Thunderbird not updating certificate, keeps using old one and saying it's expired


I have an email server where I have Let's Encrypt SSL certs, expiring every 3 months, and certbot automatically renews them. If I access the server through a website in the browser, the correct and newest SSL certificate is used, but Thunderbird complains that the SSL certificate is not valid, in that it has expired.

The complaint is displayed through a dialog window, and if I click to view the certificate through this window, it shows an old certificate that has indeed expired. However, if I click the button "Get certificate", that button itself grays out, but nothing else happens. I tried right-clicking the name of the e-mail address (account) in Thunderbird, going to Settings -> Security and deleting all the certificates for the domain, but somehow it still has the old certificate stored.

My setup is dovecot + postfix.

Any ideas?

simernes

Posted 2019-10-21T06:09:53.713


Answers


Thunderbird does not access the mail using the same server as the browser does. The browser accesses a web server using HTTP/HTTPS, while Thunderbird accesses a mail server using the IMAP/IMAPS or POP3/POP3S protocol for receiving mail and the SMTP protocol for sending. These are separate servers with separate configuration, which means that they need to be configured to use the appropriate certificates in the first place and that they must also be restarted when the certificates get renewed.

While it is impossible to say what your specific setup includes (EDIT: after an edit of the question it became clear that it is the setup I've described), a common setup is to use dovecot for receiving mail and postfix for sending. So you might try to look at this software and its configuration on your (unknown) system and make sure that these get updated and restarted whenever the certificates change.

Steffen Ullrich

Posted 2019-10-21T06:09:53.713


Thanks sir for the thoughts, I've now verified that both of these services indeed point to the same SSL files as the one for my HTTPS website, which are links pointing into /etc/letsencrypt/archive, and then pointing to the renewed certificate files from a few days ago. I restarted the services for both and now Thunderbird sees a new certificate, with the new dates, but TB still won't accept it, saying that the cert is invalid! Is it possible the default certbot renew is too barebones to be accepted for mail? – simernes – 2019-10-21T19:08:26.863

@simernes: Thunderbird usually provides details of why it thinks the certificate is invalid. Typical problems if you reuse the same certificate for web and mail are that you might use different hostnames, i.e. www.example.com vs. mail.example.com. And if the certificate is only valid for the first, it will fail when used for mail. – Steffen Ullrich – 2019-10-21T19:27:15.193

Thunderbird is telling me that the error stems from "Wrong site: The certificate belongs to a different site, which could mean that someone is trying to impersonate the site". Could that be because I have several domains on the same certificate? – simernes – 2019-10-23T19:15:20.027

@simernes: That's exactly what I'm saying. You have a certificate which fits the name of your web server (i.e. www.example.com) but not your mail server (i.e. mail.example.com). – Steffen Ullrich – 2019-10-23T19:51:24.057
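The two failure modes in this thread (daemons not reloaded after renewal, then a certificate whose names do not include the mail host) can both be caught from the shell. The script below is an added example, not code from the thread or from certbot, Dovecot or Postfix; the host name mail.example.com, the systemd unit names dovecot and postfix, and the hook path under /etc/letsencrypt/renewal-hooks/deploy/ are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the projects it mentions.
# Assumptions (hypothetical): mail host mail.example.com, systemd units
# "dovecot" and "postfix", certbot hooks in /etc/letsencrypt/renewal-hooks/deploy/.

# Does a subjectAltName list (as printed by `openssl x509 -text`, e.g.
# "DNS:www.example.com, DNS:example.com") cover HOST? Exact match, or a
# "*.example.com" wildcard covering exactly one left-most label (RFC 6125).
# Pure shell + awk so it can be exercised without a live server.
san_covers_host() {   # san_covers_host SAN_LIST HOST
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    parent=${host#*.}                          # mail.example.com -> example.com
    names=$(printf '%s\n' "$1" | tr ',' '\n' |
        awk '{ gsub(/[[:space:]]/, "")
               if (tolower(substr($0, 1, 4)) == "dns:") print tolower(substr($0, 5)) }')
    while IFS= read -r n; do
        case $n in
            "$host") return 0 ;;                                   # exact SAN entry
            \*.*)  if [ "${n#\*.}" = "$parent" ] && [ "$parent" != "$host" ]; then
                       return 0                                    # one-label wildcard
                   fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# What the running daemon actually presents, with SNI set as Thunderbird sets it.
# Implicit TLS on 993/465; STARTTLS (imap, smtp) on 143/587.
served_sans() {   # served_sans HOST PORT [starttls-protocol]
    if [ -n "${3:-}" ]; then st="-starttls $3"; else st=""; fi
    openssl s_client -connect "$1:$2" -servername "$1" $st </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; print; exit }'
}

# Check every port Thunderbird may use. An empty result usually means the port
# is closed or the daemon still serves the old files; MISMATCH is the
# "Wrong site" dialog from the thread.
check_mail_cert() {   # check_mail_cert HOST
    rc=0
    for spec in 993: 143:imap 465: 587:smtp; do
        port=${spec%%:*}; proto=${spec#*:}
        sans=$(served_sans "$1" "$port" "$proto")
        if [ -z "$sans" ]; then
            echo "$1:$port  no certificate fetched (port closed, or daemon not reloaded?)"; rc=1
        elif san_covers_host "$sans" "$1"; then
            echo "$1:$port  OK:$sans"
        else
            echo "$1:$port  MISMATCH, certificate is for:$sans"; rc=1
        fi
    done
    return $rc
}

# Deploy hook. certbot runs every executable in the deploy hook directory after
# a successful renewal and exports RENEWED_LINEAGE / RENEWED_DOMAINS. Dovecot
# and Postfix read the PEM files only at start or reload, so without this step
# clients keep seeing the expired certificate even though the files on disk are new.
reload_mail_daemons() {
    echo "renewed ${RENEWED_DOMAINS:-?} (${RENEWED_LINEAGE:-?}); reloading mail daemons"
    systemctl reload dovecot    # ssl_cert / ssl_key in conf.d/10-ssl.conf
    systemctl reload postfix    # smtpd_tls_cert_file / smtpd_tls_key_file in main.cf
}

case "${1:-}" in
    check) check_mail_cert "${2:?usage: $0 check mail.example.com}" ;;
    hook)  reload_mail_daemons ;;
esac
```

Run `sh mail-cert.sh check mail.example.com` against the live daemons; save the same file as an executable under /etc/letsencrypt/renewal-hooks/deploy/ with `hook` as its argument (or wrap it via `certbot renew --deploy-hook`) so every future renewal reloads Dovecot and Postfix. A MISMATCH result means the renewal was fine but the certificate never contained the mail host name: reissue it with the mail name added (certbot's `-d mail.example.com` together with `--expand` on the existing certificate) rather than tweaking the mail daemons.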