You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

💡 Did you know?

⏺ If you can't accept iCloud Terms and Conditions... Learn more >

⏺ If you don't see your iCloud notes in the Notes app... Learn more >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

iOS 13.1 'Cannot verify server identity'

This method https://support.apple.com/en-us/HT204477 is still available in certificate trust settings under iOS 13. However, 'Cannot verify server identity' error is thrown up when adding an Exchange account that uses the trusted root certification authority, unlike in iOS 12. Please help!

Posted on Sep 25, 2019 2:20 AM

Reply
Question marked as Top-ranking reply

Posted on Oct 6, 2019 12:50 PM

Solved this today. Took me several hours on a Sunday evening. Like I had nothing better to do, thank you Apple for that. I wish you would let people connect to their LAN however they want but no, SSL it must be (with all professional-level requirements that is).


My issue: because of new TLS certificate requirements in IOS 13 (https://support.apple.com/en-us/HT210176), my old self-signed certificate was no longer compliant (more than 825 days, no EKU, no SAN).


So, no way around this but to hit the command prompt with openssl.

Turns out you need quite some research to make sure you can enter the EKU and SAN properly.

Here the procedure for those in the #selfhosted community which may be pulling their hairs at the moment:


  • Create an openssl config file - See in "Additional text" the contents of mine (do change values where applicable)


  • Generate a new certificate:

sudo openssl req -config server-selfsigned-CA.cnf -new -x509 -out server-selfsigned-CA.crt


  • Check the certificate results via

openssl x509 -in server-selfsigned-CA.crt -text -noout


  • Import the new self-signed certificate into IOS via (e.g.) download on self-hosted page
    • copy the server-selfsigned-CA.crt file into your http server and rename the extention as .cer
    • create an html file in your web server pointing to the server-selfsigned-CA.cer file
    • point your iOS devices to your server (using http, not https) and newly created html file, then download the CER file and click on Install
    • then go to iOS settings / general / profiles and install the newly downloaded profile
    • then go to settings / general / about / scroll down to "certificate trust settings" and enable your newly certificate


  • replace the new certificates in your apache config file

use the crt file for SSLCertificateFile

use the .key file for SSLCertificateKeyFile

(think about creating a "dhparam" file and making it available on the same file, e.g. SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem")


  • restart apache
  • test your connection




12 replies
Question marked as Top-ranking reply

Oct 6, 2019 12:50 PM in response to fixitnowyes

Solved this today. Took me several hours on a Sunday evening. Like I had nothing better to do, thank you Apple for that. I wish you would let people connect to their LAN however they want but no, SSL it must be (with all professional-level requirements that is).


My issue: because of new TLS certificate requirements in IOS 13 (https://support.apple.com/en-us/HT210176), my old self-signed certificate was no longer compliant (more than 825 days, no EKU, no SAN).


So, no way around this but to hit the command prompt with openssl.

Turns out you need quite some research to make sure you can enter the EKU and SAN properly.

Here the procedure for those in the #selfhosted community which may be pulling their hairs at the moment:


  • Create an openssl config file - See in "Additional text" the contents of mine (do change values where applicable)


  • Generate a new certificate:

sudo openssl req -config server-selfsigned-CA.cnf -new -x509 -out server-selfsigned-CA.crt


  • Check the certificate results via

openssl x509 -in server-selfsigned-CA.crt -text -noout


  • Import the new self-signed certificate into IOS via (e.g.) download on self-hosted page
    • copy the server-selfsigned-CA.crt file into your http server and rename the extention as .cer
    • create an html file in your web server pointing to the server-selfsigned-CA.cer file
    • point your iOS devices to your server (using http, not https) and newly created html file, then download the CER file and click on Install
    • then go to iOS settings / general / profiles and install the newly downloaded profile
    • then go to settings / general / about / scroll down to "certificate trust settings" and enable your newly certificate


  • replace the new certificates in your apache config file

use the crt file for SSLCertificateFile

use the .key file for SSLCertificateKeyFile

(think about creating a "dhparam" file and making it available on the same file, e.g. SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem")


  • restart apache
  • test your connection




Oct 23, 2019 9:33 AM in response to benny2020

Problem solved. I was using a version of OWASP ZAP proxy that was not the latest. It was not properly handling the SSL communication between my iOS 13.x devices and my self-signed root CA which was created with openssl per Apple's requirements listed in https://support.apple.com/en-us/HT210176. I upgraded ZAP to the 10/21/2019 release and that fixed all issues.

Sep 25, 2019 2:42 AM in response to rakman_baba

Ran into a similar problem. iOS 13 seems to be enforcing that certificates be valid and trusted, whereas previous versions didn't. I had to change the self-signed certificate on my IMAP server (which had worked for years on all iOS versions) over to a valid certificate from a real CA. Chances are there's something wrong with your cert, and older versions just didn't care.

Sep 25, 2019 5:32 AM in response to B R F

My understanding was that the trusted root certification authority setting was meant to force OS to trust the self signed certificate and as this method across all OSes ( Microsoft, Apple or Google) and across all browsers removed the need to buy a CA certificate.


The certificates seem very dear to subscribe to unless you renew free ones every 90 days which would be tedious. What certificate vendor did you go with and at what cost?

Sep 25, 2019 5:43 AM in response to rakman_baba

I never had my self-signed CA cert imported into the phone before (as is done in the support article you linked). It simply wasn't necessary in the past. Either iOS auto-OK'ed certs from mail servers when you added an account, or there was a prompt to permanently OK a cert - I don't actually remember which. So it could be that your imported CA cert was never doing anything all this time anyway, and instead, it worked for other reasons.


Now I'm using a letsencrypt.org cert that requires renewal every 90 days, but the renewal is fully automated via certbot. Works fine.

Oct 3, 2019 1:27 PM in response to rakman_baba

Hi,

Been really getting crazy on this one for a week now.

Really, I have better things to do than troubleshooting because you can not let people use their local servers in peace, seriously?

First there was the thing about mandating SSL, then this stupid certificate issue.

All my other machines are connecting fine but both iPhone and iOS stopped working after update to iOS 13 and started giving this certificate issue. I wonder if IPv6 has anything to do but target server has no ipv6 enabled. I am using a self signed certificate but it is loaded and trusted.

Can you please Apple deliver a solution for this now?!

thanks

Oct 22, 2019 2:03 PM in response to fixitnowyes

I followed the instructions and was able to get all my http/https traffic to traverse out my proxy using the root CA created per the instructions. HOWEVER, there is one major exception. iOS devices (tablets and iphones) running 13.x will not work. However, iOS devices running 10.3.3 will work. Not sure about any versions between 10.3.3 and 13.x. All my Windows 10 boxes were also able to use the root CA without issue - so there remains a detail left out in order to work with iOS 13.x.

Dec 12, 2019 6:23 PM in response to Booger_1

Most likely whoever runs the email server will have to fix the problem, but it's also possible there's a different hostname other than "smtp-server.cinci.rr.com" you're supposed to be using to connect to the server. When I connect to the SMTP port at that address, it returns an SSL certificate that doesn't match up with the hostname.

iOS 13.1 'Cannot verify server identity'

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.