Help us to make our product better
photo

NON

shared this problem
1 year ago

Employees Involved

photo

Ivan Masopust

avast! Team

photo

vojtech

avast! Team

Statistics

8
Comments
1392
Views

Relates to

Share

281
votes

Mail Shield related SSL eror (unable to get local issuer certificate)

With Mail shield's "Scan SSL connections" enabled, I got this error (unable to get local issuer certificate) and cannot send/receive e-mails.

If I disable "Verify server certificate" in mail software settings, I can send/receive normally.

Official Answer
photo Employee
Ivan Masopust Posted 1 year ago

Hello,

the Mail Shiled stores its Root certificate to the Windows cetificate store which is used by most mail clients. Some mail clients (e.g. Thunderbird) use its own certificate store which needs additional handling.

Currently we handle Thunderbird so it should work automatically. If Thunderbird is running when the certificate is added, a message is displayed that you should restart Thunderbird. Unfortunately this message is empty in the pre-beta version. Please check if the certificate is in your Thunderbird store (Tools->Options->Advanced tab->Certificates tab->View Certificates->Authorities tab).

Other mail clients that have its own certificate store will need manual configuration:

1) Run Certmgr.msc, go to Trusted Root Certification Authorities and find "avast! Mail Scanner Root" certificate and export it to a file

2) Go to the mail client's certificate store and import that certificate

Add Comment

Comments (8)

photo
77

Hello IvanM,

I'm using Windows 7 SP1 32bit, GMail account.

My mail software is a minor one, called nPop, so I didn't use Outlook.

FYI, I got similar error (need to add security exception) in Thunderbird, saying certificate is unknown.

It says certificate is created by "avast! Mail Scanner Root".

Hope this helps.

photo Employee
88

Hello,

the Mail Shiled stores its Root certificate to the Windows cetificate store which is used by most mail clients. Some mail clients (e.g. Thunderbird) use its own certificate store which needs additional handling.

Currently we handle Thunderbird so it should work automatically. If Thunderbird is running when the certificate is added, a message is displayed that you should restart Thunderbird. Unfortunately this message is empty in the pre-beta version. Please check if the certificate is in your Thunderbird store (Tools->Options->Advanced tab->Certificates tab->View Certificates->Authorities tab).

Other mail clients that have its own certificate store will need manual configuration:

1) Run Certmgr.msc, go to Trusted Root Certification Authorities and find "avast! Mail Scanner Root" certificate and export it to a file

2) Go to the mail client's certificate store and import that certificate

photo
231

Thanks vojtech, now it works with both mail client. :)

Thunderbird has avast! certificate in its store.I added avast! certificate into nPop and it works like a charm.

photo
85

avast! Mail scanner root is not available in my certificates in CertMgr..

What to do?

reinstall avast?

I'm not running as an "admin" by default..

photo
41

i have same problem

photo
46

ak4d3a wrote:

i have same problem

photo
39

I have same problem too, been fine for years, Avast do update, mail no longer works.

photo
45

vojtech wrote:

Some mail clients (e.g. Thunderbird) use its own certificate store which needs additional handling.

Currently we handle Thunderbird so it should work automatically.

This seems only correct, if avast is installed after TB.

If TB is installed/configured later, which should be the preferred order, it doesn't work at me, and caused a data loss -> https://bugzilla.mozilla.org/show_bug.cgi?id=878764

Suggestion:

avast mail shield should check/update SSL-certificate in TB-profile on each start and on fail, it should ask the user what to do?

Even better:

Each time, before passing SSL-encrypted emails to TB, it should check SSL-certificate in TB-profile, and update it upon user acknowledge.

Please also follow:

http://forum.avast.com/index.php?topic=126530.0

Leave Comment

photo

Attach files...

The file must be a jpg, gif, png, bmp, ico, pdf, doc, rtf, txt, zip or rar no more than 2M