Author Topic: Avast certificate & Thunderbird (certificate import doesn't work)  (Read 855 times)

Offline Griphon

  • Newbie
  • *
  • Posts: 5
I’m having a problem with Avast Premium Security 21.8 and Thunderbird email client 91.2.0 (x86/32bit).
Checking email with Thunderbird gives “Add Security Exception” warning:
“Site attempts to identify itself with invalid information
Unknown identity
The certificate is not trusted because it hasn’t been verified as issued by a trusted authority using a secure signature”


At first glance this sounds like the Avast certificate needs to be imported into Thunderbird as mentioned in https://support.avast.com/en-ww/article/Troubleshoot-invalid-email-certificate

But the problem is even though I do the procedure on that page (and it appears to complete), the Avast authority certificate is not listed after doing the process. No error message is displayed.

When import is clicked and the file selected, the following dialog appears, and I select (check) “Trust this CA to identify websites”.
https://ibb.co/FXRKJjZ

The photo below shows the list after doing the import. Notice that there is no entry starting with “Avast”.
https://ibb.co/LZnfJqN

Uninstalling Thunderbird 91.2.0 and installing Thunderbird 78.13.0 somehow magically lists the Avast certificate in the authority certificate list but this does not occur with 91.2.0. Looks like 91.2.0 handles things differently with certificates?

But, with 78 installed Thunderbird complains that the profile has been upgraded by a newer version and refuses to start, so I cannot use 78 with the profile data files.
I cannot use 91 either as the “Security Exception” warning comes up, and I would prefer not to add an exception, AND I cannot actually add the certificate even though the import process seems to complete and does not generate any sort of error message.

How to solve this issue? The preferred solution is to fix 91 so that the certificate can be imported to solve the “Security Exception” issue but I do not understand why the Avast certificate appears with 78 but not 91.

Questions:
    1. Why does importing Avast Mailshield certificate not show up in Thunderbird 91.2.0?
    2. How to get Thunderbird 91 to import the certificate and have it visible in the “Authorities” list after doing the import?
    3. Additionally, how to downgrade the Thunderbird profile from 91 to 78?

Thanks
« Last Edit: October 18, 2021, 06:05:37 PM by Griphon »

Offline r@vast

  • Avast team
  • Super Poster
  • *
  • Posts: 1837
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #1 on: October 19, 2021, 11:35:21 AM »
Hi,

I have tested this on my side and confirming the Security Exception resolves the issue. When you receive the "Add Security Exception" message, you can click on "View certificate" and it will show that it is Avast Mail Shield. There is no need to manually install the certificate.
After manually installing the certificate, you need to click on OK and then it will show the certificate (You can also try to restart your device if need be).

Offline Griphon

  • Newbie
  • *
  • Posts: 5
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #2 on: October 19, 2021, 03:26:57 PM »
R@vast,

Quote
I have tested this on my side and confirming the Security Exception resolves the issue. When you receive the "Add Security Exception" message, you can click on "View certificate" and it will show that it is Avast Mail Shield. There is no need to manually install the certificate.
After manually installing the certificate, you need to click on OK and then it will show the certificate (You can also try to restart your device if need be).

Thanks for your reply.

1. Why do I need to confirm the "Add Security Exception" with 91 if the MailShield certificate has been installed already? I thought adding the certificate would prevent the "Security Exception" dialog from being shown in the first place? (The dialog mentions "Site attempts to identify itself with invalid information / Unknown identity / The certificate is not trusted because it hasn’t been verified as issued by a trusted authority using a secure signature" so it appears that something is wrong with the certificate?). Using "Add Security Exception" seems to indicate an issue that is being bypassed rather than fixed.

2. One issue is that the Thunderbird certificate list behavior is different between versions 78 & 91. In 78, I can see the Avast certificate in Tools/Preferences/Privacy & Security/Manage Certificates/Authorities tab but the Avast certificate does not appear in 91's list (unless as you say I need to confirm the Security Exception first, which is non-intuitive). If the MailShield certificate has been installed then logically I should be able to see it in both 78 and 91?

3. I recommend that the Avast page at https://support.avast.com/en-ww/article/Troubleshoot-invalid-email-certificate be updated to include Thunderbird 91 instructions.

4. Also, please suggest improving Post Verification images for this forum, some of these are impossible to recognize and I am very much a human!


« Last Edit: October 19, 2021, 03:40:25 PM by Griphon »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72894
    • >>>  Avast Forum - German-language section  <<<
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #3 on: October 19, 2021, 03:51:06 PM »
Quote
4. Also, please suggest improving Post Verification images for this forum, some of these are impossible to recognize and I am very much a human!

Captcha is only needed for your first 3 posts. (Spam protection)
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.681] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #4 on: October 19, 2021, 05:23:48 PM »
<snip quotes>

2. One issue is that the Thunderbird certificate list behavior is different between versions 78 & 91. In 78, I can see the Avast certificate in Tools/Preferences/Privacy & Security/Manage Certificates/Authorities tab but the Avast certificate does not appear in 91's list (unless as you say I need to confirm the Security Exception first, which is non-intuitive). If the MailShield certificate has been installed then logically I should be able to see it in both 78 and 91?
<snip quote>

I'm using Thunderbird 91.2.0 (64-bit) and it appears in my list.

That said it has been there for some considerable time as I have updated Thunderbird regularly through the program updates and not done a clean install of Thunderbird.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Griphon

  • Newbie
  • *
  • Posts: 5
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #5 on: October 19, 2021, 05:45:20 PM »
Quote
Hi,

I have tested this on my side and confirming the Security Exception resolves the issue. When you receive the "Add Security Exception" message, you can click on "View certificate" and it will show that it is Avast Mail Shield. There is no need to manually install the certificate.
After manually installing the certificate, you need to click on OK and then it will show the certificate (You can also try to restart your device if need be).

I have just tested the above "confirm security exception" and it doesn't work for me - confirming add security exception doesn't make checking emails work, and the same "Add Security Exception" dialog is shown in the future even if I click the permanently remember checkbox. Something is obviously not right here but I don't have detailed knowledge of Thunderbird to fix it.

If I could import messages from this profile into a new profile / installation, maybe that might help? How to do that with multiple accounts, mail subfolders etc?


Offline Griphon

  • Newbie
  • *
  • Posts: 5
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #6 on: October 19, 2021, 05:49:23 PM »
Quote
<snip quotes>

2. One issue is that the Thunderbird certificate list behavior is different between versions 78 & 91. In 78, I can see the Avast certificate in Tools/Preferences/Privacy & Security/Manage Certificates/Authorities tab but the Avast certificate does not appear in 91's list (unless as you say I need to confirm the Security Exception first, which is non-intuitive). If the MailShield certificate has been installed then logically I should be able to see it in both 78 and 91?
<snip quote>

I'm using Thunderbird 91.2.0 (64-bit) and it appears in my list.

That said it has been there for some considerable time as I have updated Thunderbird regularly through the program updates and not done a clean install of Thunderbird.

I originally had an older version of TB installed (15); I am not sure why it never updated, but I uninstalled it and then manually installed 91.2.0, and the certificate / security exception dialog problems started. I upgraded because of potential security fixes, but now this looks like it was a mistake to try. I have years of emails from different accounts that I want to retain rather than create a new fresh installation / profile and lose old emails.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #7 on: October 19, 2021, 08:42:28 PM »
I think uninstalling Thunderbird is definitely a mistake.  I had to do a clean install a very long time ago after my XP system died and whilst I had backups, I couldn't install these on the new Win10 system.  So I had to start from square one, a pain.

Whilst I like Thunderbird, it has poor backup functionality. There is a Thunderbird backup add-on/extension, ImportExportTools NG; I got this some time ago and it does a reasonable job of backing up your emails.  Currently it doesn't support (isn't compatible with) the new version 90+ of Thunderbird.

Offline alanb

  • Poster
  • *
  • Posts: 593
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #8 on: October 20, 2021, 03:28:09 PM »
Quote
Currently it doesn't support (compatible with) the new version 90+ of Thunderbird.

v11 supports TB91.  It is available at: https://addons.thunderbird.net/en-us/thunderbird/addon/importexporttools-ng/

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #9 on: October 20, 2021, 05:25:38 PM »
Quote
Currently it doesn't support (compatible with) the new version 90+ of Thunderbird.

v11 supports TB91.  It is available at: https://addons.thunderbird.net/en-us/thunderbird/addon/importexporttools-ng/

Thanks for that. I did try a manual update before, but it didn't work.

Offline Griphon

  • Newbie
  • *
  • Posts: 5
Re: Avast certificate & Thunderbird (certificate import doesn't work)
« Reply #10 on: October 20, 2021, 06:52:12 PM »
Quote
If I could import messages from this profile into a new profile / installation, maybe that might help? How to do that with multiple accounts, mail subfolders etc?

After trying everything I could think of I gave up trying to fix TB 91.

What I did was uninstall TB 91 and install TB 78. Since the profile data was upgraded by 91 I could not directly use the same profile data files. But since I wanted to keep my years of emails, I did the following process to keep Inbox etc files. Hopefully this helps someone else in the future.

Run TB 78 after install, creating a new profile and profile folder. DO NOT SELECT TB 91 PROFILE FOLDER when creating profile, you want to make an entirely new profile folder.
Set up the account settings (advanced/manual setup) for receiving (POP or IMAP) and SMTP for sending BUT DO NOT CHECK MAIL (leave password blank to ensure TB can't check mail). This sets up the account settings.
Exit Thunderbird.
Now what I did was copy the mail folder contents from the 91 profile's account to the newly created (and mostly empty) mail folder for the profile I just created.
In the 91 profile there is a folder \Mail containing a folder for each account. I had to figure out which folder was used for the same account that I just created and copy it to the \Mail\xxxxx account folder for the profile that I just setup. If you have a bunch of accounts for that profile then you will have multiple folders under \Mail folder. What makes it worse is that TB seems to name these folders based on the POP server name, so if you have multiple accounts that connect to the same POP server then you will have folders named something like pop.yourdomain.com, pop.yourdomain-1.com, pop.yourdomain-2.com etc.
One way to try to figure out which account is in which folder is to open *.mdf files with Notepad or a text editor and examine contents (such as the "To:"). The other way is to just copy the contents of the folder (i.e. the contents of pop.yourdomain.com folder under \Mail) to the newly created profile's \Mail\<account> folder, overwriting any files. YOU MUST EXIT THUNDERBIRD BEFORE YOU DO THIS.
Then open TB and check the account's Inbox folder to see if the files you copied match up with the correct account. That is, if you set up nuclear_response_team@yourdomain.com the inbox contents should be for that account and not sleazy_politician_slush_fund@yourdomain.com because this could cause unintended embarrassment.
If incorrect, exit TB and delete files inside the newly created profile's \Mail\<account> folder.

If you have multiple accounts within the profile you will have to repeat the process for each account.

The only disadvantage is that the address book is not preserved but I can live with that. I believe the address book format has changed between older and newer TB versions.

There may be a backup program or better way to do this but this is how I did it manually.
« Last Edit: October 20, 2021, 07:27:12 PM by Griphon »
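
Added example, not part of the original post: a read-only Python sketch that automates the "which folder belongs to which account" check from the procedure above by tallying recipient addresses in each account folder's Inbox before anything is copied. It assumes the default Thunderbird storage where each account folder under \Mail holds an mbox file named Inbox; the addresses and sample messages are constructed, and it should be run with Thunderbird closed.

```python
import mailbox
import tempfile
from collections import Counter
from email.utils import getaddresses
from pathlib import Path


def likely_owner(inbox_path, sample=200):
    """Most frequent To:/Delivered-To: address in an mbox file, as (addr, count)."""
    counts = Counter()
    box = mailbox.mbox(str(inbox_path), create=False)   # never create a new file
    for i, msg in enumerate(box):
        if i >= sample:          # a sample is enough; Inbox files can be huge
            break
        hdrs = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
        pairs = getaddresses([str(h) for h in hdrs])
        counts.update(addr.lower() for _name, addr in pairs if addr)
    box.close()
    return counts.most_common(1)[0] if counts else None


def map_account_folders(mail_dir):
    """Map each account folder under <profile>/Mail to its likely address."""
    result = {}
    for folder in sorted(Path(mail_dir).iterdir()):
        inbox = folder / "Inbox"
        if inbox.is_file():      # skips folders without an mbox Inbox
            owner = likely_owner(inbox)
            result[folder.name] = owner[0] if owner else None
    return result


def build_constructed_profile(root):
    """Constructed sample data (not real mail): two account folders."""
    accounts = {"pop.yourdomain.com": "alice@yourdomain.com",
                "pop.yourdomain-1.com": "bob@yourdomain.com"}
    for folder, addr in accounts.items():
        d = Path(root) / "Mail" / folder
        d.mkdir(parents=True)
        mbox = "".join(f"From - Mon Oct 18 10:00:0{n} 2021\nFrom: s{n}@example.org\n"
                       f"To: {addr}\nSubject: test {n}\n\nhello\n\n" for n in range(3))
        (d / "Inbox").write_bytes(mbox.encode("ascii"))
    return Path(root) / "Mail"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, addr in map_account_folders(build_constructed_profile(tmp)).items():
            print(f"{name}: {addr}")
```

To use it on a real profile, call `map_account_folders()` with the path of the old profile's Mail folder; the result is a heuristic, since mail received via Bcc or a mailing list may not name the account in its headers.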