[snap] Cannot confirm security exception for invalid certificate

Bug #1904789 reported by Johan
42
This bug affects 9 people
Affects Status Importance Assigned to Milestone
thunderbird (Ubuntu)
Confirmed
Low
Unassigned

Bug Description

Note: This bug is specific to the Snap version of Thunderbird, I can't reproduce it with the Ubuntu-packaged version for example (which I have installed on Ubuntu, used for multiple years and stopped using recently to get the more recent versions of TB available with Snap).

When a certificate problem arrises with a server from which Thunderbird tries to retrieve emails, the "Add Security Exception" window gives you the option to "Confirm Security Exception" (meaning that Thunderbird will overlook the invalid certificate).

The problem is that nothing happens when I click the "Confirm Security Exception" button. I've tried the usual workarounds, including removing the email account and adding it again, to no avail.

The peculiar thing here is that I have had certificate problems before, when using a non-snap version of Thunderbird, and clicking the "Confirm Security Exception" button has always worked. Not with the Snap version it seems.

Tags: snap
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in thunderbird (Ubuntu):
status: New → Confirmed
Revision history for this message
launcher of pad's (321launch) wrote :

Same here;

Name Thunderbird
Version 78.5.1
Build ID 20201130232704
Distribution ID ubuntu-snap-build
Update Directory
/snap/thunderbird/96
Update History
Update Channel release-cck-ubuntu
User Agent Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
OS Linux 5.4.0-56-generic
Application Binary /snap/thunderbird/96/thunderbird-bin

Revision history for this message
Olivier Tilloy (osomon) wrote :

To everyone affected: could you please run thunderbird from a terminal (`snap run thunderbird`) and in another terminal window run `journalctl -f | grep DEN`, reproduce the problem, close thunderbird, and share the output of both terminal windows here?

Thanks!

tags: added: snap
Revision history for this message
Johan (johanricher) wrote :

Hi Olivier, thanks for your help.

snap run thunderbird
Gtk-Message: 11:39:31.230: Failed to load module "canberra-gtk-module"
Gtk-Message: 11:39:31.248: Failed to load module "canberra-gtk-module"

(directly at launch, then nothing when reproducing the issue)

Nothing either with journalctl -f | grep DEN.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Thanks Johan. When you say "nothing happens" in the bug description, do you mean that the dialog is closed but the behaviour is not the one you expected, or does the dialog remain up and visible (i.e. the button doesn't close the window)?

summary: - [snap] Cannot confirm security exception
+ [snap] Cannot confirm security exception for invalid certificate
Revision history for this message
Johan (johanricher) wrote :

By "nothing happens" I mean that the "Add Security Exception" window stays open with seemingly no effect when clicking on the button "Confirm Security Exception". Clicking multiple times doesn't change the state of the window either. The only way to advance is to click "Cancel" which closes the window (without adding the exception of course).

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug report, is there a public server which triggers the dialog which could be used for testing? Could you try to start thunderbird --jsconsole and see if any error is printed when trying to validate the exception?

Changed in thunderbird (Ubuntu):
importance: Undecided → Low
Revision history for this message
launcher of pad's (321launch) wrote : Fwd: Submit Request Failure

i'll try again with a text file as i got an error sending the error ;)

-------- Forwarded Message --------
Subject: Submit Request Failure
Date: Mon, 14 Dec 2020 21:12:22 -0000
From: <email address hidden>
Reply-To: <email address hidden>
To: <email address hidden>

An error occurred while processing a mail you sent to Launchpad's email
interface.

Error message:

The message you sent included commands to modify the bug report,
but you didn't sign the message with an OpenPGP key that is
registered in Launchpad.

--
For more information about using Launchpad by email, see
https://help.launchpad.net/EmailInterface
or send an email to <email address hidden>

Revision history for this message
Johan (johanricher) wrote :

Looking at the Error Console was the right idea, thanks. Here's the error that is caught when clicking the "Confirm Security Exception" button:

Exception { name: "NS_ERROR_FAILURE", message: "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIURI.port]", result: 2147500037, filename: "chrome://pippki/content/exceptionDialog.js", lineNumber: 156, columnNumber: 0, data: null, stack: "getURI@chrome://pippki/content/exceptionDialog.js:156:7\naddException@chrome://pippki/content/exceptionDialog.js:386:13\n_fireButtonEvent@chrome://global/content/elements/dialog.js:487:19\n_doButtonCommand@chrome://global/content/elements/dialog.js:466:29\n_handleButtonCommand@chrome://global/content/elements/dialog.js:460:19\nInformUserOfCertError@chrome://messenger/content/mailWindow.js:685:10\nOnStopRunningUrl@chrome://messenger/content/mailWindowOverlay.js:2938:30\n", location: XPCWrappedNative_NoHelper }

The previous

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks, unsure what's the issue, it might be worth reporting upstream on https://bugzilla.mozilla.org

There are issues discussed on https://bugzilla.mozilla.org/show_bug.cgi?id=1590474 but it sounds a bit different

Did you try the deb of 78 or an older version? Could you also give some details on how to trigger the warning, is there a public website where an account could be created for testing?

Revision history for this message
Johan (johanricher) wrote :

I understand that it's particularly difficult to reproduce the bug because it requires a mail server with a certificate problem. Since it was blocking me, I temporarily dealt with this by not using the Snap version of TB and returning to the versions from the official Ubuntu PPA (in my case TB 68.10.0 on my Ubuntu 20.04.1 LTS machine and TB 78.3.2 on my Ubuntu 20.10 machine) which are not affected by this issue. That's why I tagged it as Snap-specific.

Today, I've finally found a solution to the certificate problem on my email server (which of course was the goal all along) so I returned to the Snap version on my Ubuntu LTS machine (to be able to use the most recent version of TB). Now, the "Add Security Exception" window is not blocking my anymore.

