Thunderbird not finding certificate

My domain is: mail.wpturbo.uk

I ran this command: Mozilla Thunderbird Get Messages

It produced this output: Thunderbird can send but not receive email on ports 993 or 995 with STARTTLS, and SSL/TLS opens the Security Exception popup and 'Get Certificate' returns 'Unknown Identity'.

My web server is (include version): OpenLiteSpeed 1.7.5

The operating system my web server runs on is (include version): Ubuntu 18.04.3

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
CyberPanel 2.3.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme latest version

The certificate for the subdomain seems to work OK via HTTPS, and I've followed these instructions for dovecot/postfix to try to resolve it.

Your IMAP server is sending a self-signed certificate. You need to install the Let's Encrypt certificate for it to be used.

❯ openssl s_client -connect mail.wpturbo.uk:993 </dev/null
CONNECTED(00000003)
depth=0 C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
verify return:1
---
Certificate chain
 0 s:C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
   i:C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 11 16:08:04 2022 GMT; NotAfter: May  8 16:08:04 2032 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
issuer=C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1485 bytes and written 401 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
DONE
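
Added example (not code from any poster in this thread): a small shell helper that reads an `openssl s_client` transcript like the one above and reduces it to a verify status plus the number of certificates the server actually sent. The first sample is the thread's own port-993 output, trimmed; the verified and incomplete-chain transcripts are constructed for illustration, and the `-starttls` usage lines assume the standard port assignments.

```shell
#!/bin/sh
# Added example, not code from the thread: turn an `openssl s_client` transcript
# into a one-line diagnosis, so self-signed, incomplete-chain and verified
# servers are told apart by the verify return code and the number of certs sent.
#
# Live use on implicit-TLS ports (993 IMAPS, 995 POP3S, 465 SMTPS):
#   openssl s_client -connect mail.wpturbo.uk:993 </dev/null 2>/dev/null | tls_diagnose
# STARTTLS ports need the protocol named (assumed standard ports):
#   openssl s_client -connect mail.wpturbo.uk:587 -starttls smtp </dev/null 2>/dev/null | tls_diagnose
#   openssl s_client -connect mail.wpturbo.uk:143 -starttls imap </dev/null 2>/dev/null | tls_diagnose
set -eu

# Read a transcript on stdin; print "<STATUS> certs_sent=<n>".
tls_diagnose() {
    transcript=$(cat)
    # "Verify return code: 18 (self-signed certificate)" -> 18
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    # Chain entries are printed as " 0 s:<subject>", " 1 s:<subject>", ...
    sent=$(printf '%s\n' "$transcript" | grep -c '^ *[0-9][0-9]* s:' || true)
    case "${code:-}" in
        0)     status=VERIFIED ;;          # chain built to a trusted root
        18)    status=SELF_SIGNED ;;       # leaf signed by itself (the thread's case)
        19)    status=UNTRUSTED_ROOT ;;    # chain complete, but its root is not trusted
        20|21) status=INCOMPLETE_CHAIN ;;  # intermediate missing: cert.pem served, not fullchain.pem
        '')    status=NO_TLS ;;            # no handshake result in the transcript
        *)     status="UNKNOWN_$code" ;;
    esac
    printf '%s certs_sent=%s\n' "$status" "${sent:-0}"
}

# Sample 1: the thread's own port-993 transcript, trimmed to the lines that matter.
SELF_SIGNED_SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
verify error:num=18:self-signed certificate
---
Certificate chain
 0 s:C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
   i:C = US, ST = Denial, L = Springfield, O = Dis, CN = mail.wpturbo.uk
---
Verify return code: 18 (self-signed certificate)
EOF
)

# Sample 2 (constructed): fullchain.pem installed, leaf + intermediate sent, verifies.
VERIFIED_SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.wpturbo.uk
verify return:1
---
Certificate chain
 0 s:CN = mail.wpturbo.uk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Verify return code: 0 (ok)
EOF
)

# Sample 3 (constructed): cert.pem used instead of fullchain.pem, so only the
# leaf is sent and the client cannot find the R3 intermediate.
INCOMPLETE_SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = mail.wpturbo.uk
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = mail.wpturbo.uk
   i:C = US, O = Let's Encrypt, CN = R3
---
Verify return code: 21 (unable to verify the first certificate)
EOF
)

printf 'port 993 (thread): '; printf '%s\n' "$SELF_SIGNED_SAMPLE" | tls_diagnose
printf 'fullchain.pem:     '; printf '%s\n' "$VERIFIED_SAMPLE" | tls_diagnose
printf 'cert.pem only:     '; printf '%s\n' "$INCOMPLETE_SAMPLE" | tls_diagnose
```

The distinction that matters for this thread is 18 versus 20/21: code 18 means the daemon is still loading its default self-signed certificate (the Let's Encrypt files are not being read at all), while 20 or 21 means the Let's Encrypt leaf is loaded but the bundle handed to the daemon lacks the intermediate, which is what SSL Labs later flags as an incomplete chain.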

@9peppe thanks for the test results. The browser says the HTTPS cert is verified by Let's Encrypt, but I suppose the config for TCP can be different? I suspect there's a DNS issue somewhere.

No, it doesn't: https://mail.wpturbo.uk/

$ openssl s_client -connect mail.wpturbo.uk:https -brief </dev/null 
depth=0 C = US, ST = Denial, L = Springfield, O = Dis, CN = www.example.com
verify error:num=18:self-signed certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: C = US, ST = Denial, L = Springfield, O = Dis, CN = www.example.com
Hash used: SHA256
Signature type: RSA-PSS
Verification error: self-signed certificate
Server Temp Key: X25519, 253 bits
DONE

It's self-signed as well (a different certificate).

For Dovecot, you have to tell it where your Let's Encrypt certificate is.

Name:    mail.wpturbo.uk
Address: 161.35.33.120

Name:    wpturbo.uk
Address: 161.35.33.120

[FAILS] openssl s_client -connect mail.wpturbo.uk:443
[WORKS] openssl s_client -connect wpturbo.uk:443

I ran the following command to re-issue:

/root/.acme.sh/acme.sh --issue -d mail.wpturbo.uk -d www.mail.wpturbo.uk --cert-file /etc/letsencrypt/live/mail.wpturbo.uk/cert.pem --key-file /etc/letsencrypt/live/mail.wpturbo.uk/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.wpturbo.uk/fullchain.pem -w /home/mail.wpturbo.uk/public_html --force --debug

And within the response is the following error:

mail.wpturbo.uk:Verify error:161.35.33.120: Invalid response from http://mail.wpturbo.uk/.well-known/acme-challenge/7n8gZoeKUhkJheUvydnxW7-TDqUQ3w2F5m2KfDmAamw: 404

The path /home/mail.wpturbo.uk/public_html/.well-known/acme-challenge/7n8gZoeKUhkJheUvydnxW7-TDqUQ3w2F5m2KfDmAamw existed but the url was loading from
/home/wpturbo.uk/public_html/mail.wpturbo.uk/.

Once I changed the path and re-issued, there was then a DNS error for www.mail.wpturbo.uk; it looks like it wants an A and an AAAA record for the www.mail.wpturbo.uk subdomain.

Name:    mail.wpturbo.uk
Address: 161.35.33.120

Name:    www.mail.wpturbo.uk
*** 8.8.8.8 can't find www.mail.wpturbo.uk: Non-existent domain

Don't include it in:

@rg305 thank you for your valued help! My mistake in including www in the issue command is obvious when you point it out :roll_eyes:

Updated command:

/root/.acme.sh/acme.sh --issue -d mail.wpturbo.uk --cert-file /etc/letsencrypt/live/mail.wpturbo.uk/cert.pem --key-file /etc/letsencrypt/live/mail.wpturbo.uk/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.wpturbo.uk/fullchain.pem -w /home/wpturbo.uk/public_html/mail.wpturbo.uk --force --debug

The issuance now indicates success, but this tool says it's still self-signed, and openssl says self-signed too!

Ok, since you insist on using acme.sh.

# This issues the certificate: 
acme.sh --issue \
    -d mail.wpturbo.uk \
    -w /home/wpturbo.uk/public_html/mail.wpturbo.uk \
    --debug

# This installs it:
acme.sh --install-cert \
    -d mail.wpturbo.uk \
    --cert-file /path/to/some/dir/cert.pem \
    --chain-file  /path/to/some/dir/chain.pem \
    --key-file  /path/to/some/dir/privkey.pem \
    --fullchain-file  /path/to/some/dir/fullchain.pem \
    --reloadcmd "systemctl reload postfix dovecot nginx apache2 ..."

And for the love of God don't make anything that's not Certbot write in /etc/letsencrypt.

Of course you have to tell "postfix dovecot nginx apache2 ..." that the certificate is in /path/to/some/dir/ -- only reload the services you have. Don't install a second webserver because of my example.

@9peppe thank you for your helpful assistance. My earlier mistake in thinking https://mail.wpturbo.uk/ was secure was due to cookies masking the certificate's status; once cookies were cleared, it was insecure.

I'm only using acme.sh because that's what I believe CyberPanel uses. I believe I've solved the issue by taking the certificate and private key that were generated by the issuance via the console command above and pasting them into the Add SSL section for the mail.wpturbo.uk sub-domain in CyberPanel. So I assume the issue was associated with how CyberPanel was configuring the paths when clicking their 'Issue SSL' button for the mail sub-domain (it worked fine for the root domain). I had checked the dovecot paths, so I'm not sure what it was.

SSL Labs was giving a grade B because 'certificate chain is incomplete'; however, adding the intermediate certificate below the main certificate returned a grade A.

That means you forgot to use chain.pem or you used cert.pem instead of fullchain.pem.
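
Added example, not the thread's or acme.sh's own code, tying together the `--install-cert` step in the acme.sh reply above and the chain.pem/fullchain.pem point in the final reply: a shell check that the file handed to Dovecot and Postfix really carries the intermediate, plus the directives that point both daemons at it. The install directory, the placeholder PEM files and the choice of Postfix directives (separate cert/key settings, assumed from the stated Ubuntu 18.04) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: after `acme.sh --install-cert` has
# written cert.pem / chain.pem / fullchain.pem / privkey.pem, check that the file
# the mail daemons will load is the full chain (leaf + intermediate), then print
# the Dovecot and Postfix directives that point at it. The install directory is
# an assumption; the thread only says "not under /etc/letsencrypt".
set -eu

# Number of PEM certificate blocks in a file: cert.pem -> 1, fullchain.pem -> 2+.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Succeeds only when the bundle carries at least one intermediate. Handing a
# bare leaf (cert.pem) to Dovecot/Postfix is what SSL Labs reports as
# "certificate chain is incomplete" (the grade B in the thread).
is_full_chain() {
    n=$(count_pem_certs "$1")
    [ "${n:-0}" -ge 2 ]
}

# Directives for the two daemons named in the thread. Dovecot's leading '<'
# means "read this file". Postfix 3.3 (Ubuntu 18.04, assumed) takes separate
# cert/key settings; fullchain.pem goes in the cert slot so the intermediate
# is served alongside the leaf.
print_mail_tls_config() {
    dir=$1
    cat <<EOF
# /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = <$dir/fullchain.pem
ssl_key = <$dir/privkey.pem

# /etc/postfix/main.cf
smtpd_tls_cert_file = $dir/fullchain.pem
smtpd_tls_key_file = $dir/privkey.pem
smtpd_tls_security_level = may
EOF
}

# Constructed stand-in for an install directory: placeholder PEM blocks with the
# same file layout as acme.sh's output (no real certificate or key material).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$TMP/cert.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$TMP/chain.pem"
cat "$TMP/cert.pem" "$TMP/chain.pem" > "$TMP/fullchain.pem"

for f in cert.pem chain.pem fullchain.pem; do
    if is_full_chain "$TMP/$f"; then
        echo "$f: $(count_pem_certs "$TMP/$f") certs, OK as a chain file"
    else
        echo "$f: $(count_pem_certs "$TMP/$f") cert(s), NOT a full chain"
    fi
done
print_mail_tls_config "$TMP"
```

Run against a real install directory, the loop is the check to make before `--reloadcmd` restarts the daemons: only fullchain.pem should pass, and if it reports a single certificate the `--fullchain-file` argument was pointed at the wrong path or the leaf was pasted into a panel without its intermediate, as happened in this thread.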