Thunderbird Plugin does not use configured custom CA certs #355

Closed
jerrac opened this issue Aug 23, 2020 · 3 comments

jerrac commented Aug 23, 2020

Per #257 (comment) here is a new issue based on my comment here: #257 (comment)

System: Ubuntu 18.04 VM, Thunderbird 68.10.0, and version 0.5.0 of the addon from the GitHub releases page.

I've created my own CA on the vm, and added it to the trusted CAs both in Ubuntu, and in Thunderbird. Thunderbird connects just fine to imap and smtp using the certs I signed with the CA.

Here is a screenshot of the Thunderbird Certificate Manager:
[Screenshot: tbirdcertmanager]

As requested I turned on debugging. I did not see the Global section from thsmi's screenshot available to me.

Here is what I have:

[Screenshot: AvailableDebugOptions]

When I click "Connect" this is what I see in the error console:

[Screenshot: AfterClickingConnect]

In text:

[15:02:34.004 account3] Connecting to imap.raygun.zat:4190 ...
[15:02:34.004 account3] Using Proxy: Direct
[15:02:34.010 account3] Connected to imap.raygun.zat:4190 ...
[15:02:34.012 account3] Server -> Client
"IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"

"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"

"NOTIFY" "mailto"

"SASL" "PLAIN LOGIN"

"STARTTLS"

"VERSION" "1.0"

OK "Dovecot (Ubuntu) ready."


[15:02:34.016 account3] Client -> Server:
STARTTLS


[15:02:34.017 account3] Server -> Client
OK "Begin TLS negotiation now."


[15:02:34.018 account3] Client -> Server:
CAPABILITY


[15:02:34.030 account3] Disconnected from  imap.raygun.zat:4190 with status 2153398258
[15:02:34.030 account3] Disconnecting imap.raygun.zat:4190...
[15:02:34.030 account3] Disconnected ...
[15:02:34.031 account3] Sending Request failed Error: Error while validating Certificate

Is there anything else I can provide that would help?

Edit:
While double checking this wasn't an error on my end, I noticed that Thunderbird wasn't displaying the CA for the certs I signed with it.... So I'm looking into that.

[Screenshot: tbirdcertview]

jerrac (Author) commented Aug 23, 2020

Ok. It's been forever since I set up my initial CA. So I just went and did it all again. This time, with a new tutorial, it seems to have worked a bit better.

After importing my new CA cert, Thunderbird no longer asks if I want to trust the certs for my imap connections.

I also found the more button that showed me the missing "Global" section in the debug screen.... So the "User..." and "IPC..." options are now checked.

Unfortunately, I still can't manage my sieve scripts:

[16:37:15.375 account3] Connecting to imap.raygun.zat:4190 ...
[16:37:15.375 account3] Using Proxy: Direct
[16:37:15.393 account3] Connected to imap.raygun.zat:4190 ...
[16:37:15.394 account3] Server -> Client
"IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"

"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"

"NOTIFY" "mailto"

"SASL" "PLAIN LOGIN"

"STARTTLS"

"VERSION" "1.0"

OK "Dovecot (Ubuntu) ready."


[16:37:15.399 account3] Client -> Server:
STARTTLS


[16:37:15.400 account3] Server -> Client
OK "Begin TLS negotiation now."

BYE "TLS initialization failed."


[16:37:15.400 account3] Disconnected from  imap.raygun.zat:4190 with status 0
[16:37:15.400 account3] Disconnecting imap.raygun.zat:4190...
[16:37:15.400 account3] Disconnected ...

thsmi (Owner) commented Sep 7, 2020

Sorry for the late response.

According to the logs you provided, the TLS negotiation failed during initialization on the server side. In all cases I have seen, this message was caused by a broken server-side configuration.

To debug this you need to refer to your server's log, and look there for the reason why the server side failed to initialize.

jerrac (Author) commented Sep 20, 2020

Somehow, I had ended up with more than just the encoded certificate in my .key and .crt files.... After regenerating them again, the plugin started working.

Thanks for taking the time to respond to my issues. :)

And thanks for making a very useful tool!

@jerrac jerrac closed this as completed Sep 20, 2020
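
The fix reported above was regenerating .key and .crt files that held more than the encoded certificate. As an added example (not from the issue or the project), this Python check lists what a PEM file actually contains, so stray text or an unexpected block type shows up as a finding to review before the server loads the file; `lint_pem` and the sample data are constructed here and are assumptions.

```python
import base64
import re

# PEM armor lines (RFC 7468), e.g. "-----BEGIN CERTIFICATE-----"
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def lint_pem(text, expected):
    """List findings for one PEM file. `expected` is the label suffix the file
    should contain: "CERTIFICATE" for a .crt, "PRIVATE KEY" for a .key.
    Assumes unencrypted PEM (no header lines inside a block)."""
    findings, label, body, blocks = [], None, [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if label is None:                      # between blocks
            m = _BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            elif line:
                findings.append(f"line {n}: text outside any PEM block")
            continue
        m = _END.match(line)
        if not m:                              # still inside a block
            body.append(line)
            continue
        if m.group(1) != label:
            findings.append(f"line {n}: END {m.group(1)} closes BEGIN {label}")
        if not label.endswith(expected):
            findings.append(f"line {n}: unexpected block type {label}")
        try:
            base64.b64decode("".join(body), validate=True)
        except ValueError:                     # binascii.Error is a ValueError
            findings.append(f"line {n}: block body is not valid base64")
        blocks, label = blocks + 1, None
    if label is not None:
        findings.append(f"unterminated BEGIN {label} block")
    if blocks == 0:
        findings.append("no PEM block found")
    return findings

# Constructed sample data: the base64 body is filler, not a real certificate or key.
_B64 = base64.b64encode(b"constructed filler bytes").decode()
CLEAN_CRT = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
DIRTY_CRT = ("Bag Attributes\n" + CLEAN_CRT +
             f"-----BEGIN PRIVATE KEY-----\n{_B64}\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in (("clean.crt", CLEAN_CRT), ("dirty.crt", DIRTY_CRT)):
        print(name, lint_pem(text, "CERTIFICATE") or "ok")
```
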