
iOS Mail - certificate not trusted

I've run my own server for ages. All services, but let's concentrate on mail.


I missed a security certificate renewal on Sunday and mail broke (not trusted). I renewed the certificate, Mail on OS X (14.4.1) picked up the new certificate with no problem. Mail on iOS (17.5.1) got the new certificate but won't trust it.


Error reads - Cannot Verify Server Identity. The identity of mail cannot be verified.


But if I click on the Details button for that message it shows me that Mail has the new certificate. That certificate is fine and trusted by Mail and Safari on OS X, the certificate is fine and trusted by Safari on my phone, but Mail on that same phone doesn't trust the certificate.


For those of you who know how certificates work, it is a wildcard certificate. It covers every subdomain of ****.com, so if it works for the subdomain then it should work on the mai


And it does, except for Mail on iOS.


A call with Apple Support was no help at all. Tier 1 was kind and tried hard. Tier 2 was rude, and when questioned it became clear that they had no idea at all how security certificates work and weren't interested in learning.


So I need to get Mail on iOS to trust the certificate that every other app has no problem trusting. Any tips for how to get that to happen?


Thanks.


[Edited by Moderator]

iPhone 13 Pro

Posted on Jun 18, 2024 3:21 PM

5 replies

Jun 18, 2024 3:36 PM in response to Lee Chubb

Is the certificate intermediate chain as expected?


Is the mail server DNS perfect? Forward and reverse match, and DKIM, DMARC, SPF are all correct?


I’ll assume the unnamed mail server has been restarted, and the certificates have been imported and processed as needed for whatever mail server this might involve.


That’s all server side, of course.


Last two times I chased these errors client-side, one had mail seemingly caching the stale certificate, though that was on macOS. Safe Mode cleared that, and I’d try a forced restart on iOS here. The other time was a missing intermediate in the mail server.


I am here assuming this is a commercial cert and not a self-signed chain, too.

Jun 20, 2024 7:21 AM in response to MrHoffman

It's a Let's Encrypt certificate, so self-signed.


I used xxxx as a substitute for my real domain. The moderator apparently thought I was trying to promote some adult site and edited my post, but they mangled it in the process and apparently locked me out of editing it, so here is what the fifth paragraph should have said.


For those of you who know how certificates work, it is a wildcard certificate. It covers every subdomain of ****(dot)com, so if it works for the www(dot)****(dot)com subdomain then it should work on the mail(dot)****(dot)com subdomain.


My reasoning is that Apple OSes (and therefore apps) likely all point to the same root certificate, so the certificate chain from there must also be the same. If the certificate is trusted by macOS Mail and Safari and it is trusted by iOS Safari, what is the glitch that makes Mail on iOS not trust it?


I have had the server for ages, nothing has changed. I have used Let's Encrypt for ages and never had this problem. The only difference this time is that I didn't renew in time and there was a day where the old certificate rightly shouldn't have been trusted. The server is providing the new/correct public key now and all four apps have it, so I believe I am seeing a bug in iOS Mail here.


If you think there is an error in my reasoning, I am all ears.


[Edited by Moderator]
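The wildcard reasoning in the post above is worth checking mechanically, because a TLS client matches the account's configured server name against the certificate's SAN entries with fairly strict rules: `*` covers exactly one label, so `*.example.com` covers `mail.example.com` and `www.example.com` but not the bare `example.com` nor `imap.mail.example.com`. The following is an added example written for this thread, not code from the poster or from Apple; it implements the RFC 6125 / RFC 9525 matching rules in Python and uses `example.com` and a constructed SAN list as stand-ins for the real domain.

```python
"""Hostname-vs-certificate name matching as TLS clients apply it.
Added example, not code from the thread; the SAN text at the bottom is constructed."""

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (a SAN dNSName) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, with at least two labels after it
    # (so "*.com" is rejected). Partial-label wildcards such as "m*.example.com" are
    # rejected too, as most clients do.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # '*' matches exactly one non-empty label: same label count, identical remaining labels.
    return len(h_labels) == len(p_labels) and h_labels[0] != "" and h_labels[1:] == p_labels[1:]

def parse_san_names(san_text: str) -> list:
    """Extract DNS names from the SAN text openssl prints, e.g. 'DNS:*.example.com, DNS:example.com'."""
    names = []
    for entry in san_text.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip())
    return names

def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry covers the hostname the mail account is configured with."""
    return any(hostname_matches(name, hostname) for name in san_names)

def coverage_table(san_names, hostnames) -> dict:
    return {host: cert_covers(san_names, host) for host in hostnames}

# Constructed SAN text, in the shape of a wildcard certificate that also lists the apex name.
SAMPLE_SAN = "DNS:*.example.com, DNS:example.com"

if __name__ == "__main__":
    names = parse_san_names(SAMPLE_SAN)
    hosts = ["mail.example.com", "www.example.com", "example.com", "imap.mail.example.com"]
    for host, ok in coverage_table(names, hosts).items():
        print(f"{host:24} {'covered' if ok else 'NOT covered'}")
```

The practical check is to compare the hostname typed into the iOS account's incoming/outgoing server fields with the SAN list: a wildcard-only certificate does not cover the apex domain, and a client that was configured with a different name than the one the browser tested will fail even though the certificate itself is fine.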

Jun 20, 2024 9:10 AM in response to Lee Chubb

The LE cert is not a self-signed certificate.


example.com, example.net, and example.org (and subdomains) are available for and reserved for documentation and for discussions and postings such as this thread.


Make sure the mail server has all necessary intermediates configured for the new LE cert.


I would absolutely review DNS, DKIM, DMARC, SPF.


DNS and certs and cert chain checks have all been tightened.

Jun 20, 2024 9:53 AM in response to Lee Chubb

Most likely culprit here is an issue with the cert itself, or need for an intermediate for a client lacking that, but that check inherently also involves verifying mail server DNS, too.


Less so with verifying other parts, as DKIM, DMARC, and SPF “only” block mail delivery, and not client access.


If you’ve verified server correctness, then some issue with the client or its configuration and troubleshooting that is a next reasonable assumption.
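The replies above keep coming back to the intermediate chain, and the symptom in the thread (Safari trusts the certificate, Mail on the same device does not) is the classic signature of a server that sends only the leaf: browsers commonly fetch a missing issuer from the certificate's AIA URL, while many other clients do not. The following is an added example, not code from the thread or from Apple, that runs the real `openssl s_client` probe against an IMAP server and reads the chain it sends. The two transcripts in it are constructed by hand (the Let's Encrypt CA names are real, the certificate bodies are placeholders), `example.com` stands in for the poster's domain, and the `fullchain.pem`/`cert.pem` remark assumes certbot's file layout.

```python
"""Check which certificates a mail server actually sends in the TLS handshake.
Added example for this thread, not Apple's or the poster's code. The probe uses real
`openssl s_client` flags; the two transcripts are constructed and are not real server output."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed transcript: the server sends only the leaf, so OpenSSL cannot find the issuer.
SAMPLE_LEAF_ONLY = """\
---
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed transcript: leaf plus the Let's Encrypt intermediate, chain verifies.
SAMPLE_COMPLETE = """\
---
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

_CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.*)$")  # " 0 s:CN = ..." lines under "Certificate chain"
_ISSUER = re.compile(r"^\s*i:(.*)$")            # the "   i:..." line that follows each entry
_VERIFY = re.compile(r"^Verify return code: (\d+) \((.*)\)")

@dataclass
class ChainReport:
    sent: List[Tuple[str, str]] = field(default_factory=list)  # (subject, issuer), server order
    verify_code: int = -1
    verify_msg: str = "no 'Verify return code' line found"

    @property
    def sent_count(self) -> int:
        return len(self.sent)

    @property
    def missing_intermediate(self) -> bool:
        """Leaf's issuer was not sent and OpenSSL could not find it locally (codes 20/21)."""
        if not self.sent:
            return False
        leaf_issuer = self.sent[0][1]
        return leaf_issuer not in {subj for subj, _ in self.sent} and self.verify_code in (20, 21)

def diagnose(s_client_output: str) -> ChainReport:
    """Parse the text openssl s_client -showcerts prints into a ChainReport."""
    report = ChainReport()
    pending_subject: Optional[str] = None
    for line in s_client_output.splitlines():
        if (m := _CHAIN_ENTRY.match(line)):
            pending_subject = m.group(1).strip()
        elif (m := _ISSUER.match(line)) and pending_subject is not None:
            report.sent.append((pending_subject, m.group(1).strip()))
            pending_subject = None
        elif (m := _VERIFY.match(line)):
            report.verify_code, report.verify_msg = int(m.group(1)), m.group(2)
    return report

def explain(report: ChainReport) -> str:
    if report.verify_code == 0:
        return f"ok: {report.sent_count} certificate(s) sent, path to a trusted root built"
    if report.missing_intermediate:
        return ("server sends only the leaf; its issuer is missing from the handshake. Clients that "
                "fetch the issuer via the AIA URL (browsers usually do) still trust it; clients that do "
                "not report the identity as unverifiable. Serve the full chain (certbot: fullchain.pem, "
                "not cert.pem).")
    if report.verify_code == 10:
        return "leaf certificate has expired, or the server still serves the old one"
    return f"verification failed: code {report.verify_code} ({report.verify_msg})"

def fetch_s_client(host: str, port: int = 993, starttls: Optional[str] = None) -> str:
    """Live probe. Port 993 is implicit TLS; for port 143 pass starttls='imap'."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    if starttls:
        cmd += ["-starttls", starttls]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(explain(diagnose(fetch_s_client(sys.argv[1]))))  # e.g. mail.example.com
    else:
        for name, sample in (("leaf only", SAMPLE_LEAF_ONLY), ("complete", SAMPLE_COMPLETE)):
            print(f"{name}: {explain(diagnose(sample))}")
```

Run it with the IMAP host as the argument to probe a live server; without arguments it walks the two constructed transcripts. Counting the certificates under "Certificate chain" is the check that separates a server-side chain problem (one certificate sent, issuer absent) from a client-side cache or configuration problem (full chain sent and verified), which is the distinction the replies above ask the poster to make.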
