For a few days now, every 10 minutes Thunderbird has thrown an error about the certificate of my e.email account.
The image shows a security warning dialog in French from the Thunderbird email client. Here’s a translation and description:
*---------------------------------------------------------------------------------------------
“Adding a Security Exception”
Warning Message:
“You are about to bypass how Thunderbird identifies this site.”
“Banks, stores, and other legitimate public websites warn you not to do this.”
Details:
Address field: e.email (partially filled)
“This site is attempting to identify itself with invalid information”
“The certificate is not safe because it is impossible to verify if it was issued by a trusted authority using a secure signature”
Options:
“Get the Certificate” button
“See…” link to more details
Checkbox: “Keep this exception permanently”
Two buttons at the bottom: “Confirm Security Exception” and “Cancel”
*---------------------------------------------------------------------------------------------
Issuer: Same as Subject (Acme Co, Kubernetes Ingress Controller Fake Certificate)
Validity Period:
Valid From: Tuesday, 25 Mar 2025 20:49:54 GMT
Valid Until: Wednesday, 25 Mar 2026 20:49:54 GMT
Alternative Subject Names:
DNS Name: ingress.local
Public Key Information:
Algorithm: RSA
Key Size: 2048 bits
…
Whatever I try, like obtaining the certificate, cancelling, or accepting/confirming the security exception, the same issue returns a few minutes later.
I am using “mail.ecloud.global” as the server on ports 993 and 587 (SSL/TLS).
My other accounts are not affected. (It may be the Thunderbird calendar app as well; I have not checked this one.)
Probably something weird going on with your DNS. The cert you’ve hit is for a service called “ingress.local” and it’s picking up a cert from a Kubernetes cluster somewhere. When I’ve tested the server it shows a cert from Let’s Encrypt.
Strange, I’m using Cloudflare 1.1 as nameserver; same problem with Quad9 9.9.9.9 … I’m about to investigate my own machine (I don’t have any kube on my machine that I know about).
(This isn’t DNS.) Your Thunderbird requests something over HTTPS at e.email; that serves the bogus Acme certificate, which Thunderbird doesn’t like, hence the warning. You can of course ignore it. It could be an autoconfig request, but other than that I don’t know what it wants to fetch there.
I have the same issue and am still somewhat hesitant to ignore it, as @tcecyk suggested. Why would the e.email server all of a sudden start serving a wrong certificate?
So autoconfig requests happen, but cert errors during the autoconfig phase are not surfaced (they don’t need to be, as it’s probing wildly).
It’s at the tail end of the requests in the second screenshot, when looking for the CardDAV / CalDAV well-knowns, that Thunderbird brings the error to the user.
/.well-known/carddav
/.well-known/caldav
I’m not sure Thunderbird is supposed to check them? The autoconfig doesn’t set the endpoints (as of now). It could create those sections and point to their endpoints to avoid the error, but at the moment I think TB is overreaching. Bugzilla doesn’t have an entry on this yet.
(It works for murena.io users because the cert is valid, and sure, the fix is to just do so on e.email too, but technically IMO Thunderbird has to handle this better: no DAV entries in autoconfig, don’t probe and act up.)
On my side it is clearly the certificate for https://e.email that is shown.
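The DAV probe described in the post above, as an added diagnostic example that is neither the thread's nor Thunderbird's code: probe() performs the TLS handshake Thunderbird would make for https://<domain>/.well-known/carddav and /caldav against the system trust store and returns the verifier's own message, and diagnose() explains, from a constructed dict carrying the certificate fields quoted earlier in the thread, why a client rejects that certificate for e.email (self-signed issuer, SAN that does not cover the hostname). The function names and the sample dict are assumptions; the dict follows the layout of Python's ssl getpeercert().

```python
import socket
import ssl

# Added diagnostic, not Thunderbird's or the thread's code. Assumes only the
# stdlib ssl module and the dict layout returned by SSLSocket.getpeercert().

def flat_dn(name):
    """Flatten getpeercert()'s tuple-of-tuples DN into a plain dict."""
    return {k: v for rdn in name for (k, v) in rdn}

def label_match(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost '*' label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def diagnose(cert, hostname):
    """Return the reasons a client rejects `cert` when presented for `hostname`."""
    problems = []
    subject, issuer = flat_dn(cert.get("subject", ())), flat_dn(cert.get("issuer", ()))
    if subject == issuer:
        problems.append("self-signed: issuer equals subject (%s)" % subject.get("commonName"))
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(label_match(s, hostname) for s in sans):
        problems.append("hostname %s not in SAN %s" % (hostname, sans))
    return problems

def probe(domain, timeout=5.0):
    """Do the TLS handshake Thunderbird would for https://<domain>/.well-known/carddav
    (and /caldav) with the default trust store; return the verifier's message, None if valid."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((domain, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=domain):
                return None
    except ssl.SSLCertVerificationError as e:
        return e.verify_message

# Constructed sample mirroring the certificate fields quoted in the thread.
ACME_DN = ((("organizationName", "Acme Co"),),
           (("commonName", "Kubernetes Ingress Controller Fake Certificate"),))
FAKE_INGRESS_CERT = {"subject": ACME_DN, "issuer": ACME_DN,
                     "subjectAltName": (("DNS", "ingress.local"),)}

if __name__ == "__main__":
    print(diagnose(FAKE_INGRESS_CERT, "e.email"))  # offline: explains the dialog
    print(probe("e.email"))                         # live check against the server
```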
…
After further investigation, some tcpdump, strace and so on, I found in Thunderbird some address books relying on https://e.email (from a long time ago) that are synced from time to time. After unsubscribing and re-adding them with murena.io, the alert seems to have disappeared.