SOLVED Thunderbird Email - SSL Certificate error with Lets Encrypt

swbrains

Well-Known Member
Hi,

I had an AlphaSSL certificate installed on my domain, which expired today. I decided to enable AutoSSL on that account, and a Let's Encrypt certificate was successfully installed on my domain. But when I launch Thunderbird to get my email, it now issues an error regarding the certificate:
[Screenshot: screencapture_000042.png]

So I logged into my server account and deleted the expired AlphaSSL cert from the domain and ensured that only the active LE cert was remaining, but the problem persists.

If I click Get Certificate in the above, I get this error, even though the new LE cert is installed and working for web access (HTTPS):
[Screenshot: screencapture_000043.png]

If I remove the :995 port from the Location field above, I can click Get Certificate and it finds the LE cert, but tells me I don't need to make any changes to the email account configuration, so Thunderbird issues the same error above the next time I retrieve email.

Does anyone have any ideas why using Let's Encrypt with Thunderbird is an issue, or has anyone seen this before?

Thanks!
 

cPanelMichael

Technical Support Community Manager
Staff member
Hello @swbrains,

Can you verify what you are entering for the mail server host name? For instance, are you using "domain.tld", "mail.domain.tld", or your server's hostname? Can you also check that the "mail" subdomain is not excluded from AutoSSL in cPanel >> SSL/TLS Status?

Thank you.
 

swbrains

Well-Known Member
I ended up generating an AlphaSSL certificate for my primary domain and installing that on the primary domain account, but the error still happened. What was strange is that I noticed the cert that TB was showing in its error window was a wildcard cert that also had the root domain listed on it. I had generated the new wildcard cert via AlphaSSL a while ago (August). My server admins later determined that the Service SSL Cert needed to be replaced by the newest AlphaSSL wildcard certificate generated in August.

I couldn't find the expired wildcard cert in Manage SSL Hosts or in SSL Storage Manager, but I *could* still see it on the server in the list when I was viewing the page where you install an SSL certificate and clicked the Browse Certificates button to view existing certs on the server. When I selected to Browse Apache certificates, I found what I believe to be the expired certificate that is being retrieved by Thunderbird and MS Mail. I didn't know where it was being referenced from on the server to be in that list, but apparently it was in the Services SSL area. Once the current cert (from August) was installed there, TB works properly when accessing my primary domain account.
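
The situation in this thread (HTTPS serving the new certificate while the mail port :995 still presents an old one) can be confirmed from any client machine. The following is an added example, not part of the original posts: it performs a strict handshake on each port, fingerprints the certificate actually served, and reports differences. The function names and the `SAMPLE` data are constructed for illustration.

```python
import hashlib
import socket
import ssl

def _leaf_sha256(host, port, timeout):
    # No verification here: we only want the bytes of whatever cert is served.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def probe(host, port, timeout=5.0):
    """Return what a strict client (such as a mail client) sees on host:port."""
    result = {"port": port, "verify_error": None,
              "sha256": _leaf_sha256(host, port, timeout)}
    try:
        ctx = ssl.create_default_context()  # system trust store, hostname check on
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        result["verify_error"] = exc.verify_message
    return result

def summarize(results):
    """Turn probe() results into findings; pure function, no network."""
    findings = []
    for r in results:
        if r["verify_error"]:
            findings.append(f"port {r['port']}: rejected ({r['verify_error']})")
    by_print = {}
    for r in results:
        by_print.setdefault(r["sha256"], []).append(r["port"])
    if len(by_print) > 1:
        groups = " vs ".join(str(sorted(p)) for p in by_print.values())
        findings.append(f"different certificates served: {groups}")
    return findings

# Constructed sample results mirroring the thread: HTTPS is fine, POP3S is stale.
SAMPLE = [
    {"port": 443, "verify_error": None, "sha256": "aa" * 32},
    {"port": 995, "verify_error": "certificate has expired", "sha256": "bb" * 32},
]

if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # the mail server name configured in the mail client
    print("\n".join(summarize([probe(host, p) for p in (443, 995)])))
```

Run it with the same host name the mail client is configured to use. A verification failure on 995 together with a fingerprint that differs from port 443 indicates that the mail service is serving its own certificate, separate from the one installed for the website.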