Open Bug 531073 Opened 15 years ago Updated 1 month ago

S/MIME certificate could not be found although it is available

Categories

(MailNews Core :: Security: S/MIME, defect)

x86
Windows XP
defect

Tracking

(Not tracked)

People

(Reporter: webforen, Unassigned)

References

Details

(Whiteboard: [kerh-bra][psm-smime][psm-cert-manager])

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Build Identifier: version 2.0.0.24pre (20091125) (and usually Version 2.0.0.23 (20090812))

When I want to write an E-Mail to user@example.com and encrypt it I get "Unable to save your message as draft. You specified encryption for this message, but the application failed to find an encryption certificate for user@example.com" when sending or saving the message.

When I go in "View Security Info" the status of recipient "user@example.com" is shown as "Not Found". But this is indeed not true. The certificate with exactly the same address (E=user@example.com) is in the list "Other people's" and it is fully trusted as well as valid. Purpose is "Sign,Encrypt" and other certificates from the same CA seem to work with no problems. Also, the same IMAP account (with the same certificates but of course a different profile) works well on a different computer.

I tried to:
*) Delete the certificate and display a message with the signature in order to force a re-import (a few times with different mails etc.)
*) Resend the message in order to force a "clean" re-import
*) Delete all entries in the address book from the specified user
*) As proposed use the latest nightly build
*) Searched the internet for keywords in German and English --> no results
*) Searched Bugzilla

And I also tried to create a new profile, but unfortunately it works with a new profile. But I can't create a new profile because my profile contains all of my personal data. Maybe there is also a way to reset the information concerning the certificate in the profile?

I would try any suggestions; it seems to me that this is a bug in Thunderbird in general. I would also provide you with more information but unfortunately until now I have no information on how to reproduce it *without* the complete profile.

Reproducible: Always
Do you have more than one identity for this account? Anything in Tools -> Error console? Do you also have the issue in -safe-mode?
Component: General → Security
QA Contact: general → thunderbird
Hi, and thanks for the reply. I tried safe mode and also error console, nothing happens.

What do you mean by "more than one identity"? I by myself have multiple identities and also certificates. But this seems not to be the problem because I can send encrypted mail to any other person except user@example.com. For the user "user@example.com" there is only one single certificate and as described above I also tried deleting it and reimporting it (by viewing a signed certificate from that person).

In the meantime I tracked the error down to cert8.db: If I delete this file and reimport my personal certificates as well as the problematic one for user@example.com it works.

But that also means that all of my other certificates are lost, also from other persons (my cert8.db is a few hundred KB). Until now I also did not find a way to export the certificates of other persons (and websites). I also tried with the pk12util but this seems to only be able to export personal certificates and not certificates from other persons. But with certtool -L all the certificates are listed and also no problem with cert8.db is reported.
(In reply to comment #2)
> What do you mean by "more than one identity"? I by myself have multiple
> identities and also certificates. But this seems not to be the problem because
> I can send encrypted mail to any other person except user@example.com.

For one account you can associate more than one email address and we call that identities.

> For the user "user@example.com" there is only one single certificate and as
> described above I also tried deleting it and reimporting it (by viewing a
> signed certificate from that person).
>
> In the meantime I tracked the error down to cert8.db: If I delete this file and
> reimport my personal certificates as well as the problematic for
> user@example.com it works.
>
> But that also means that all of my other certificates are lost, also from other
> persons (my cert8.db is a few hundred KB). Until now I also did not find a way
> to export the certificates of other persons (and websites). I also tried with
> the pk12util but this seems to only be able to export personal certificates and
> not certificates from other persons. But with certtool -L all the certificates
> are listed and also no problem with cert8.db is reported.

So you have one email account and more than one email address associated with it, right?
Hello,

Yes, that's true. I even have 2 IMAP Accounts, 3 NNTP Accounts and a Weblog Account, whereas the first IMAP Account has many identities.

Nevertheless I think I have found the bug and a way how to reproduce it :-)

As said before, I could not write encrypted mail to user@example.com although the Certificate (from "The USERTRUST Network" aka Comodo) was in the certificate store and valid. Now I saw that there was another certificate from "Thawte Freemail". This certificate is expired and had a different mail address for the same user. But Thawte allowed entering more than one mail address. And this certificate had also an entry for the address user@example.com. Can you follow me?

So it seems to me that the problem can be reproduced that way:
*) Get a certificate for "John Doe" with E-Mail address "foobar@example.com". Assign a second value for the "E" field with user@example.com, i.e.: E=foobar@example.com,E=user@example.com. Let this certificate expire
*) Get a new certificate for "John Doe" (maybe from a different CA) with mail address user@example.com, i.e. E=user@example.com

Now try to write encrypted mail to user@example.com.
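The reproduction described in the comment above, as an added example that is not part of the bug report or of Thunderbird/NSS code: a plain-Python model of a recipient-certificate lookup over a constructed certificate store (dates, nicknames and the trust flag are assumptions), contrasting a first-match lookup that fails on the expired cert with one that considers every cert for the address.

```python
"""Recipient-certificate lookup for S/MIME encryption.

Added example, not Thunderbird or NSS code. It models the store from the
comment above: an expired Thawte Freemail cert carrying both
E=foobar@example.com and E=user@example.com, and a newer valid cert for
user@example.com. Dates and nicknames are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class StoredCert:
    """Minimal stand-in for an X.509 certificate in cert8.db."""
    nickname: str
    issuer: str
    emails: tuple                      # every e-mail address in the subject
    not_before: datetime
    not_after: datetime
    key_usage: frozenset = frozenset({"digitalSignature", "keyEncipherment"})
    trusted_for_email: bool = True     # chain trusted to identify mail users

    def is_valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after

    def usable_for_encryption(self, when: datetime) -> bool:
        return (self.is_valid_at(when)
                and "keyEncipherment" in self.key_usage
                and self.trusted_for_email)


def first_match_lookup(store, recipient, when) -> Optional[StoredCert]:
    """A lookup that reproduces the symptom reported here: take the first
    cert whose e-mail matches and give up if it is unusable."""
    for cert in store:
        if recipient in cert.emails:
            return cert if cert.usable_for_encryption(when) else None
    return None


def best_match_lookup(store, recipient, when) -> Optional[StoredCert]:
    """Consider every cert for the address, drop the unusable ones and
    prefer the one that stays valid longest."""
    candidates = [c for c in store
                  if recipient in c.emails and c.usable_for_encryption(when)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.not_after)


# Constructed sample store: the expired cert was imported first.
NOW = datetime(2009, 11, 26, tzinfo=timezone.utc)
EXPIRED_THAWTE = StoredCert(
    nickname="John Doe - Thawte Freemail", issuer="Thawte Freemail",
    emails=("foobar@example.com", "user@example.com"),
    not_before=datetime(2007, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2008, 1, 1, tzinfo=timezone.utc),
)
VALID_COMODO = StoredCert(
    nickname="John Doe - USERTRUST", issuer="The USERTRUST Network",
    emails=("user@example.com",),
    not_before=datetime(2009, 6, 1, tzinfo=timezone.utc),
    not_after=datetime(2010, 6, 1, tzinfo=timezone.utc),
)
STORE = [EXPIRED_THAWTE, VALID_COMODO]

if __name__ == "__main__":
    print("first match:", first_match_lookup(STORE, "user@example.com", NOW))
    print("best match :", best_match_lookup(STORE, "user@example.com", NOW).nickname)
```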
So now you can send signed emails?
I could also send *signed* mail but not *encrypted*. Yes, now I can send *encrypted* mail to user@example.com but after deleting the other certificate from the certificate store.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Thunderbird → Core
QA Contact: thunderbird → psm
I do have the same issue with Thunderbird 3 betas as well as the current final release of Thunderbird 3. When I try to send an S/MIME encrypted e-mail to myself it's not able to find any cert. Platform is Mac OS X. In the cert store the cert is listed, not as person but under "my certs". Did not find any workaround or solution.
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Whiteboard: [psm-smime]
I experienced the same problem and applied a workaround from the StartSSL user forum (see last post in this thread: https://forum.startcom.org/viewtopic.php?f=15&t=1656&st=0&sk=t&sd=a&start=15 )

Here's my setup:
. Thunderbird 3.1.5 on Mac OS 10.6.4 for user A
. Thunderbird 3.1.6 on Windows XP SP3 for user B

A has a valid personal certificate from StartSSL for signature and encryption, and several public certificates from B (1 valid by StartSSL, and several expired by StartSSL and Thawte). B is in the same situation (1 valid personal certificate from StartSSL for signature and encryption, and several public certificates from A (1 valid by StartSSL, and several expired by StartSSL and Thawte)).

Signed mail from A to B and B to A is valid (TB shows the signatures as valid, and imports the certs into its database). When A tries to send encrypted mail to B, Thunderbird blocks with a "no valid certificate found" error. Same when B tries to send encrypted mail to A.

The workaround is to delete all certificates from your correspondent and then reimport the last one from a signed e-mail. This worked in both cases (A and B).

I hope this helps, and that someone can fix it.

Paul-Henri
I experienced a similar problem today, involving multiple accounts that have multiple certificates. I was unable to send an encrypted message to myself, either from account 1 to account 1, account 1 to account 2, etc...

I "fixed" the problem by doing the following:
1. backed up all of my personal certificates in one .pk12 file (the two new ones plus a number of old certificates for these and other accounts)
2. backed up the newest certificate for the first account in a second .pk12 file
3. backed up the newest certificate for the second account in a third .pk12 file
4. deleted all personal certificates, exited and restarted Thunderbird.
5. imported the second and third pk12 files
6. successfully sent encrypted email from each account to itself and the other account
7. imported all the certificates in the first pk12 file
8. At this point everything worked properly, even after exiting and restarting.

Hope this helps someone who needs a workaround. Unfortunately, I don't know how to create the problem from scratch, so it may not be helpful for debuggers.
Same problem experienced in both Thunderbird 3.1.6 and Firefox 3.6.12 after adding 2 new personal certs to 3 already expired existing certs. I can confirm that the above workaround from tlauck "corrected" the problem for me in both FF and TB, without restarting after step 4, nor sending mails in step 6.

So my workaround was as follows:
1. Backup All
2. Backup only new 1
3. Backup only new 2
4. Delete all personal certs
5. Import new 1
6. Import new 2
7. Import all
I had a slightly different issue (Bug 614109) that dealt only with signing my mail, rather than encrypting. The workaround didn't work for me the first time - I had to add new steps - step 7 in this flow:
1. Backup All
2. Backup only new 1
3. Backup only new 2
4. Delete all personal certs
5. Import new 1
6. Import new 2
7. NEW - go to Tools->Account Settings->Security of the account(s) that is giving issues and "Clear" the selected certificate even if it's using the right one.
8. NEW - on that same screen, "Select" the certificate
9. Import all

Thanks to all for pointing out the workaround!
This bug is still present in Thunderbird 3.1.7 (Win7). Existing expired public keys are still blocking the use of new valid public keys when encrypting an email. Manually purging the certificates of other people in the certificate window of Thunderbird with hundreds of entries is... troublesome.
I have removed my own certificate. But you have to create an account and send an encrypted mail to dr.juergen.winter@online.de and the bug is reproducible.
(In reply to comment #15)
> This bug is still present in Thunderbird 3.1.7 (Win7).
>
> Existing expired public keys are still blocking the use of new valid public
> keys when encrypting an email.
> Manually purging the certificates of other people in the certificate window of
> thunderbird with hundreds of entries is... troublesome.

I think this bug is independent from the OS version. The sample profile I have uploaded has only three certificates for only one email address and the bug is present. I cannot send an encrypted mail to this address although the certificate is valid. Can anyone confirm this bug?
Changing to NEW as this seems to affect SeaMonkey as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [psm-smime] → [kerh-bra][psm-smime][psm-cert-manager]
Is this a duplicate of bug 596221? We recently added a fix to the Mozilla Aurora branch. If there are nightly Thunderbird builds based on the Aurora branch, could you try whether this is fixed for you?
I have the same problem...
Bug still seems to be around... Mac OSX 10.9.5 Thunderbird: 31.1.2
With Earlybird (34.0a2) on Mac OSX 10.9.5 I am able to send encrypted S/MIME e-mails, but the certs still don't show up in the certificate store.
Same problem here with the version of Thunderbird from CentOS 7. 31.4.0
Component: Security: PSM → Security: S/MIME
Product: Core → MailNews Core
Same problem, using Thunderbird 45.2.0 on a Mac (OSX 10.8.5). Also using Thunderbird 45.0.0 / 45.2.0 on Windows 7 Pro 64-bit. All the certificates work OK with Apple Mail. But despite certificates being installed correctly in Thunderbird, as they are supposed to be, under Authorities and under Your Certificates, *none* are found by Thunderbird when sending and trying to encrypt: Security Info > Certificates > Recipient (recipient's e-mail address) > Status ("Not Found")
(In reply to Mike from comment #29) And, the same problem exists in Mozilla SeaMonkey 2.40.
Today I faced the following error message using Thunderbird 60.0 on two computers with Windows 10 Pro 64-bit and Windows 10 Home Single Language 64-bit: "Sending of message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired." Using Thunderbird 52.4.0 on those same computers I was able to send digitally signed e-mail messages. The Bug 614109 linked me here.
Can confirm. Getting the same message with Thunderbird on Ubuntu 18.04 when trying to even sign a message with S/MIME certificate: "Sending of message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired." Earlier versions worked fine.
(In reply to vinyanalista from comment #31)
> Today I faced the following error message using Thunderbird 60.0 on two
> computers with Windows 10 Pro 64-bit and Windows 10 Home Single Language
> 64-bit:
>
> "Sending of message failed.
> You specified that this message should be digitally signed, but the
> application either failed to find the signing certificate specified in your
> Mail & Newsgroup Account Settings, or the certificate has expired."

Today I got the same error message using Thunderbird 60.2.1 on a computer with openSUSE Leap 15.0 64-bit. I made a screenshot: http://paste.opensuse.org/30679294

> Using Thunderbird 52.4.0 on those same computers I was able to send
> digitally signed e-mail messages.

I realized that Thunderbird 52.9.1 was available on the openSUSE Leap 15.0 OSS Update repo, so I downgraded it. Then, I was able to send a digitally signed e-mail.
Related thread: https://support.mozilla.org/en-US/questions/1238056#answer-1166442 The problem went away when I replaced my self-signed certificates with free ones from Comodo (but they expire in 12 months :( ). https://www.comodo.com/home/email-security/free-email-certificate.php In the message compose window go Security->View Security Info and see what it thinks of your cert.

(In reply to vinyanalista from comment #31)
> "Sending of message failed.
> You specified that this message should be digitally signed, but the
> application either failed to find the signing certificate specified in your
> Mail & Newsgroup Account Settings, or the certificate has expired."

Today I got the same error message using Thunderbird 60.6.1 on a computer with openSUSE Leap 15.1 64-bit.

But I got it SOLVED.

Googling, I found this page:

https://maian.org/blog/2011/05/thunderbird-and-smime-certificates-fixing-unable-to-sign-message-error/

It suggests verifying the CA trusts:

  1. Go to Preferences > Advanced > Certificates > Manage Certificates > Authorities
  2. Select your CA certificate (in case it is not in the list, import it)
  3. Click Edit Trust
  4. Check all the available options (for me: "This certificate can identify web sites." and "This certificate can identify mail users.")
  5. OK, OK, Close

After doing that, I was able to send a digitally signed message.

(In reply to vinyanalista from comment #35)
> Today I got the same error message using Thunderbird 60.6.1 on a computer with openSUSE Leap 15.1 64-bit.
>
> But I got it SOLVED.

Not so fast...

Today the same message appeared, even though yesterday I sent some digitally signed messages.

Then I went to Preferences > Advanced > Certificates > Manage Certificates and Thunderbird asked me my token PIN password.

Everything was in place, I closed the Preferences dialog.

Back to the message, this time I was able to send it. Thunderbird did not ask my token PIN password again.

I remember that Thunderbird 52.9.1 used to ask the PIN password right after clicking Send in the message window.

Comment 36 might be about bug 1519093.

(In reply to vinyanalista from comment #35)
> (In reply to vinyanalista from comment #31)
> > "Sending of message failed.
> > You specified that this message should be digitally signed, but the
> > application either failed to find the signing certificate specified in your
> > Mail & Newsgroup Account Settings, or the certificate has expired."
>
> Today I got the same error message using Thunderbird 60.6.1 on a computer with openSUSE Leap 15.1 64-bit.
>
> But I got it SOLVED.
>
> Googling, I found this page:
>
> https://maian.org/blog/2011/05/thunderbird-and-smime-certificates-fixing-unable-to-sign-message-error/
>
> It suggests verifying the CA trusts:
>
>   1. Go to Preferences > Advanced > Certificates > Manage Certificates > Authorities
>   2. Select your CA certificate (in case it is not in the list, import it)
>   3. Click Edit Trust
>   4. Check all the available options (for me: "This certificate can identify web sites." and "This certificate can identify mail users.")
>   5. OK, OK, Close
>
> After doing that, I was able to send a digitally signed message.

"2. Select your CA certificate (in case it is not in the list, import it)" - Dear friend, you should know that for modern security requirements the certificate has to be stored on removable storage (usb, smartcard or whatever) and CAN NOT be imported as a file!

So, your solution DOES NOT work for good security guidelines.

OMG, the bug has lasted 10 years and is still not solved!!!

My Thunderbird is 60.9.0 (64-bit) ESR. My Authorization center is not in the list of Certification Authorities and I can't import the certificate to check "This certificate can identify web sites" and "This certificate can identify mail users" because of the nature of the security card. The certificate file cannot be separated from the card by security guidelines.

The bug still exists. Need a bug fix.

Ubuntu 18.04

Still applies: TB 68.8.1 on MacOS 10.15. Certificates have not been working for me on TB for as long as I remember. The workarounds proposed here do not work. I assume this is a WONTFIX, but I report it anyway.

Functionality can be achieved with the Enigmail add-on. I appreciated it being built into TB in the old days.

Same problem with 68.12.0 (64-bit) :(

Can't sign messages.

[solved] In my case I deleted the personal ('Your Certificates') .p12 file and the .crt (authorities) file. Re-installed the .crt (authorities) and THEN the .p12 ('Your Certificates') file and everything seems fine.

In my first (failed) attempt, I first installed the .p12 file and then the .crt file.

@korman
Thanks, that helped me. Now it's working.

Blocks: 74157
See Also: → 1481969
No longer blocks: 74157
Severity: normal → S3
Attached image SMIME Issue Overview

Linux Thunderbird 115.2.0 (64-bit), thunderbird-flatpak - 1.0

Certificate for signing is different from certificate for encryption.

a) certificate for SMIME signing is found and working

b) certificate for SMIME encryption is still not found for recipients for unknown reason

  1. I deleted the certificate of authority and people once.
  2. I added authority certificate again and trusted authority for emails.
  3. I added the recipient certificate again.
    => I am still not able to encrypt the email with SMIME for the recipient.
  4. I checked the End-To-End Encryption Section in account settings.
  5. I found the people/recipient certificate in the SMIME Certificat Manager.
  6. I observed that the "View Certificates Of Recipients" dialog is still not able to find the certificate.
  7. I didn't find a way to check if the recipient certificate is trusted, but I am wondering why the status is "not found".

Another open source application which is able to handle SMIME encryption is the FairEmail Android App. ;-)
May have a look at: https://github.com/M66B/FairEmail/releases

Fixed it on my computer.

For unknown reasons, Thunderbird seems to be missing the Intermediate Certificates from Sectigo.

There may be others, but this seems to be the general problem:

  • Both your individual S/MIME certificate and the authority chain that signed it need to be trusted before you can use it. Otherwise, you get the error: "Sending of message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."
  • One person seems to suggest that it is important to import the p7b/crt file before the p12 file, which I also did, but wasn't sufficient to fix the problem on its own in my case. Nonetheless, this seems to be the best way to import the certificates, and perhaps Thunderbird should default to this method (i.e. two open file prompts in that order rather than just letting the user import them in whatever order).
  • If the Intermediate Certificate Authority that issued your personal S/MIME (e.g. Sectigo) is missing from your trust, you need to import and trust it.

The Sectigo Intermediate S/MIME certificates needed are as follows:

Secure Email:
  • Sectigo RSA Client Authentication and Secure Email CA

Root Certificates:
  • SHA-2 Root: USERTrust RSA Certification Authority
  • AAA Certificate Services
  • USERTrustRSAAAACA (Cross Sign)

These can be found on the bottom of the following page:
https://www.sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates/kA01N000000rfBO

All of these should be added and trusted in Thunderbird for Sectigo S/MIME certificates to work.

Ideally, the Intermediate Certificates for Sectigo (and any other missing major Intermediate or Root CA's) should be added to Thunderbird's default certificate store for the next releases (including ESR).

However, you can do this manually (in Supernova Thunderbird) while waiting for the bug to be fixed, as follows:

  1. Go to Account Settings > End-to-End Encryption
  2. Under the S/MIME section, click on the Manage S/MIME Certificates button
  3. Click on Authorities, then click the Import button and import the Certificates
  4. Be sure to check that you trust them for e-mail.

After this, you should be able to use Sectigo (or any other added Intermediate CA) certificates for S/MIME in Thunderbird.

If anyone else is experiencing this problem with a different Certificate Authority (CA), please write which one, as it would likely be helpful for the Thunderbird development team to have a list if there are other major CA's missing from the default store.
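The two failure modes the comment above describes (an intermediate CA missing from the store, or present but not trusted for e-mail), as an added example that is not part of the comment or of Thunderbird/NSS code: a plain-Python model of issuer-chain building with a trust anchor, run over constructed certificate records that borrow the CA names listed above.

```python
"""Issuer-chain lookup behind the 'signing certificate not found' error.

Added example, not Thunderbird or NSS code. It models the situation in the
comment above: a personal S/MIME cert issued by a Sectigo intermediate that
is either absent from the store or present but not trusted for e-mail.
CA names are taken from the comment; the records themselves are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str
    is_ca: bool = False
    email_ca_trust: bool = False   # "This certificate can identify mail users."

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(store, leaf, max_depth=8) -> Optional[List[CertRecord]]:
    """Follow issuer links from the leaf until a self-signed root or a CA
    that is itself a trust anchor. None means an issuer is missing."""
    by_subject = {c.subject: c for c in store}
    chain, cur = [leaf], leaf
    while not (cur.self_signed or cur.email_ca_trust):
        nxt = by_subject.get(cur.issuer)
        if nxt is None or not nxt.is_ca or len(chain) >= max_depth:
            return None
        chain.append(nxt)
        cur = nxt
    return chain


def smime_status(store, leaf) -> str:
    """Distinguish the incomplete-chain case from the untrusted-chain case."""
    chain = build_chain(store, leaf)
    if chain is None:
        return "not found: issuer chain incomplete"
    if not any(c.email_ca_trust for c in chain[1:]):
        return "not found: no CA in chain trusted for e-mail"
    return "ok"


# Constructed records named after the CAs listed above.
ROOT_NAME = "USERTrust RSA Certification Authority"
INTER_NAME = "Sectigo RSA Client Authentication and Secure Email CA"
ROOT_UNTRUSTED = CertRecord(ROOT_NAME, ROOT_NAME, is_ca=True)
ROOT_TRUSTED = CertRecord(ROOT_NAME, ROOT_NAME, is_ca=True, email_ca_trust=True)
INTER_UNTRUSTED = CertRecord(INTER_NAME, ROOT_NAME, is_ca=True)
INTER_TRUSTED = CertRecord(INTER_NAME, ROOT_NAME, is_ca=True, email_ca_trust=True)
PERSONAL = CertRecord("user@example.com", INTER_NAME)   # the imported .p12

SCENARIOS = {
    "intermediate missing": [ROOT_TRUSTED, PERSONAL],
    "chain present, nothing trusted": [ROOT_UNTRUSTED, INTER_UNTRUSTED, PERSONAL],
    "intermediate imported and trusted": [INTER_TRUSTED, PERSONAL],
}


def run_scenarios() -> dict:
    return {name: smime_status(store, PERSONAL) for name, store in SCENARIOS.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```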
