Open Bug 531073 Opened 10 years ago Updated 9 days ago

S/MIME certificate could not be found although it is available

Categories

(MailNews Core :: Security: S/MIME, defect)

x86
Windows XP
defect
Not set

Tracking

(Not tracked)

People

(Reporter: webforen, Unassigned)

References

Details

(Whiteboard: [kerh-bra][psm-smime][psm-cert-manager])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Build Identifier: version 2.0.0.24pre (20091125) (and usually Version 2.0.0.23 (20090812))

When I want to write an E-Mail to user@example.com and encrypt it I get

"Unable to save your message as draft.
You specified encryption for this message, but the application failed to find an encryption certificate for user@example.com"

when sending or saving the message. When I go in "View Security Info" the status of recipient "user@example.com" is shown as "Not Found".

But this is indeed not true. The certificate with exactly the same address (E=user@example.com) is in the list "Other people's" and it is fully trusted as well as valid. Purpose is "Sign,Encrypt" and other certificates from the same CA seem to work with no problems. Also, the same IMAP account (with the same certificates but of course a different profile) works well on a different computer.

I tried to:
*) Delete the certificate and display a message with the signature in order to force a re-import ( a few times with different mails etc.)
*) Resend the message in order to force a "clean" re-import
*) Delete all entries in the address book from the specified user
*) As proposed use the latest nightly build
*) Searched the internet for keywords in German and English --> no results
*) Searched Bugzilla

And I also tried to create a new profile but unfortunately it works with a new profile. But I can't create a new profile because my profile contains all of my personal data.

Maybe there is also a way to reset the information concerning the certificate in the profile? I would try any suggestions; it seems to me that this is a bug in Thunderbird in general.

I would also provide you with more information but unfortunately until now I have no information on how to reproduce it *without* the complete profile.

Reproducible: Always
Do you have more than one identity for this account ? 

Anything in Tools -> Error console ?

Do you also have the issue in -safe-mode ?
Component: General → Security
QA Contact: general → thunderbird
Hi,

and thanks for the reply.

I tried safe mode and also error console, nothing happens.

What do you mean by "more than one identity"? I by myself have multiple identities and also certificates. But this seems not to be the problem because I can send encrypted mail to any other person except user@example.com.

For the user "user@example.com" there is only one single certificate and as described above I also tried deleting it and reimporting it (by viewing a signed certificate from that person).

In the meantime I tracked the error down to cert8.db: If I delete this file and reimport my personal certificates as well as the problematic for user@example.com it works.

But that also means that all of my other certificates are lost, also from other persons (my cert8.db is a few hundred KB). Until now I also did not find a way to export the certificates of other persons (and websites). I also tried with the pk12util but this seems to only be able to export personal certificates and not certificates from other persons. But with certtool -L all the certificates are listed and also no problem with cert8.db is reported.
(In reply to comment #2)

> What do you mean by "more than one identity"? I by myself have multiple
> identities and also certificates. But this seems not to be the problem because
> I can send encrypted mail to any other person except user@example.com.

For one account you can associate more than one email address and we call that identities
 
> For the user "user@example.com" there is only one single certificate and as
> described above I also tried deleting it and reimporting it (by viewing a
> signed certificate from that person).
> 
> In the meantime I tracked the error down to cert8.db: If I delete this file and
> reimport my personal certificates as well as the problematic for
> user@example.com it works.
> 
> But that also means that all of my other certificates are lost, also from other
> persons (my cert8.db is a few hundret KB). Until now I also did not find a way
> to export the certificates of other persons (and websites). I also tried with
> the pk12util but this seems to only be able to export personal certificates and
> not certificates from other persons. But with certtool -L all the certificates
> are listed and also no problem with cert8.db is reported.

So you have one email account and more than one email address associated with it, right ?
Hello,

Yes, that's true. I even have 2 IMAP Accounts, 3 NNTP Accounts and a Weblog Account, whereas the first IMAP Account has many identities.

Nevertheless I think I have found the bug and a way how to reproduce it :-)

As said before, I could not write encrypted mail to user@example.com although the Certificate (from "The USERTRUST Network" aka Comodo) was in the certificate store and valid.

Now I saw that there was another certificate from "Thawte Freemail". This certificate is expired and had a different mail address for the same user. But Thawte allowed to enter more than one mail address. And this certificate had also an entry for the address user@example.com.

Can you follow me?

So it seems to me that the problem can be reproduced that way:

*) Get a certificate for "John Doe" with E-Mail address "foobar@example.com". Assign a second value for the "E" field with user@example.com, i.e.: E=foobar@example.com,E=user@example.com. Let this certificate expire

*) Get a new certificate for "John Doe" (maybe from a different CA) with mail address user@example.com, i.e. E=user@example.com

Now try to write encrypted mail to user@example.com.
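The reproduction recipe above, modelled as added example code (not Thunderbird or NSS source): a lookup that stops at the first certificate naming the address reports "Not Found" because that first hit is the expired Thawte certificate with two addresses, while a lookup that examines every candidate finds the valid USERTRUST certificate. Certificate nicknames, dates and key usages are constructed sample data, and `explain()` gives the per-certificate reason the compose window never shows.

```python
"""Model of recipient-certificate lookup for S/MIME encryption.

Added example; it is not Thunderbird or NSS code. It reproduces the failure
mode from the recipe above: an expired certificate carrying two e-mail
addresses is the first hit for user@example.com, a lookup that stops at the
first hit reports "Not Found", while a lookup that examines every candidate
picks the valid USERTRUST certificate. Certificate names, dates and key
usages below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Cert:
    nickname: str
    emails: List[str]        # every E= / rfc822Name value in the certificate
    not_before: datetime
    not_after: datetime
    key_usage: Set[str]
    trusted: bool            # chains to a CA trusted to identify mail users

    def matches(self, email: str) -> bool:
        return email.lower() in (e.lower() for e in self.emails)

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after

    def can_encrypt(self) -> bool:
        # RSA key transport needs keyEncipherment; ECDH needs keyAgreement.
        return bool(self.key_usage & {"keyEncipherment", "keyAgreement"})

    def usable(self, now: datetime) -> bool:
        return self.valid_at(now) and self.trusted and self.can_encrypt()


def lookup_first_match(store: List[Cert], email: str, now: datetime) -> Optional[Cert]:
    """Lookup that stops at the first certificate naming the address."""
    for cert in store:
        if cert.matches(email):
            return cert if cert.usable(now) else None   # "Not Found" if it is expired
    return None


def lookup_best_valid(store: List[Cert], email: str, now: datetime) -> Optional[Cert]:
    """Lookup that examines all candidates and prefers the one expiring last."""
    candidates = [c for c in store if c.matches(email) and c.usable(now)]
    return max(candidates, key=lambda c: c.not_after) if candidates else None


def explain(store: List[Cert], email: str, now: datetime) -> Dict[str, List[str]]:
    """Per-certificate rejection reasons, since the UI only says "Not Found"."""
    report: Dict[str, List[str]] = {}
    for c in store:
        if not c.matches(email):
            continue
        reasons = []
        if not c.valid_at(now):
            reasons.append("expired or not yet valid")
        if not c.trusted:
            reasons.append("issuer not trusted for mail users")
        if not c.can_encrypt():
            reasons.append("no keyEncipherment/keyAgreement key usage")
        report[c.nickname] = reasons or ["usable"]
    return report


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def build_store() -> List[Cert]:
    """Constructed store following the recipe: old multi-address cert first, new cert second."""
    old = Cert("John Doe - Thawte Freemail", ["foobar@example.com", "user@example.com"],
               utc(2007, 1, 1), utc(2008, 1, 1), {"digitalSignature", "keyEncipherment"}, True)
    new = Cert("John Doe - USERTRUST", ["user@example.com"],
               utc(2009, 6, 1), utc(2010, 6, 1), {"digitalSignature", "keyEncipherment"}, True)
    return [old, new]


NOW = utc(2009, 12, 1)

if __name__ == "__main__":
    store = build_store()
    print("first-match:", lookup_first_match(store, "user@example.com", NOW))
    print("best-valid: ", lookup_best_valid(store, "user@example.com", NOW).nickname)
    print(explain(store, "user@example.com", NOW))
```

Reversing the store order makes the first-match lookup succeed, which is why the workarounds later in this thread (delete every certificate for the correspondent, then re-import only the newest one) work: they remove the expired entry that shadows the valid one rather than fixing the selection.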
So now you can send signed emails ?
I could also send *signed* mail but not *encrypted*.

Yes, now I can send *encrypted* mail to user@example.com but after deleting the other certificate from the certificate store.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Thunderbird → Core
QA Contact: thunderbird → psm
I do have the same issue with Thunderbird 3 betas as well as the current final release of Thunderbird 3. When I try to send a S/MIME encrypted e-mail to myself it's not able to find any cert. Platform is Mac OS X.

In the cert store the cert is listed, not as person but under "my certs". Did not find any workaround or solution.
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Whiteboard: [psm-smime]
I experienced the same problem and applied a workaround from StartSSL user forum (see last post in this thread : https://forum.startcom.org/viewtopic.php?f=15&t=1656&st=0&sk=t&sd=a&start=15 )

Here's my setup:
. Thunderbird 3.1.5 on Mac OS 10.6.4 for user A
. Thunderbird 3.1.6 on Windows XP SP3 for user B

A has a valid personal certificate from StartSSL for signature and encryption, and several public certificates from B (1 valid by StartSSL, and several expired by StartSSl and Thawte).

B is the same situation (1 valid personal certificate from StartSSL for signature and encryption, and several public certificates from A (1 valid by StartSSL, and several expired by StartSSl and Thawte).

Signed mail from A to B and B to A is valid (TB shows the signatures as valid, and imports the certs into its database).

When A tries to send encrypted mail to B, Thunderbird blocks with a "no valid certificate found" error. Same when B tries to send encrypted mail to A.

The workaround is to delete all certificates from your correspondent and then reimport the last one from a signed e-mail. This worked in both cases (A and B).

I hope this helps, and that someone can fix it.
Paul-Henri
I experienced a similar problem today, involving multiple accounts that have multiple certificates. I was unable to send an encrypted message to myself, either from account 1 to account1, account 1 to account 2, etc...

I "fixed" the problem by doing the following:

1. backed up all of my personal certificates in one .pk12 file (the two new ones plus a number of old certificates for these and other accounts)
2. backed up the newest certificate for first account in second .pk12 file
3. backed up the newest certificate for second account in third .pk12 file
4. deleted all personal certificates, exited and restarted Thunderbird.
5. imported second and third pk12 file
6. successfully sent encrypted email from each account to itself and other account
7. imported all the certificates in the first pk12 file
8. At this point everything worked properly, even after exiting and restarting.

Hope this helps someone who needs a work around. Unfortunately, I don't know how to create the problem from scratch, so it may not be helpful for debuggers.
Same problem experienced in both Thunderbird 3.1.6 and Firefox 3.6.12 after adding 2 new personal certs to 3 already expired existing certs.

I can confirm that the above workaround from tlauck "corrected" the problem for me in both FF and TB, without restarting after step 4, nor sending mails in step 6.

So my workaround was as follows:
1. Backup All
2. Backup only new 1
3. Backup only new 2
4. Delete all personal certs
5. Import new 1
6. Import new 2
7. Import all
Duplicate of this bug: 614109
Duplicate of this bug: 613279
I had a slightly different issue (Bug 614109) that dealt only with signing my mail, rather than encrypting.  The workaround didn't work for me the first time - I had to add new steps - step 7 in this flow:

1. Backup All
2. Backup only new 1
3. Backup only new 2
4. Delete all personal certs
5. Import new 1
6. Import new 2
7. NEW - go to Tools->Account Settings->Security of the account(s) that is giving issues and  "Clear" the selected certificate even if it's using the right one.
8. NEW - on that same screen, "Select" the certificate 
9. Import all

Thanks to all for pointing out the workaround!
This bug is still present in Thunderbird 3.1.7 (Win7).

Existing expired public keys are still blocking the use of new valid public keys when encrypting an email.
Manually purging the certificates of other people in the certificate window of thunderbird with hundreds of entries is... troublesome.
I have removed my own certificate. But you have to create an account and send an encrypted mail to dr.juergen.winter@online.de and the bug is reproducible.
(In reply to comment #15)
> This bug is still present in Thunderbird 3.1.7 (Win7).
> 
> Existing expired public keys are still blocking the use of new valid public
> keys when encrypting an email.
> Manually purging the certificats of other people in the certificate window of
> thunderbird with hundrets of entries is... troublesome.

I think this bug is independent from os version. My sample profile I have uploaded has only three certificates for only one email address and the bug is present. I cannot send an encrypted mail to this address although the certificate is valid. Can anyone confirm this bug?
Duplicate of this bug: 531066
Changing to NEW as this seems to affect SeaMonkey as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 332867
Whiteboard: [psm-smime] → [kerh-bra][psm-smime][psm-cert-manager]
Duplicate of this bug: 544960
Duplicate of this bug: 619039
Is this a duplicate of bug 596221 ?
We recently added a fix to the Mozilla Aurora branch.
If there are nightly Thunderbird builds based on the aurora branch, could you try if this is fixed for you?
I have the same problem...
Bug still seems to be around... 

Mac OSX 10.9.5
Thunderbird: 31.1.2
With Earlybird (34.0a2) on Mac OSX 10.9.5 I am able to send encrypted S/MIME e-mails, but the certs still don't show up in the certificate store.
Same problem here with the version of Thunderbird from CentOS 7.


31.4.0
Component: Security: PSM → Security: S/MIME
Product: Core → MailNews Core
Same problem, using Thunderbird 45.2.0 on a Mac (OSX 10.8.5).  Also using Thunderbird 45.0.0 / 45.2.0 on Windows 7 Pro 64-bit.

All the certificates work OK with Apple Mail.

But despite certificates being installed correctly in Thunderbird, as they are supposed to be, under Authorities and under Your Certificates, *none* are found by Thunderbird when sending and trying to encrypt:

Security Info > Certificates > Recipient (recipient's e-mail address) > Status ("Not Found")
(In reply to Mike from comment #29)

And, the same problem exists in Mozilla SeaMonkey 2.40.
Today I faced the following error message using Thunderbird 60.0 on two computers with Windows 10 Pro 64-bit and Windows 10 Home Single Language 64-bit:

"Sending of message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

Using Thunderbird 52.4.0 on those same computers I was able to send digitally signed e-mail messages.

The Bug 614109 linked me here.
Can confirm. Getting the same message with Thunderbird on Ubuntu 18.04 when trying to even sign a message with S/MIME certificate:

"Sending of message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

Earlier versions worked fine.
(In reply to vinyanalista from comment #31)
> Today I faced the following error message using Thunderbird 60.0 on two
> computers with Windows 10 Pro 64-bit and Windows 10 Home Single Language
> 64-bit:
> 
> "Sending of message failed.
> You specified that this message should be digitally signed, but the
> application either failed to find the signing certificate specified in your
> Mail & Newsgroup Account Settings, or the certificate has expired."

Today I got the same error message using Thunderbird 60.2.1 on a computer with openSUSE Leap 15.0 64-bit.

I made a screenshot:

http://paste.opensuse.org/30679294

> Using Thunderbird 52.4.0 on those same computers I was able to send
> digitally signed e-mail messages.

I realized that Thunderbird 52.9.1 was available on the openSUSE Leap 15.0 OSS Update repo, so I downgraded it. Then, I was able to send a digitally signed e-mail.
Related thread: https://support.mozilla.org/en-US/questions/1238056#answer-1166442

The problem went away when I replaced my self-signed certificates with free ones from Comodo (but they expire in 12 months :( ).

https://www.comodo.com/home/email-security/free-email-certificate.php

In the message compose window go Security->View Security Info and see what it thinks of your cert.

(In reply to vinyanalista from comment #31)

> "Sending of message failed.
> You specified that this message should be digitally signed, but the
> application either failed to find the signing certificate specified in your
> Mail & Newsgroup Account Settings, or the certificate has expired."

Today I got the same error message using Thunderbird 60.6.1 on a computer with openSUSE Leap 15.1 64-bit.

But I got it SOLVED.

Googling, I found this page:

https://maian.org/blog/2011/05/thunderbird-and-smime-certificates-fixing-unable-to-sign-message-error/

It suggests verifying the CA trusts:

  1. Go to Preferences > Advanced > Certificates > Manage Certificates > Authorities
  2. Select your CA certificate (in case it is not in the list, import it)
  3. Click Edit Trust
  4. Check all the available options (for me: "This certificate can identify web sites." and "This certificate can identify mail users.")
  5. OK, OK, Close

After doing that, I was able to send a digitally signed message.
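Two practical gaps in this thread can be closed with `certutil`, the NSS command-line tool: comment 2 could not export other people's certificates (pk12util only exports entries that have a private key), and the comment above has to inspect CA trust by clicking through the Certificate Manager. The following is added example code, not Thunderbird or NSS code: it parses the text that `certutil -L -d sql:<profile>` prints, classifies each entry from its trust flags, reports CA entries without the "C" S/MIME trust (the "can identify mail users" checkbox under Edit Trust), and builds per-entry export commands. The listing, the nicknames and the profile path are constructed sample data.

```python
"""Audit a Thunderbird/NSS certificate store from the output of certutil -L.

Added example, not Thunderbird or NSS code. It parses the listing that
`certutil -L -d sql:<profile>` prints, classifies each entry from its trust
flags, reports CA entries that are not trusted to identify mail users (no
"C" in the S/MIME column, the checkbox set under Edit Trust in the comment
above) and builds the command lines that export entries one at a time,
including other people's certificates, which pk12util will not export. The
listing, the nicknames and the profile path are constructed sample data.
"""
import re
from typing import Dict, List

# Trust attributes are three comma-separated columns (SSL, S/MIME, JAR/XPI),
# each made of certutil's trust letters: p P c C T u w.
TRUST_RE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")

SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

StartCom Certification Authority                             CT,C,C
Thawte Personal Freemail CA                                  C,,
John Doe - USERTRUST                                         ,P,
John Doe - Thawte Freemail                                   ,,
My StartSSL ID                                               u,u,u
"""


def parse_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust string; nicknames may contain spaces, so split from the right."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            entries[parts[0].strip()] = parts[1]
    return entries


def classify(trust: str) -> str:
    """own: private key present; ca: trusted issuer; peer: explicitly trusted end entity;
    chain: no explicit flags, validated only through its issuer (most imported S/MIME certs)."""
    m = TRUST_RE.match(trust)
    if not m:
        raise ValueError(f"not a certutil trust string: {trust!r}")
    flags = "".join(m.groups())
    if "u" in flags:
        return "own"
    if "C" in flags or "T" in flags:
        return "ca"
    if "P" in flags:
        return "peer"
    return "chain"


def audit(entries: Dict[str, str]) -> Dict[str, str]:
    """CA entries whose S/MIME column lacks C cannot vouch for anybody's mail certificate."""
    findings: Dict[str, str] = {}
    for nick, trust in entries.items():
        smime = TRUST_RE.match(trust).group(2)
        if classify(trust) == "ca" and "C" not in smime:
            findings[nick] = f"CA not trusted to identify mail users (S/MIME column {smime!r})"
    return findings


def export_commands(db: str, entries: Dict[str, str]) -> Dict[str, List[str]]:
    """argv per entry: pk12util for your own certs (key included), certutil PEM dump for the rest."""
    cmds: Dict[str, List[str]] = {}
    for nick, trust in entries.items():
        safe = re.sub(r"[^A-Za-z0-9._-]+", "_", nick)
        if classify(trust) == "own":
            cmds[nick] = ["pk12util", "-d", db, "-n", nick, "-o", f"{safe}.p12"]
        else:
            cmds[nick] = ["certutil", "-d", db, "-L", "-n", nick, "-a"]   # PEM on stdout
    return cmds


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for nick, trust in entries.items():
        print(f"{classify(trust):5} {trust:10} {nick}")
    print(audit(entries))
    for argv in export_commands("sql:/home/user/.thunderbird/abc123.default", entries).values():
        print(" ".join(argv))
```

`certutil -L -n <nick> -a` writes the PEM to standard output, so redirect it to a file per entry; for the legacy cert8.db profiles in the older comments use `-d dbm:<profile>` (or the bare directory) instead of `sql:`. The listing does not show validity dates, so to find the expired entries that shadow a newer certificate run `certutil -L -d <db> -n <nick>` without `-a`, which prints the certificate details including its Validity period.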

(In reply to vinyanalista from comment #35)

> Today I got the same error message using Thunderbird 60.6.1 on a computer with openSUSE Leap 15.1 64-bit.
> 
> But I got it SOLVED.

Not so fast...

Today the same message appeared, even though yesterday I sent some digitally signed messages.

Then I went to Preferences > Advanced > Certificates > Manage Certificates and Thunderbird asked me my token PIN password.

Everything was in place, I closed the Preferences dialog.

Back to the message, this time I was able to send it. Thunderbird did not ask my token PIN password again.

I remember that Thunderbird 52.9.1 used to ask the PIN password right after clicking Send in the message window.

Comment 36 might be about bug 1519093.

(In reply to vinyanalista from comment #35)

> (In reply to vinyanalista from comment #31)
> 
> > "Sending of message failed.
> > You specified that this message should be digitally signed, but the
> > application either failed to find the signing certificate specified in your
> > Mail & Newsgroup Account Settings, or the certificate has expired."
> 
> Today I got the same error message using Thunderbird 60.6.1 on a computer with openSUSE Leap 15.1 64-bit.
> 
> But I got it SOLVED.
> 
> Googling, I found this page:
> 
> https://maian.org/blog/2011/05/thunderbird-and-smime-certificates-fixing-unable-to-sign-message-error/
> 
> It suggests verifying the CA trusts:
> 
>   1. Go to Preferences > Advanced > Certificates > Manage Certificates > Authorities
>   2. Select your CA certificate (in case it is not in the list, import it)
>   3. Click Edit Trust
>   4. Check all the available options (for me: "This certificate can identify web sites." and "This certificate can identify mail users.")
>   5. OK, OK, Close
> 
> After doing that, I was able to send a digitally signed message.

"2. Select your CA certificate (in case it is not in the list, import it)" - Dear friend, you should know that for modern security requirements the certificate has to be stored on removable storage (usb, smartcard or whatever) and CANNOT be imported as a file!

So, your solution DOES NOT work for good security guidelines.

OMG, the bug has lasted 10 years and is still not solved!!!

My Thunderbird is 60.9.0 (64-bit) ESR. My Authorization center is not in the list of Certification Authorities and I can't import the certificate to check "This certificate can identify web sites" and "This certificate can identify mail users" because of the nature of the security card. The certificate file cannot be separated from the card by security guidelines.

The bug still exists. Need a bug fix.

Ubuntu 18.04
