is likely a dup of that one, meaning that once the root certificate gets added, it should work. But I have not followed it that closely, so I could misunderstand the status.
Comment 7•9 years ago
(In reply to Kent James (:rkent) from comment #6)
> As far as I can tell, Let's Encrypt root certificates are not included yet
> in Mozilla code
As you can see in the logs I posted, the certificate was signed by the Let's Encrypt Authority X3, which is signed by the DST Root CA X3. So this isn't signed by the LE root CA, right? Also my Thunderbird trusts LE Authority X3 and DST Root CA X3 (as you can also see in the tar archive I posted).
Comment 8•9 years ago
I can still reproduce exactly the same issue with the same error messages in the current TB 45.5.1 but also with the newest EarlyBird (Alpha) release. It started with my switch to Let's Encrypt certificates for Dovecot and Postfix. As soon as I switch back to the old (StartSSL) certificate, everything works fine again. I do not see any issue with other clients or external testing websites or OpenSSL verifying my SSL certificate for IMAPS. So I do not think that the issue is on my side. If anybody has a hint what I could change on my client or Dovecot server I would be happy to test it.
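An added check, not part of the bug thread and not code from Mozilla, Dovecot or Let's Encrypt: comment 7 describes the chain as leaf → Let's Encrypt Authority X3 → DST Root CA X3, and comment 8 says OpenSSL verifies the IMAPS certificate. What a client actually sees depends on which certificates the server sends, so the script below builds a throwaway chain of the same three-level shape (hypothetical names "Example Root CA", "Example Intermediate CA", "mail.example.test"), serves the leaf from a local `openssl s_server` once with and once without the intermediate, and reports the "Verify return code" a client that trusts only the root gets. A server that omits the intermediate is one generic way to get "works in some clients, fails in others" (clients that have cached the intermediate from elsewhere still succeed); the thread does not establish that this was the cause here, so treat it as a check to run against a real server, not a diagnosis. The port, file layout and subjects are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Builds root -> intermediate -> leaf,
# then compares what a client trusting only the root sees when the server does
# and does not send the intermediate. Names, port and paths are hypothetical.
set -eu

PORT=${PORT:-44393}            # assumed free local port
WORK=$(mktemp -d)
SRV=""
trap 'if [ -n "$SRV" ]; then kill "$SRV" 2>/dev/null || true; fi; rm -rf "$WORK"' EXIT

# Minimal config so `openssl req` does not depend on a system openssl.cnf,
# plus extension files that make the CA certs usable as CAs on any OpenSSL.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > "$WORK/req.cnf"
export OPENSSL_CONF="$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"

# mkcsr <name> <subject>: fresh RSA key and CSR in one step.
mkcsr() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
mkcsr root '/CN=Example Root CA'
mkcsr intermediate '/CN=Example Intermediate CA'
mkcsr leaf '/CN=mail.example.test'

# Root is self-signed; intermediate signed by root; leaf signed by intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# verify_code <yes|no>: start s_server on $PORT, sending the intermediate only
# when asked, connect with a client that trusts root.crt alone, and echo the
# numeric "Verify return code" (0 means the chain verified).
verify_code() {
    if [ "$1" = yes ]; then
        openssl s_server -accept "$PORT" -cert "$WORK/leaf.crt" -key "$WORK/leaf.key" \
            -cert_chain "$WORK/intermediate.crt" -www >/dev/null 2>&1 &
    else
        openssl s_server -accept "$PORT" -cert "$WORK/leaf.crt" -key "$WORK/leaf.key" \
            -www >/dev/null 2>&1 &
    fi
    SRV=$!
    code=""
    for _ in 1 2 3 4 5 6 7 8 9 10; do   # retry until the listener is up
        out=$(openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/root.crt" </dev/null 2>&1 || true)
        code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
        [ -n "$code" ] && break
        sleep 1
    done
    kill "$SRV" 2>/dev/null || true
    wait "$SRV" 2>/dev/null || true
    SRV=""
    printf '%s\n' "$code"
}

echo "server sends leaf + intermediate: verify code $(verify_code yes)"
echo "server sends leaf only:           verify code $(verify_code no)"
```

Against a real IMAPS server the equivalent one-liner is `openssl s_client -connect mail.example.test:993 -showcerts </dev/null`, read against a trust store that contains only the roots: every certificate between the leaf and the root must appear in the `Certificate chain` section, and `Verify return code` must be 0 without any intermediate cached on the testing machine.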
Comment 10•8 years ago
I had the same problem. I deleted my user profile (~/.thunderbird) and re-created a new one, and the problem disappeared. Obviously, this is not a good solution, but I think it hints towards a bug in Thunderbird (i.e. Thunderbird has chain trust validation problems when the IMAP server changes its certificate).