[Mourvedre]

Hello,
For several years, I've been using Thunderbird on different PCs with a personal certificate issued by CACert to sign my e-mails. This worked perfectly.

I am now trying to use Thunderbird 52.8.0 on a W10 pro 1709 machine.
On this PC, I encounter a curious problem: from the TB options, I install the CACert root certificates, give them the "trust" necessary for email signing, and then install my own certificates. Everything works very well and my mails are correctly signed.

If I close TB and restart it 3 min after, everything is gone: my certificates and the root certificates from CACert! I just have to start again all the job...

I checked the Appdata directory and its subdirectories, to make sure there were no authorizations issues and that everyone had write access. It's OK, but I don't know what to do now!

If anyone has an idea, I will be very grateful.
Thank you in advance for your help.

[tanstaafl]

Are you using it for a S/MIME digital signature?
Did you "For both certificates, select "Trust this CA to identify websites" and "Trust this CA to identify email users."?
Afterwards did you "select the "Root CA" "CA Cert Signing Authority". Check that the certificate has been verified as "Email signer certificate", "Email Recipient certificate" and "Status responder certificate"." ?

I'm wondering if you skipped a step so that the trust was only stored in memory (and lost when you restarted).

http://wiki.cacert.org/FAQ#Certificate_related_problems
http://wiki.cacert.org/ThunderBird

[Mourvedre]

Hello! Sorry for the long time to answer, but the site was unreachable these last days...
- Yes, I use it for a S/MIME digital signature.
- Yes, I checked the three boxes of "trust" and checked they were still checked after I closed an reopened the certificate window. By the bye, everything works OK, till I don't close TB!
- Yes, it looks exactly as if it were only stored in memory, but WHY?
I've already had a deep look at CACert WiKis, but in vain...
Thanks.

[tanstaafl]

I don't know why. I've configured S/MIME before, but not for CACert. Have you considered using a Comodo certificate instead so that you don't have to deal with the trust issues?
http://kb.mozillazine.org/Getting_an_SMIME_certificate

[Mourvedre]

OK, I'll try that. But CACert certificates work perfectly on my others PCs! And don't disappear...

[Mourvedre]

Well... I created and installed the Comodo certificate: everything is OK, no need for more, as the authority certificates are already included in TB. I can send signed mails without problem.
But when I close Thunderbird, the next time I reopen it, my certificate is gone! Exactly as for the CACert one!

Do you know WHERE and HOW Thunderbird stores these certificates?
Thanks for your help.

[tanstaafl]

http://kb.mozillazine.org/Files_and_fol ... hunderbird

Certificates are in cert8.db . The key database is in key3.db. You need to treat them as a set. I noticed I also have a key4.db file and a cert9.db file dated 3/18/2018. Since I sometimes have multiple versions on my system (some really old, the current release, plus beta/daily builds) using the same profile its hard for me to figure out who created a file.

[Mourvedre]

The last news:
- Comodo certificates also disappear
- I copied cert8.db & key3.db from another machine where the certificate is installed and doesn't disappear. When I started TB, it didn't mind at all and the certificate was gone!
So, it's probably not a storage problem, since when using "good" certificate files, TB persists in ignoring them...
Any ideas?

[tanstaafl]

Are you using something like ccleaner to clean up profiles?
See if the problem disappears if you use safe mode (help -> restart with add-ons disabled or hold down shift key when clicking on Thunderbird shortcut)

[Mourvedre]

No, I don't use Ccleaner or any other kind of things.
The safe mode didn't solved the problem either. As soon as it started, I checked the certificates: gone!

[makaiguy]

No, I don't use Ccleaner or any other kind of things.
The safe mode didn't solved the problem either. As soon as it started, I checked the certificates: gone!

As a stopgap, what happens if, while TB is loaded, you jump out and set the cert file as read-only?

[tanstaafl]

cert_override.txt is used to store security exceptions and (supposedly) intermediate certificates. https://support.mozilla.org/en-US/questions/1150335 describes a problem with a disappearing certificate with Firefox that was solved by deleting that file. Try deleting it in your Thunderbird profile. Firefox and Thunderbird both use a Mozilla toolkit, so certain components are very similar with both applications.

[Mourvedre]

@tanstaafl: Thanks for your search, but I didn't see any cert_override.txt!

@makaiguy: I "locked" cert8.db and key3.db, closed TB and restarted it. And... it worked! My certs are still there and usable.
While this good idea doesn't explains why this happens, I think it might be a track to help experts explain the whole thing...

Thank you!