Open Bug 1481969 Opened Last year Updated 24 days ago

Thunderbird 60 unable to find certificate for signing or encrypting (SMIME) email

Categories

(Thunderbird :: Security, defect)


Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: mozilla-bugs, Unassigned)

Attachments

(1 file)

Attached image TB sign failure.JPG
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

    Name: Thunderbird
    Version: 60.0
    Build ID: 20180731173940

    Update Channel: release
    User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0
    OS: Windows_NT 10.0       (v 1803 with all updates applied at 08/08/2018)

When writing email select either (or both) encrypt or digitally sign the message from Options menu.

All seems fine at this stage, relevant icons appear on message.

Press "send" button - get error message as detailed

Revert to Thunderbird 52.9.1, repeat above steps & message sends fine

Upgrade back to Thunderbird 60 & error returns. It is consistent and happens without fail.

I have tried restarting Thunderbird, restarting machine, removing certificates & re-installing, but error persists. Has been tried with Outlook.com & gmail.com email addresses, with identical results.


Actual results:

After trying to send email, get error message
"Sending of the message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."
or
"Sending of the message failed.
You specified encryption for this message, but the application either failed to find the encryption certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

Have confirmed certificate is visible in Thunderbird certificate store, expiry date in March 2019, and machine date/time is correct. And it continues to work fine in Thunderbird 52.9.1.


Expected results:

Send SMIME encrypted or signed (as appropriate for selection) email without error.

See bug 1470077 comment #8. The user there removed cert8.db (and possibly re-imported his personal certificates).

A solution for our institution was as follows:

* Go to Account Settings - "Security"

* Digital Signing - "Select"

* Simply reselect your certificate

Afterwards you are able to send SMIME encrypted or signed Emails again.

Hi all,

I tried the workaround to remove the cert8.db file but I had no luck. Even the tip in #2 doesn't work for me.

Before Thunderbird 60.0 for Mac everything works like a charm, but now...

Please tell me if you need any information to be able to replicate this behaviour.

Cheers
Flo

Reselecting certificate worked for me - thanks Franz

Hello,
I just wanted to confirm the bug. Same system as the original poster. Deleting the certificate and re-installing it did NOT solve the issue.

POSSIBLE SOLUTION:

Do check the account settings under S/MIME safety:
if the encryption certificate is missing try to choose one even if you do not want to encrypt.

That did the trick on my side. Signing emails was possible from that point on.

Cheers

Component: Untriaged → Security

A possible explanation/solution:
I was having the same issue in Thunderbird 68, on both Windows and Linux. I tried all of the above recommended solutions, to no avail. Then I came across bug 1574325, and had an "aha" moment.
The problem, in my case, was that the issuer of my certificate had the wrong trust settings in Thunderbird's certificate manager. So I had to get into Preferences -> Advanced -> Manage Certificates -> Authorities, and find my certificate issuer. The issuer was there all right, and listed as a proper authority - but for some reason there was no tick in the "This certificate can identify mail users" box. So I ticked it, and immediately the signing procedure was working.
Don't do this unless you really trust the certificate issuer! ... but then, if you don't, you probably wouldn't be having your certificate issued by them.
There may be lots of other ways this could go wrong, of course - the above is just one more thing to try.
I am all in favour of the idea, as expressed in bug 1574325, that the error message produced by Thunderbird in such a situation is too imprecise to be of much use.
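
A command-line check for the trust setting described in the last comment, added here as an example (it is not part of the bug thread or of Thunderbird's code). It assumes the NSS `certutil` tool is installed and parses its `-L` listing; the sample listing, the nicknames and the `smime_untrusted` function name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Lists database entries that are not
# trusted as a CA for S/MIME, i.e. the "can identify mail users" box is unticked.
#
# Real use (PROFILE_DIR is a placeholder for the Thunderbird profile directory;
# the sql: prefix selects cert9.db, dbm: the older cert8.db):
#   certutil -L -d sql:"$PROFILE_DIR" | smime_untrusted

# Constructed sample of `certutil -L` output; all nicknames are made up.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA (constructed)                                CT,C,C
Example Mail Issuer CA (constructed)                         CT,,C
Example Intermediate (constructed)                           ,,
alice@example.test (constructed)                             u,u,u
'

# Reads a listing on stdin; prints "<S/MIME flags or ->TAB<nickname>" for each
# entry whose S/MIME field has neither u (own certificate) nor C (trusted CA).
smime_untrusted() {
  awk '
    # Entry lines end in the trust triple SSL,S/MIME,JAR/XPI (letters only).
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      split($NF, t, ",")
      if (t[2] ~ /[uC]/) next
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trailing trust token
      printf "%s\t%s\n", (t[2] == "" ? "-" : t[2]), nick
    }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | smime_untrusted
```

Entries shown with empty flags can be intermediates that take their trust from a root above them, so the line that matters is the one for the chain that issued your own signing certificate.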
