New AIS 8 and SSL scanning

Hello,

After upgrading to version 8 my email client started to show certificate errors when using SSL-enabled mail servers, like this:

02.03.2013, 12:01:23: FETCH - Connecting to POP3 server pop.gmail.com on port 995
02.03.2013, 12:01:23: FETCH - Initiating TLS handshake

02.03.2013, 12:01:23: FETCH - Certificate S/N: 3B7494C80000000068A7, algorithm: RSA (2048 bits), issued from 9/12/2012 11:57:23 AM to 6/7/2013 7:43:27 PM, for 1 host(s): pop.gmail.com.
02.03.2013, 12:01:23: FETCH - Owner: US, California, Mountain View, Google Inc, pop.gmail.com.
02.03.2013, 12:01:23: FETCH - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!02.03.2013, 12:01:23: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).

Unfortunately, the email client I use, TheBat!, has no ‘Always trust this’ option for this case.

Please advise.

Some system info:
Win 7 x64 Enterprise
AIS 8.0.1482
TheBat! v.5.2.2

Best regards - Serge.
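
Added example (not part of the thread, and not avast! or The Bat! code): a Python sketch that parses the log lines quoted in the post above and reports whether the certificate shown to the mail client was issued by a local SSL-scanning root and whether the client rejected it. The marker strings are assumptions taken from the Issuer line in that log, and the function names are hypothetical.

```python
import re

# Log lines copied from the post above (The Bat! FETCH log).
SAMPLE_LOG = """\
02.03.2013, 12:01:23: FETCH - Connecting to POP3 server pop.gmail.com on port 995
02.03.2013, 12:01:23: FETCH - Initiating TLS handshake
02.03.2013, 12:01:23: FETCH - Certificate S/N: 3B7494C80000000068A7, algorithm: RSA (2048 bits), issued from 9/12/2012 11:57:23 AM to 6/7/2013 7:43:27 PM, for 1 host(s): pop.gmail.com.
02.03.2013, 12:01:23: FETCH - Owner: US, California, Mountain View, Google Inc, pop.gmail.com.
02.03.2013, 12:01:23: FETCH - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!02.03.2013, 12:01:23: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).
"""

LINE = re.compile(r"^(!?)\d\d\.\d\d\.\d{4}, \d\d:\d\d:\d\d: \w+ - (.*)$")
CONNECT = re.compile(r"Connecting to \w+ server (\S+) on port (\d+)")
# Assumption: substrings of the Issuer line above that identify a locally generated scanning root.
LOCAL_ROOT_MARKERS = ("for ssl scanning", "mail scanner root")

def parse_sessions(text):
    """Group log lines into one dict per connection attempt."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        is_error, msg = m.groups()
        c = CONNECT.match(msg)
        if c:
            cur = {"server": c.group(1), "port": int(c.group(2)),
                   "owner": None, "issuer": None, "error": None}
            sessions.append(cur)
        elif cur is None:
            continue
        elif msg.startswith(("Owner: ", "Issuer: ")):
            key, value = msg.split(": ", 1)
            cur[key.lower()] = value.rstrip(".")
        elif is_error:  # lines prefixed with "!" carry the failure reason
            cur["error"] = msg
    return sessions

def classify(session):
    """Report whether a local scanning root issued the certificate and whether the client rejected it."""
    issuer = (session["issuer"] or "").lower()
    local_root = any(marker in issuer for marker in LOCAL_ROOT_MARKERS)
    rejected = "issuer of this certificate chain was not found" in (session["error"] or "")
    if local_root:
        return "interception-root-rejected" if rejected else "interception-root-accepted"
    return "unknown-issuer" if rejected else "ok"

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["server"], s["port"], classify(s), "| issuer:", s["issuer"])
```
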

Hello,
I have the same problem! I asked support for help but they suggested reinstalling avast. I haven’t done that yet because I guess that cannot resolve the problem. I have been using avast 7 for a whole year and SSL scanning worked perfectly.

Best regards.

Hello sanders,

So do I. Everything worked fine in version 7; now with version 8 only turning off SSL scanning helps to prevent getting error messages.

Kind regards,

I had the same issue. I deleted the certificates within Thunderbird for all my mail servers, including IMAP, closed Thunderbird and then restarted. All appears to be working well with SSL scanning enabled within Avast! Check out this article for how to delete the certificates. Strangely, those certificates were grouped under an Avast! header.

http://support.appstate.edu/answers/certificate-error-thunderbird

Here is the solution to the problem: https://feedback.avast.com/responses/mail-shield-related-ssl-eror-unable-to-get-local-issuer-certificate

Yes, it used to work for 7.X

I see no Avast certificate installed in my system. Perhaps this is the cause of the problem (btw, solutions for Thunderbird will not work for me, I don’t use Thunderbird :P). Quite probably it will appear after I reinstall AIS cleanly, will try later.

Best regards - Serge.

The above solution worked under avast! v8.XX for me too.

It seems that you have no choice :wink:

Hello,
I tried to reinstall AIS (with aswclear.exe)… Unfortunately without effect for SSL and TheBat! :cry:

Does this mean you see the AVAST’s certificate installed in your system when using the certmgr.msc snap-in?

Actually I do :wink: I use two ssl-enabled mail servers, gmail and a corporate one. I trust the antivirus protection on both so currently the “check SSL” option is disabled.

Best regards - Serge.

Yes, it does. I exported the certificate from the certmgr.msc snap-in and imported it into The Bat! successfully. There are no more annoying messages and SSL mail checking works well.

Hello sanders,

After following the above instructions, did you try to import the “avast! Mail Scanner Root” certificate into the address book of TheBat!?

Cordially,

The above solution helped me twice already. Here are two screenshots. Sorry for Russian.

This is AVAST’s certificate in the certmgr.msc snap-in:

http://savepic.ru/4251045m.jpg

This is the same certificate imported to The Bat!:

http://savepic.ru/4237733m.jpg

So we are getting to the bottom of it :slight_smile: Thanks everyone :slight_smile:
It is necessary to have the certificate, which was not installed into my system for some reason (and in the worst case it will never be installed by the installer).
It would be great if Avast team could make it publicly downloadable.

Best regards - Serge.

Well, I am not sure but it can be unique for each installation.

I can’t find the avast certificate in system storage, so I don’t import that certificate into the TheBat! storage.

Hi Serge,

Do you mean you have installed an “invalid” avast certificate in your system before?

Please could you describe step by step what you did to fix the issue?
Thanks.

Hi sanders,

Not sure. I used to use 7.x and have upgraded to 8 using its own program update facility, not the exe installer. I don’t know if 7.x uses an installed certificate to handle SSL, I just had no problems with it and never looked into the certificate store.

Unfortunately it is not fixed yet as this currently is not a real security issue for me. I’m going to try installing it cleanly.

Btw, I don’t think the certificate is unique for each installation. To be trusted by Windows by default it has to be issued and signed by a trusted certification authority, you cannot generate certificates yourself, that is the key point of certification.

Best regards - Serge.

The certificate that we are talking about here is a certificate authority root (CA root) one. Anybody can generate one: http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/ Windows trusts it if it is added to the certmgr.msc snap-in. This is the root of the problem. The Bat!/Thunderbird thinks that the SSL connection is not secure because it cannot find the appropriate CA root certificate which is used to sign the SMTP/POP3/IMAP certificate.

Hello,
the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.

Yes, it is unique for each installation.

Vojtech, the Mail shield is running in my avast 8 but the Mail shield root certificate is not in the Windows certificate store.
I updated avast 7 to avast 8 (automatic update, without reinstall) - the problem occurred. And the problem remained after I uninstalled avast with aswclear.exe and installed avast 8 again.
In all cases the Mail shield root certificate is absent from the Windows certificate store.