Help us to make our product better
photo

NON

shared this problem
1 year ago

Employees Involved

photo

Ivan Masopust

avast! Team

photo

vojtech

avast! Team

Statistics

9
Comments
1392
Views

Relates to

Share

284
votes

Mail Shield related SSL eror (unable to get local issuer certificate)

With Mail shield's "Scan SSL connections" enabled, I got this error (unable to get local issuer certificate) and cannot send/receive e-mails.

If I disable "Verify server certificate" in mail software settings, I can send/receive normally.

Official Answer
photo Employee
Ivan Masopust Posted 1 year ago

Hello,

the Mail Shiled stores its Root certificate to the Windows cetificate store which is used by most mail clients. Some mail clients (e.g. Thunderbird) use its own certificate store which needs additional handling.

Currently we handle Thunderbird so it should work automatically. If Thunderbird is running when the certificate is added, a message is displayed that you should restart Thunderbird. Unfortunately this message is empty in the pre-beta version. Please check if the certificate is in your Thunderbird store (Tools->Options->Advanced tab->Certificates tab->View Certificates->Authorities tab).

Other mail clients that have its own certificate store will need manual configuration:

1) Run Certmgr.msc, go to Trusted Root Certification Authorities and find "avast! Mail Scanner Root" certificate and export it to a file

2) Go to the mail client's certificate store and import that certificate

Add Comment

Comments (9)

photo
80

Hello IvanM,

I'm using Windows 7 SP1 32bit, GMail account.

My mail software is a minor one, called nPop, so I didn't use Outlook.

FYI, I got similar error (need to add security exception) in Thunderbird, saying certificate is unknown.

It says certificate is created by "avast! Mail Scanner Root".

Hope this helps.

photo Employee
89

Hello,

the Mail Shiled stores its Root certificate to the Windows cetificate store which is used by most mail clients. Some mail clients (e.g. Thunderbird) use its own certificate store which needs additional handling.

Currently we handle Thunderbird so it should work automatically. If Thunderbird is running when the certificate is added, a message is displayed that you should restart Thunderbird. Unfortunately this message is empty in the pre-beta version. Please check if the certificate is in your Thunderbird store (Tools->Options->Advanced tab->Certificates tab->View Certificates->Authorities tab).

Other mail clients that have its own certificate store will need manual configuration:

1) Run Certmgr.msc, go to Trusted Root Certification Authorities and find "avast! Mail Scanner Root" certificate and export it to a file

2) Go to the mail client's certificate store and import that certificate

photo
231

Thanks vojtech, now it works with both mail client. :)

Thunderbird has avast! certificate in its store.I added avast! certificate into nPop and it works like a charm.

photo
86

avast! Mail scanner root is not available in my certificates in CertMgr..

What to do?

reinstall avast?

I'm not running as an "admin" by default..

photo
43

i have same problem

photo
46

ak4d3a wrote:

i have same problem

photo
39

I have same problem too, been fine for years, Avast do update, mail no longer works.

photo
46

vojtech wrote:

Some mail clients (e.g. Thunderbird) use its own certificate store which needs additional handling.

Currently we handle Thunderbird so it should work automatically.

This seems only correct, if avast is installed after TB.

If TB is installed/configured later, which should be the preferred order, it doesn't work at me, and caused a data loss -> https://bugzilla.mozilla.org/show_bug.cgi?id=878764

Suggestion:

avast mail shield should check/update SSL-certificate in TB-profile on each start and on fail, it should ask the user what to do?

Even better:

Each time, before passing SSL-encrypted emails to TB, it should check SSL-certificate in TB-profile, and update it upon user acknowledge.

Please also follow:

http://forum.avast.com/index.php?topic=126530.0

photo
2

I got the same error message and exported the avast! certificate MailShield.der, but now I cannot find a way how to import it to Outlook. I looked in Tools/TrustCenter/Trusted Editors, there are some certificates listed but no way to import others. How can I import the avast! certificate into Outlook 2007?

The only thing that I can import are digital IDs, but there the extensions are different (not "der") and a password is required, so this does not appear to be the right place.

What I did: I installed the certificate by doublé clicking on it, but it does not show up in the Outlook Trust Center even after restarting Outlook.

Leave Comment

photo

Attach files...

The file must be a jpg, gif, png, bmp, ico, pdf, doc, rtf, txt, zip or rar no more than 2M