TheBat Voyager and Sectigo AddTrust External CA Root certificate issue, expired certificate issue
 
Hello. I can't check mail over TLS from one of my providers due to the expiration of the Sectigo AddTrust External CA Root.
I am a user of Voyager version 6.8.4.1 (I know it is quite an old version, but it worked until now without many issues).
The provider's certificate is valid till March 2021, but when I try to check for new mail or send mail I get (sorry for the local names):

>2020-06-22, 17:14:16: FETCH - Wystawca: "GB", "Greater Manchester", "Salford", "Sectigo Limited", "Sectigo RSA Domain Validation Secure Server CA". Ważny od 2018-11-02 do 2030-12-31 23:59:59.
>2020-06-22, 17:14:16: FETCH - Wystawca: "US", "New Jersey", "Jersey City", "The USERTRUST Network", "USERTrust RSA Certification Authority". Ważny od 2000-05-30 10:48:38 do 2020-05-30 10:48:38.
>2020-06-22, 17:14:16: FETCH - Główny: "SE", "AddTrust AB", "AddTrust External TTP Network", "AddTrust External CA Root" Ważny od 2000-05-30 10:48:38 do 2020-05-30 10:48:38. Ten certyfikat wygasł!
!2020-06-22, 17:14:16: FETCH - Błąd fazy potwierdzania TLS: Nieważny certyfikat serwera (Ten certyfikat wygasł).

Steps I took:
I have installed a new set of Sectigo AAA cross certificates in Windows 7:
AAACertificateServices.crt, SSLcomDVCA_2.crt, USERTrustRSAAAACA.crt, and removed the expired AddTrust External CA Root and USERTrust RSA Certification Authority.
It didn't change the outcome.
Then I removed RootCA.EBD and IntermCA.EBD as some forum user suggested, and the outcome is now:

>2020-06-22, 17:22:18: FETCH - Wystawca: "GB", "Greater Manchester", "Salford", "Sectigo Limited", "Sectigo RSA Domain Validation Secure Server CA". Ważny od 2018-11-02 do 2030-12-31 23:59:59.
>2020-06-22, 17:22:18: FETCH - Wystawca: "US", "New Jersey", "Jersey City", "The USERTRUST Network", "USERTrust RSA Certification Authority". Ważny od 2000-05-30 10:48:38 do 2020-05-30 10:48:38. Ten certyfikat wygasł!
>2020-06-22, 17:22:18: FETCH - Brak wydawcy: "SE", "AddTrust AB", "AddTrust External TTP Network", "AddTrust External CA Root".
!2020-06-22, 17:22:18: FETCH - Błąd fazy potwierdzania TLS: Nieważny certyfikat serwera (Ten certyfikat wygasł).

TheBat is still trying to go by the old "AddTrust External CA Root" and "USERTrust RSA Certification Authority" even though I have removed them from the system.
Is TheBat unable to take an alternative chain path? Is it TheBat's fault, or the mail provider's fault for pointing to such a chain to verify?
 
Quote
I have installed a new set of Sectigo AAA cross certificates in Windows 7:

The Bat / Voyager, by default, use their own certificate store. The certificates are stored in the Address Book, where you can import certificates too (in the address book, use View | Certificate Address Books to see them).

Certificates stored in Windows itself will only be used if you go to Options | S/MIME and TLS and choose to use the Microsoft CryptoAPI instead of The Bat's own certificate store.

Quote
TheBat is still trying to go by the old "AddTrust External CA Root" and "USERTrust RSA Certification Authority" even though I have removed them from the system.
Is TheBat unable to take an alternative chain path? Is it TheBat's fault, or the mail provider's fault for pointing to such a chain to verify?

The certificate itself dictates against which higher-level certificate it must be verified. If that parent certificate is missing, or has expired, nothing can be done.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Thank you very much. The S/MIME and TLS option worked. But can I somehow fill the inner base of TB with these certificates from crt files?
When I try to import a crt in the address book, TB displays that there is nothing to import. I can manually add new entries and attach certificates to them, but even if they are in the address book, I still can't fetch mail - the error is the same.

EDIT:
I don't know if I did it correctly, but for
Główny: "SE", "AddTrust AB", "AddTrust External TTP Network", "AddTrust External CA Root" - I have attached the updated AAA Sectigo certificate (without removing the old one), and for Wystawca: "US", "New Jersey", "Jersey City", "The USERTRUST Network", "USERTrust RSA Certification Authority" I have attached USERTrustRSAAAACA. Now TB is able to fetch mail.
Edited: Krzysztof Jachowicz - 23 June 2020 00:18:03 (Further modifications)
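
A small model of the "alternative chain path" question raised in this thread, as an added example that is not part of the original posts and not The Bat's own algorithm. It contrasts a validator that follows only the first issuer it finds by name with one that tries every candidate. Assumptions: issuers are matched by name only, the leaf name `mail.example.test` is hypothetical, and the validity dates of the leaf and the AAA entries are constructed for illustration; the other dates are taken from the log lines above.

```python
from dataclasses import dataclass
from datetime import datetime as D

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: D
    not_after: D

def build_path(cert, pool, anchors, when, backtrack=True, seen=frozenset()):
    """Return the chain from `cert` to a trusted anchor, all valid at `when`, or None."""
    if cert in seen or not (cert.not_before <= when <= cert.not_after):
        return None  # loop in the graph, or certificate outside its validity window
    if cert in anchors:
        return [cert]
    # Simplification: real validators also compare key identifiers and verify signatures.
    candidates = [c for c in pool + anchors if c.subject == cert.issuer]
    for parent in candidates if backtrack else candidates[:1]:
        rest = build_path(parent, pool, anchors, when, backtrack, seen | {cert})
        if rest:
            return [cert] + rest
    return None

ADDTRUST = "AddTrust External CA Root"
USERTRUST = "USERTrust RSA Certification Authority"
SECTIGO_DV = "Sectigo RSA Domain Validation Secure Server CA"
AAA = "AAA Certificate Services"
# Validity windows as shown in the thread's log lines.
addtrust_root = Cert(ADDTRUST, ADDTRUST, D(2000, 5, 30, 10, 48, 38), D(2020, 5, 30, 10, 48, 38))
usertrust_old = Cert(USERTRUST, ADDTRUST, D(2000, 5, 30, 10, 48, 38), D(2020, 5, 30, 10, 48, 38))
sectigo_dv = Cert(SECTIGO_DV, USERTRUST, D(2018, 11, 2), D(2030, 12, 31, 23, 59, 59))
# Constructed validity windows (not from the page).
aaa_root = Cert(AAA, AAA, D(2004, 1, 1), D(2028, 12, 31, 23, 59, 59))
usertrust_new = Cert(USERTRUST, AAA, D(2019, 3, 12), D(2028, 12, 31, 23, 59, 59))
leaf = Cert("mail.example.test", SECTIGO_DV, D(2019, 3, 1), D(2021, 3, 1))
WHEN = D(2020, 6, 22, 17, 14, 16)  # time of the first failed FETCH in the log

def scenarios():
    old, new = [sectigo_dv, usertrust_old], [sectigo_dv, usertrust_old, usertrust_new]
    roots = [addtrust_root, aaa_root]
    return {
        "old store": build_path(leaf, old, [addtrust_root], WHEN),
        "AAA added, first match only": build_path(leaf, new, roots, WHEN, backtrack=False),
        "AAA added, backtracking": build_path(leaf, new, roots, WHEN),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        print(name, "->", [c.subject for c in path] if path else "no valid path")
```

Only the backtracking run reaches a trusted root, through the AAA cross-certificate, even though the expired entries are still in the store.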