Root Certificate - says expired and is not
Reported by FlyboyArt | February 12th, 2019 @ 03:45 AM
I used the ProtonMail bridge application to connect to the ProtonMail server. The Bridge has been working fine for a year and now I get a message each time I start MailMate claiming the root certificate is "not trusted". However, this is not true: the certificate was renewed on 06-Feb-2019 and is good for a year (see attached image file).
Can you find out why MailMate is reporting the certificate is "not trusted"?
Thanks, Art
Comments and changes to this ticket
-
benny February 12th, 2019 @ 10:09 AM
- State changed from new to resolved
In short, you have to explicitly trust the certificate.
Note that MailMate is not claiming the certificate expired. It is telling you that it cannot verify the certificate received from 127.0.0.1. I first thought this would make sense if the common name used in the certificate was some IMAP hostname, but it isn't. It's actually 127.0.0.1. But MailMate is also not claiming a mismatch in the hostname.
It appears the certificate is quite new (not valid until after February 6th 2019), so my guess is that something has recently changed with the bridge certificate or the same thing happened a year ago and you told macOS to trust the certificate.
It makes sense that the system (macOS) is not, by default, set up to trust a ProtonMail root certificate on 127.0.0.1 since ProtonMail does not “own” that IP address. I'm not an expert on these issues and I'm not sure what would be a better solution. My guess is that it would be better if ProtonMail used a real server address as the Common Name of the certificate and then used a properly verified certificate. This would allow me to introduce a setting which would make MailMate compare the certificate with the “real” server name instead of 127.0.0.1. It would be a somewhat confusing setting, but it could, e.g., just appear when using 127.0.0.1 or localhost in the IMAP/SMTP settings.
Do let me know if you find anything indicating that MailMate is doing something wrong.
(I assume, by the way, that you would get a similar error from other desktop email clients.)
-
FlyboyArt February 12th, 2019 @ 10:29 AM
Hi Benny, You're correct. I checked the instructions for hooking AppleMail up to PM Bridge and they have a step that tells users to accept the certificate warning (see image in attached file). So, I must have done this a year ago and couldn't remember for this time. Sorry to trouble you with something so trivial!!
BTW, I still do (and always have had) a problem with PM Bridge and MailMate with the Drafts folder. For some reason, PM does not allow you to have a Drafts folder on their server and suggests you create one locally; however, MM doesn't appear to allow me to create one locally. Any way to accomplish this?
Many thanks for a great program and great support!
Art
-
benny February 12th, 2019 @ 10:43 AM
You can use “Mailbox ▸ New IMAP Mailbox” to create a mailbox in the account and then use “Mailbox ▸ Take Offline” to take it offline. Finally, if needed, use “Mailbox ▸ Mailbox Type” to make sure it is used for drafts.
A Drafts folder cannot work with ProtonMail because it would mean that non-encrypted (unfinished) emails could be uploaded to the server.
-
FlyboyArt February 12th, 2019 @ 10:49 AM
- Tag changed from certificate security to certificate security, protonmail
Works like a champ Benny! Actually, a folder was created in MM already but has always sported the 'failed' tag in its title. I just right-clicked on it and took it offline. It was already of Type 'drafts'. I created a test message in my PM account and saved it. Voila, it's in the drafts folder under my PM account.
Fantastic!
-
FlyboyArt February 14th, 2019 @ 05:10 PM
- Tag changed from certificate security to certificate security, protonmail
I contacted ProtonMail and got this response back (just for additional information, no action item):
Hi Art,
Thanks for the message, sorry for the delay.
With the latest version for the Bridge app (1.1.1), we've improved the certificate generation. So with it, you shouldn't experience issues with the certificate anymore.
Since the Bridge app operates on localhost, it is expected to trust (enable) the certificate.
When you're prompted for this, can you accept the certificate and let us know if the issue will persist?
Best Regards,
The ProtonMail Team