Thunderbird not seeing letsencrypt cert anymore?

I'm not good with this stuff.. but it's been working fine for like 3 years. I'm not sure where the problem is, but nothing on my server has changed other than updating the certs every few months. It's running UBUNTU 14.04 LTS with APACHE2..

The problem is, Thunderbird has stopped seeing my letsencrypt certs and is downloading the one issued by the server (bit of a fallback method). All HTTPS connections on my website seem fine still..

I have no idea even where to start, it just started acting up within the past 3 months I think.

Which server is Thunderbird connecting to, when you experience this issue?

Are you running something like Dovecot/Postfix? Is the fallback certificate happening with an IMAPS/POP3S/SMTPS server or something else?

Identifying the relevant server is what you'll want to do first, because that will tell you which configuration file you need to look at in order to fix it.

If you want to share your domain names, we can check this for you.


Yeah, it's dovecot & postfix.. POP3..

I just cleared all the certs out, and it just downloads from the server (exxoshost.co.uk) .. I haven't touched the mail server for literally years and it's been fine previously..

Well, what domain is Thunderbird configured to connect to?

Indeed, the certificate that you get when connecting to 81.4.101.12:110 (STARTTLS POP3) is that self-signed one for exohost.co.uk.

However, you would usually tell Thunderbird to connect to a domain that matches one of the certificates on the Dovecot server (like mail.example.com), rather than connecting directly to the IP address. Do you have such a domain?

Yeah, there's a few domains, I wonder if for some reason it's not updated the new certs on other domains.. though not sure why they would get missed after all this time...

All the domain names go to the same server IP anyway, it's why I started just using the IP address instead of the domain names..

How SSL works in general is that:

  • Thunderbird connects to the mail server and says: "I'm connecting to domain X"
  • The mail server looks for a certificate for "X" and responds with that
  • Thunderbird confirms that it trusts that certificate (because it came from a trusted CA like Let's Encrypt, and the domain on the certificate matches "X")
  • The secure session is established

If you instead just connect to the IP address directly, then Thunderbird is going to say "I'm connecting to IP address a.b.c.d".

Since your Dovecot server does not have a trusted certificate for that IP address, it instead just picks the "default" certificate on the server, which isn't going to match the requested peer name (the IP address).

In turn, that is going to result in a trust error in Thunderbird.

Hopefully that provides an understanding as to why you need to configure the server domain in Thunderbird to match the certificates you have installed in Dovecot and Postfix.

Yes, that is a bit of a mystery. None of those certificates seem to be available on Dovecot anymore.

I think you need to take a look in your Dovecot configuration to see what happened. It all depends how you set it up all those years ago.

How it's meant to look is a bit like this, one for each of your domains: https://wiki.dovecot.org/SSL/DovecotConfiguration#With_client_TLS_SNI_.28Server_Name_Indication.29_support.

I think I am doing something dumb.. Is there a way to use the same cert across multiple domain names ? All the domains use the same server IP.. Or is there a way to add multiple domain names so they all update together without having to update them individually ?

Sure, you can create one certificate which contains all of your domains, and use that. It's a valid option.

I think most people would opt to have separate certificates for unrelated domains, because it makes life a little less complicated if you want to add/remove domains to the mailserver.

However I'm not really sure that it would address the root issue here, which is that Dovecot is not configured to use your Let's Encrypt certificates at all.

Is the server at 81.4.101.12 managed by you? If so, how can it have a cert for exxohost.co.uk? Or do you own that domain too?

I own all the domains and the server is my own as well.

I'm looking through my notes to see what I have got in the dovecot setup.. gotta find what file I am supposed to be looking at yet :-\

doveconf -n

gives this.. I don't think it's right...

ssl_cert = </etc/ssl/certs/server.crt
ssl_key = </etc/ssl/private/server.key

?

If you want Dovecot to have separate certificates per hostname, take a look at:

Also do note the warning about some clients not having SNI support. Those clients will be sent the default cert.

Looks sorted now!

found this example..

ssl_cert = </etc/letsencrypt/live/YOURSITE/fullchain.pem
ssl_key = </etc/letsencrypt/live/YOURSITE/privkey.pem

Which is in /etc/dovecot/conf.d/10-ssl.conf

Before it was

ssl_cert = </etc/ssl/certs/server.crt
ssl_key = </etc/ssl/private/server.key

I have no idea how all this got screwed up in the first place.. Thanks for everyone's input anyway! Hopefully this will help some other people who run into the same issue in the future! (probably me!)

Now you're sending just the exxoshost.co.uk certificate. Normally, this wouldn't be valid for any other hostname entered in Thunderbird besides exxoshost.co.uk. However, you seem to be adding overrides for the certificate. That's not really recommended and I suggest using the same host to connect to as the host within the certificate.
So either you can use exxoshost.co.uk as the hostname in Thunderbird or you can add any of your other hostnames to a certificate and use that cert and hostname.
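The mechanism discussed in this thread (the client names the host via SNI, the server picks a matching certificate or falls back to its default, and the client then checks issuer and name) can be modelled in a few lines. The script below is an added example written for this page, not code from the thread, Dovecot or Thunderbird. It parses a constructed 10-ssl.conf in the "before" and "after" shapes shown above plus one local_name block, selects the certificate the way Dovecot's local_name matching does, and reports what a client would conclude for a hostname and for a bare IP address. All hostnames, paths and certificate contents are constructed; the CERT_CONTENTS table stands in for reading the PEM files.

```python
"""Why connecting by IP address yields the server's default certificate, and how
Dovecot local_name blocks pick a certificate from the SNI name.
Added example for this page; all hostnames, paths and cert contents are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Certificate:
    path: str          # file referenced by an `ssl_cert = <path` line
    sans: tuple        # dNSName entries the issuer signed
    trusted_ca: bool   # False for a self-signed "fallback" certificate


# Constructed stand-in for reading each PEM file (what `openssl x509 -noout -text` shows).
CERT_CONTENTS = {
    "/etc/ssl/certs/server.crt": Certificate(
        "/etc/ssl/certs/server.crt", ("mail.example.net",), False),
    "/etc/letsencrypt/live/mail.example.net/fullchain.pem": Certificate(
        "/etc/letsencrypt/live/mail.example.net/fullchain.pem", ("mail.example.net",), True),
    "/etc/letsencrypt/live/example.org/fullchain.pem": Certificate(
        "/etc/letsencrypt/live/example.org/fullchain.pem", ("example.org", "*.example.org"), True),
}


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(pattern, name):
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    left-most wildcard label ('*.example.org' covers 'imap.example.org' only)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                                   # ".example.org"
        prefix = name[: -len(suffix)] if name.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return False


def cert_covers(cert, name):
    # dNSName entries never cover an IP literal, so "connect to a.b.c.d" cannot match.
    return not is_ip_literal(name) and any(name_matches(s, name) for s in cert.sans)


class MailServer:
    """Certificate selection as Dovecot does it with ssl_cert plus local_name blocks."""

    def __init__(self, default_cert, local_names):
        self.default_cert = default_cert
        self.local_names = local_names          # {pattern: Certificate}

    def select_cert(self, sni):
        if sni is None:                         # no SNI sent (IP literal): default cert
            return self.default_cert
        for pattern, cert in self.local_names.items():
            if name_matches(pattern, sni):
                return cert
        return self.default_cert                # SNI sent but no block matches


def parse_dovecot_ssl(conf_text, cert_contents=CERT_CONTENTS):
    """Parse ssl_cert lines and local_name { } blocks of a 10-ssl.conf.
    Only the subset of Dovecot syntax used in this example is handled."""
    default_path, blocks, current = None, {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("local_name ") and line.endswith("{"):
            current = line[len("local_name "):-1].strip()
        elif line == "}":
            current = None
        elif line.startswith("ssl_cert"):
            path = line.split("=", 1)[1].strip().lstrip("<")
            if current is None:
                default_path = path
            else:
                blocks[current] = cert_contents[path]
    return MailServer(cert_contents[default_path], blocks)


def client_verdict(server, connect_to):
    """What a client would conclude when told to connect to `connect_to`."""
    sni = None if is_ip_literal(connect_to) else connect_to
    cert = server.select_cert(sni)
    if not cert.trusted_ca:
        return cert.path, "untrusted issuer"
    if not cert_covers(cert, connect_to):
        return cert.path, "name mismatch"
    return cert.path, "ok"


# Constructed configs: the "before" shape from the thread, and a fixed one with a local_name block.
BROKEN_CONF = """
ssl = yes
ssl_cert = </etc/ssl/certs/server.crt
ssl_key = </etc/ssl/private/server.key
"""

FIXED_CONF = """
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.net/privkey.pem

local_name *.example.org {
  ssl_cert = </etc/letsencrypt/live/example.org/fullchain.pem
  ssl_key = </etc/letsencrypt/live/example.org/privkey.pem
}
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        server = parse_dovecot_ssl(conf)
        for target in ("mail.example.net", "imap.example.org", "203.0.113.10"):
            print(label, target, client_verdict(server, target))
```

The run shows the two points made in the thread: with the broken config every connection gets the self-signed fallback regardless of the name sent, and with the fixed config a hostname that matches a certificate verifies, while the IP address still fails (the default certificate is now trusted, but no dNSName can cover an IP literal). Against a real server the same observation is made with `openssl s_client -connect host:110 -starttls pop3 -servername mail.example.net`, with and without the -servername option.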
