Problem with TheBat! and certificate when using POP3/TLS
 
Hello everyone.

My TheBat! client worked fine for years until last Saturday, when the provider updated some certificates on their server.
Now I am getting the following error when trying to query my mailbox:
Quote
2020.06.03, 22:09:11: FETCH - receiving mail messages
2020.06.03, 22:09:11: FETCH - Connecting to POP3 server mail.inbox.lt on port 995
2020.06.03, 22:09:11: FETCH - Initiating TLS handshake
>2020.06.03, 22:09:11: FETCH - Certificate S/N: 284577BEA174C1BBC0EA4FDD3122C1BE, algorithm: RSA (2048 bits), issued from 6/1/2020 to 9/3/2022, for 2 host(s): mail.inbox.lt, www.mail.inbox.lt.
>2020.06.03, 22:09:11: FETCH - Owner: mail.inbox.lt.
>2020.06.03, 22:09:11: FETCH - Issuer: GB, Greater Manchester, Salford, Sectigo Limited, Sectigo RSA Domain Validation Secure Server CA.
>2020.06.03, 22:09:11: FETCH - Issuer: US, New Jersey, Jersey City, The USERTRUST Network, USERTrust RSA Certification Authority.
!2020.06.03, 22:09:11: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).

The mailbox provider's support is totally useless. At first, they denied having changed anything in their system, then when I bolded the new certificate issue date, they simply stopped responding at all.

Could someone please help me figure out this issue?

Thank you!
 
I can only say what I would try - I'm not a security specialist :)

To me it looks like you need a root certificate for 'USERTrust RSA Certification Authority'.

It could be that one is already present in your version of Windows. If so, you could go to Options | S/Mime and TLS and use the top-most option to switch from the internal certificate depository to Windows' CryptoAPI. Maybe that will solve it.

It could also be that you are using a very old version of The Bat and that upgrading to a current release would solve the problem.

Or, you can look for that certificate on the internet and manually add it to your address book (which also holds certificates).

I think I found a copy of that certificate here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO

(look for a line that says "[Download] SHA-2 Root : USERTrust RSA Certification Authority")

I would download that certificate and import it into the address book of The Bat. Importing goes like this:

Open the Address Book
Go to Menu: View | Certificate Address Books
Right-click on the Root Certificates group and choose New Contact
Go to tab 'Certificates' and import your certificate.

(If that does not solve it, I would delete the certificate from the address book again, just to be sure).
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Same issue but with Gmail, Bat 9.1.18
Code
>5.06.20, 11:46:06: FETCH - Certificate S/N: 5E73E37A237B94E408000000003EBF0F, algorithm: ECC (256 bits), issued from 5/5/2020 8:36:14 AM to 7/28/2020 8:36:14 AM, for 1 host(s): pop.gmail.com.
>5.06.20, 11:46:06: FETCH - Owner: "US", "California", "Mountain View", "Google LLC", "pop.gmail.com".
>5.06.20, 11:46:06: FETCH - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM. The issuer of this certificate chain was not found!
>5.06.20, 11:46:06: FETCH - Missing issuer: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign".
!5.06.20, 11:46:06: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).


Needless to say, the same certificate in the browser version of Gmail works just fine.

Solution:

Winkey+R -> certmgr.msc -> Enter

Go to Trusted Root -> Certificates, find "Google Trust Services - GlobalSign Root CA - R2", double-click, then "Copy to file" and export as X.509 DER
Then import via Address Book as mentioned above
Edited: Digika Yandexovna - 05 June 2020 21:28:21
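
The certmgr.msc export described in the post above can also be done from PowerShell, with a few checks on the root before it is imported into The Bat!'s own store. This is an added example, not part of the original thread; the parameter names `$CaName` and `$OutFile` and the output path are assumptions, and `$CaName` should be set to the CA named in the log's "Missing issuer" line (or the last "Issuer" line).

```powershell
# Added example: find a root CA in the Windows Trusted Root store, check it, export it as DER.
param(
    [string]$CaName  = 'GlobalSign Root CA - R2',   # CA name taken from the log in this thread
    [string]$OutFile = "$env:TEMP\root-ca.cer"      # hypothetical output path
)

# Search both the machine-wide and the per-user Trusted Root stores.
$found = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$CaName*" } |
    Sort-Object -Property Thumbprint -Unique

if (-not $found) {
    Write-Error "No trusted root matching '$CaName' was found in the Windows store."
    return
}

# Show every candidate so a look-alike name does not go unnoticed.
$now = Get-Date
$found | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        SelfSigned = ($_.Subject -eq $_.Issuer)      # a root certificate is its own issuer
        InValidity = ($now -ge $_.NotBefore -and $now -le $_.NotAfter)
        NotAfter   = $_.NotAfter
        SHA1       = $_.Thumbprint
    }
} | Format-List

# Export only a certificate that is self-signed and currently valid.
$root = $found |
    Where-Object { $_.Subject -eq $_.Issuer -and $now -ge $_.NotBefore -and $now -le $_.NotAfter } |
    Select-Object -First 1

if (-not $root) {
    Write-Error "Matches were found, but none is a self-signed root inside its validity period."
    return
}

# -Type CERT writes a DER-encoded X.509 file, the format used for the Address Book import.
Export-Certificate -Cert $root -FilePath $OutFile -Type CERT | Out-Null

# The SHA-256 of the DER file is the certificate's SHA-256 fingerprint.
# Compare it with the fingerprint the CA publishes before importing the file.
"Exported to $OutFile"
"SHA-256: " + (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
```

The same fingerprint comparison applies to a root downloaded from a web page: run `Get-FileHash` on the downloaded DER file before adding it to the Root Certificates group.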