Closed Bug 1939637 Opened 9 months ago Closed 6 months ago

Thunderbird does not want to digitally sign the message.

Categories

(MailNews Core :: Security: S/MIME, defect)

Thunderbird 128
defect

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: rogelli, Unassigned, NeedInfo)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0

Steps to reproduce:

Tried to send an electronically signed message.

I have a valid certificate, restarted several times and installed the certificate authority's root certificates.

Actual results:

Message sending failed.
"You have selected to electronically sign this message, but the application could not find the corresponding certificate specified in the account settings for mail and newsgroups or the certificate has expired."

Expected results:

What i did, to fix it:
I have a valid certificate for signing and it is imported into TB > remove it from TB.
Download (if you don't already have it) the PostSignum CA certificate and install it; you can get it here:
http://www.postsignum.cz/certifikaty_autorit.html
Go to TB Account Settings / Security / Manage Certificates / Authorities. Here look for the authority certificate (we are interested in PostSignum…, e.g. CA 5 is mentioned; we are talking about the authority by which our certificate is signed), click on Edit Trust and check the trust here; typically it will be "This certificate can identify e-mail users".

Then import the personal certificate back into TB and assign it to the account.

After restarting TB everything is OK.
BUT IT DIDN'T HELP ME.

I think the whole problem lies in this: when importing personal certificates into TB, the necessary certification authorities are also imported, such as "PostSignum Qualified CA 3", etc. The problem is that no "trust" is set for these authorities, so in the end TB refuses to sign the mail. It's such stupid behavior; I don't know the reason.

Component: Untriaged → Security: S/MIME
Product: Thunderbird → MailNews Core

According to this page, which was cited above,
the root CA is not yet included in Mozilla's root CA program.
http://www.postsignum.cz/certifikaty_autorit.html?l=en#googtrans(cs|en)

The CA states it has applied for inclusion.

As long as the process isn't completed, it's expected that it doesn't work automatically.

Users may manually install and trust the root CA, if desired.

I'm marking as invalid, because this isn't a bug in Thunderbird, it's working as intended.

Status: UNCONFIRMED → RESOLVED
Closed: 9 months ago
Resolution: --- → INVALID

ok, could you please instruct me, how to add root CA in thunderbird?

I assume I did it.

The instructions are the same as in Firefox, so you can follow those instructions.
However, there's an important detail that's different.
After importing a cert, you need to decide for which purpose you trust it.
In Firefox the trust flag is typically for TLS server trust, which affects web pages that you visit over https.
If you set this trust flag in Thunderbird, it only affects connections to TLS email servers and web pages displayed in Thunderbird.

To trust a CA for email, it must have the email trust bit set.

I'll point you to an article that might be helpful regarding OS setup.

But if necessary, and possibly easier, you can set it up in one specific Thunderbird instance by using prefs, certificate manager, CA tab. Ensure the CA cert is installed. Then edit the trust of the CA. Make sure you use a proper mechanism to verify that you are indeed adding trust flags for the intended CA certificate. Only do it if you trust the CA not to issue false certificates.

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

great. could you please navigate me, where to find Thunderbird instance, by using prefs, certificate manager, CA tab?

I am rather user, not programmer at all :-(
thanks for your patience

Edit | Settings | Search for Certificates

Hi,
trust of root certificate was set-up correctly. Trusted, see https://prnt.sc/xYisiC0TSdrg

rogelli, do you say the CA has been manually installed and configured as trusted, but it still doesn't work?

Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(rogelli)
Resolution: INVALID → ---

(In reply to Kai Engert [:KaiE:] from comment #7)
> rogelli, do you say the CA has been manually installed and configured as trusted, but it still doesn't work?

yes still not working

Flags: needinfo?(rogelli)

Ok, you say you have a valid personal certificate from that CA (including secret key),
you have imported that CA and marked it as trusted.

You mentioned, when you import your certificate, you see that additional CAs are imported into Thunderbird, but those aren't explicitly marked.

What you see are probably "intermediate" CA certificates. Usually, the root CA isn't used to sign the certificates of individual people. Rather, the root CA (the one you imported) signed an intermediate CA, and the intermediate CA signed the certificate for your person.

In this scenario it is sufficient to mark the root CA as trusted. Issued certificates automatically inherit the trust (if permitted).

There are a lot of rules that need to be followed when issuing certificates. Although it's possible that Thunderbird has a bug, it's also possible that your CA made a mistake when issuing your certificate (or the intermediate certificate).

We don't have a good automated tool to analyze why exactly a certificate might be rejected by Thunderbird. Please ask your CA whether your certificate is expected to work with Thunderbird. They should have tested that, and they should be able to give guidance what's necessary to make it work (if it's supported and tested by the CA).

Here is one thing you can try.

In Thunderbird's certificate manager, go to the "your certificates" tab.
Find your own certificate (the one you are trying to use, the one that you have selected in account settings),
click it to select it, then click the "view..." button.

A tab will open, and inside the tab, the line at the top shows the word "Certificate".

Please pay close attention to the line that is immediately below that line.

At the very least, you should see one column below it, with an identifier of the certificate, usually the email.

Please check what is shown "to the right of that email address".

If Thunderbird can find the issuer of your certificate, then to the right, you will see another certificate identifier, usually the name of an intermediate CA. And again to the right, you'll usually see the top issuer certificate (the root certificate), which is the one you have imported and marked as trusted.

Please tell me what you see. Do you see those names to the right? Or is there nothing shown on the right hand side? Nothing shown means, Thunderbird couldn't find a valid issuer certificate. If it cannot find it, then Thunderbird doesn't treat it as valid.

Regardless of whether the intermediate and root issuer certificates were found, this certificate viewer window will offer you to download the certificate, which will contain only the "public" parts of the certificate, which is fine to share with others.

Please click on the Download "PEM (chain)" link, and save it to a file.

If you wish me to have a look, please attach that file to an email and send it to me, kaie@kuix.de

(You may doublecheck the contents of the file to ensure it's really only a public certificate. If you open that file with a text editor, and the first line says "-----BEGIN CERTIFICATE-----" then it's fine to send, it does NOT have your secret key.)

(If you send an email to me, please mention this bug number 1939637)

See Also: → 1944810

E-mail sent with PEM; I just talked with the support of the certification authority. They have confirmed that the certificate is valid (we use them in other software on a daily basis) and that the latest version of Thunderbird is the place where the certificate is not working.
They confirmed that they tried everything possible with several clients, but the latest version of Thunderbird 128.6.1esr is buggy on this issue.
Please forward inside of your team.
Hoping for fix soon.
cheers

Thanks, I've received your certificate by email.

I notice that only one certificate is inside the file. That probably means that Thunderbird couldn't find the intermediate CA certificate to chain up to the root.

Please make sure you have the intermediate CA certificate imported that issued your certificate.

Look at the issuer name of your certificate. You need to import a certificate that has that name as its subject.
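
An added example, not code from this bug report, from the reporter or from Thunderbird, that reproduces the diagnosis in comments 10 and 12 with openssl (assumed to be installed): a made-up root CA signs a made-up intermediate, which signs a personal S/MIME certificate (all names and the e-mail address are invented for the demo). `openssl verify -purpose smimesign` against the root alone fails with "unable to get local issuer certificate", the same condition Thunderbird is in when the intermediate is missing; supplying the intermediate makes the chain validate. It also shows the issuer-equals-subject check from comment 12 and the "no private key in the file" check from comment 10.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Thunderbird: build a toy
# root -> intermediate -> S/MIME leaf chain with openssl and reproduce the
# situation diagnosed in comments 10 and 12. All names below are made up.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config (avoids depending on the system openssl.cnf).
# $1 = path, $2 = CN of the certificate
write_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_smime]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
EOF
}

make_demo_chain() {
  write_cnf "$WORK/root.cnf" "Demo Root CA"
  write_cnf "$WORK/int.cnf"  "Demo Intermediate CA"
  write_cnf "$WORK/leaf.cnf" "Alice Example"

  # Self-signed root: this is the CA the user imports and marks as trusted.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -days 3650 -config "$WORK/root.cnf" \
    -extensions v3_ca >/dev/null 2>&1

  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -config "$WORK/int.cnf" >/dev/null 2>&1
  openssl x509 -req -sha256 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/int.pem" -days 1825 \
    -extfile "$WORK/int.cnf" -extensions v3_ca >/dev/null 2>&1

  # Personal S/MIME certificate signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -config "$WORK/leaf.cnf" >/dev/null 2>&1
  openssl x509 -req -sha256 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" -days 365 \
    -extfile "$WORK/leaf.cnf" -extensions v3_smime >/dev/null 2>&1

  # What a "PEM (chain)" download should look like: public certificates only.
  cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Subject / issuer in RFC 2253 form so the two strings can be compared exactly.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Comment 12's rule: the certificate to import is the one whose subject equals
# the leaf's issuer name. $1 = leaf, $2 = candidate issuer. Prints yes/no.
issued_by() { [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ] && echo yes || echo no; }

# Comment 10's caveat before mailing the file: nothing but public certificates.
pem_has_private_key() { if grep -q "PRIVATE KEY" "$1"; then echo yes; else echo no; fi; }

# Can the leaf be validated for S/MIME signing against the trusted root?
# $1 = leaf, $2 = trusted root, $3 = optional file with untrusted intermediates.
# Prints OK, MISSING_ISSUER (the symptom discussed in this bug) or FAILED: <detail>.
smime_chain_status() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -purpose smimesign -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
  else
    out=$(openssl verify -purpose smimesign -CAfile "$2" "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo OK ;;
    *"unable to get local issuer certificate"*) echo MISSING_ISSUER ;;
    *) echo "FAILED: $out" ;;
  esac
}

make_demo_chain
echo "leaf issued by intermediate: $(issued_by "$WORK/leaf.pem" "$WORK/int.pem")"
echo "leaf issued by root:         $(issued_by "$WORK/leaf.pem" "$WORK/root.pem")"
echo "root only:                   $(smime_chain_status "$WORK/leaf.pem" "$WORK/root.pem")"
echo "root + intermediate:         $(smime_chain_status "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem")"
echo "chain.pem has private key:   $(pem_has_private_key "$WORK/chain.pem")"
```

Thunderbird keeps its certificates in an NSS database, so the shell equivalent of editing trust in the certificate manager is NSS's `certutil`; its trust string has three comma-separated fields (TLS, e-mail, object signing), so `certutil -A -d sql:<profile dir> -n "Demo Root CA" -t ",C," -i root.pem` trusts a CA for e-mail only, which is the e-mail trust bit discussed earlier in this thread, and `certutil -V -d sql:<profile dir> -n <nickname> -u S` checks whether a certificate validates as an e-mail signer. As the comment above says, trusting a CA this way is only appropriate if you trust it not to issue false certificates.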

yes, all root certificates installed and set up to be trusted
https://prnt.sc/zuSTtuVxvnts

Can you please also execute the steps I described above in comment 10, and tell me the result?
Thank you

Flags: needinfo?(rogelli)
Status: REOPENED → RESOLVED
Closed: 9 months ago → 6 months ago
Resolution: --- → INCOMPLETE