Sorry I can't bring more help to solve this problem but I hope this will help others to deal with it.

So, I don't think we should close this ticket because bypassing the security warning is still a useful temporary solution for end users which shouldn't be blamed for servers problems that can sometimes occur but as far as I'm concerned I can now move on.

Revision history for this message
launcher of pad's (321launch) wrote : Re: [Bug 1904789] Re: [snap] Cannot confirm security exception for invalid certificate

i stoped using the snap version and all is well again

On 18/12/2020 16:31, Johan wrote:
> I understand that it's particularly difficult to reproduce the bug
> because it requires a mail server with a certificate problem. Since it
> was blocking me, I temporarily dealt with this by not using the Snap
> version of TB and returning to the versions from the official Ubuntu PPA
> (in my case TB 68.10.0 on my Ubuntu 20.04.1 LTS machine and TB 78.3.2 on
> my Ubuntu 20.10 machine) which are not affected by this issue. That's
> why I tagged it as Snap-specific.
>
> Today, I've finally found a solution to the certificate problem on my
> email server (which of course was the goal all along) so I returned to
> the Snap version on my Ubuntu LTS machine (to be able to use the most
> recent version of TB). Now, the "Add Security Exception" window is not
> blocking my anymore.
>
> Sorry I can't bring more help to solve this problem but I hope this will
> help others to deal with it.
>
> So, I don't think we should close this ticket because bypassing the
> security warning is still a useful temporary solution for end users
> which shouldn't be blamed for servers problems that can sometimes occur
> but as far as I'm concerned I can now move on.
>

Revision history for this message
launcher of pad's (321launch) wrote :

like a boomerang I found myself ending up again with 78.7.1 (64bit) Thunderbird.

The issue still remains :(

Is there a workaround yet?

Can I set a breakpoint perhaps in the offending code and then tweak the local variables in such a way to get it working? I know how to debug with the dev tools. I just do not know yet where to look.

If you guys help me get going I'll post the workaround steps here and then report it on bugzilla

Revision history for this message
launcher of pad's (321launch) wrote :

how do I set a breakpoint early in the call stack?

Uncaught
Exception { name: "NS_ERROR_FAILURE", message: "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIURI.port]", result: 2147500037, filename: "chrome://pippki/content/exceptionDialog.js", lineNumber: 156, columnNumber: 0, data: null, stack: "getURI@chrome://pippki/content/exceptionDialog.js:156:7\naddException@chrome://pippki/content/exceptionDialog.js:386:13\n_fireButtonEvent@chrome://global/content/elements/dialog.js:487:19\n_doButtonCommand@chrome://global/content/elements/dialog.js:466:29\n_handleButtonCommand@chrome://global/content/elements/dialog.js:460:19\nInformUserOfCertError@chrome://messenger/content/mailWindow.js:685:10\nOnStopRunningUrl@chrome://messenger/content/mailWindowOverlay.js:2940:30\n", location: XPCWrappedNative_NoHelper }
exceptionDialog.js:156
    getURI chrome://pippki/content/exceptionDialog.js:156
    addException chrome://pippki/content/exceptionDialog.js:386
    _fireButtonEvent chrome://global/content/elements/dialog.js:487
    _doButtonCommand chrome://global/content/elements/dialog.js:466
    _handleButtonCommand chrome://global/content/elements/dialog.js:460
    _handleButtonCommand self-hosted:844
    InformUserOfCertError chrome://messenger/content/mailWindow.js:685
    OnStopRunningUrl chrome://messenger/content/mailWindowOverlay.

Revision history for this message
launcher of pad's (321launch) wrote :

never mind, am now in the debugger with the offending piece of code.

if I can figure this out in 20 minutes then great. otherwise I will give up

Revision history for this message
launcher of pad's (321launch) wrote :

chrome://pippki/content/exceptionDialog.js
line 156
  if (uri.port == -1) { //offending line. url.port == undefined
    mutator.setPort(443);
  }

how do I change the source code to just not do this if statement?

Revision history for this message
launcher of pad's (321launch) wrote :

nah I am giving up. this debugger is not working as expected.
also this code is riddled with exceptions.

uninstalling and going back to better times

Revision history for this message
Francisco Robles Martín (froblesmartin) wrote :

Same issue here. I end up downloading the tar.bz2 package with the latest version and installing it myself. Will keep an eye to move back to snap once this is fixed :(

Revision history for this message
Phil (mirus.animus) wrote :

Same here, cannot use the snap version because of this :/

Revision history for this message
Gerhard Aigner (gerhard-aigner) wrote :

Same here. I defended Snaps in the past, but they are really getting in my way...

Revision history for this message
Sebastien Bacher (seb128) wrote :

There is a similar error mentioned on https://bugzilla.mozilla.org/show_bug.cgi?id=1693244 but not conclusion

Revision history for this message
frank plowright (frankplowright) wrote :

Apologies if this isn't the right place to post. I'm new to Ubuntu, and couldn't find anything recent that addresses my problem via a search of help topics.

As of this morning I can't access Thunderbird due to a box asking me to add a security exception as my mail server is attempting to identify itself with invalid information. The box to add an exception comes pre-ticked, but when I click on the 'Confirm Security Exception' button the box just remains. There are solutions available elsewhere, but they're all dependent on my being able to get into Thunderbird and change settings, and the presence of the box won't let me access the settings.

Is there a way around this. Please bear in mind I'm new to Ubuntu and have little experience in coding.

Revision history for this message
frank plowright (frankplowright) wrote :

After not being able to get into Thunderbird all day yesterday, this morning everything is fine. I'm not sure what happened, but I'm glad it seems to have fixed itself, and hope it doesn't happen again.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.