Question: "Cannot verify server identity" message from mail, iOS 10.2.1

Since upgrading to iOS 10.2.1, the mail app cannot send mail, returning a certificate error, "cannot verify server identity".


Previously, all I needed do was view the certificate details, then simply select "trust" to accept the certificate. This option is no longer available.


Apple support tried to tell me my provider (Dreamhost) must have changed setting so iOS would no longer allow me to trust their certificates. Really. That's what they said.


Now, imagine generating a server certificate. Then, further imagine setting it (if it were even possible), so that no client could trust and use it. That's what Apple Support suggested to me.


I've seen other complaints on the internets about this behavior with this iOS version.


Does anyone here know how to trust a mail certificate with iOS 10.2.1?

Posted on Jan 29, 2017 11:15 PM

Jan 29, 2017 11:22 PM in response to Jesse Ohlsson

Hi Jesse,


What email domain are you using? Use https://www.apple.com/support/mail-settings-lookup/ to check your email's incoming and outgoing server settings. Then go to Settings > Mail > Accounts > Tap on your account > Then tap on your email at the top. Verify that incoming and outgoing mail server settings are correct. If that doesn't help use this article: If you can’t send or receive emails on your iPhone, iPad, or iPod touch

Jan 29, 2017 11:28 PM in response to rbakelaar

What do any of those things have to do with the iOS update 10.2.1?


Worked fine before that update, now I have no option to trust the certificate. I had to endure this same basic questioning from Apple support.


I know perfectly well how to set up the mail client. iOS updated, and it stopped working.

Jan 29, 2017 11:39 PM in response to Jesse Ohlsson

There is no option to "trust" a certificate in iOS. iOS is not designed the same way that Mac OS is. That message you're getting is directly related to your email provider's incoming and outgoing server settings. It's nothing to do with the certificate. If your incoming and outgoing server settings aren't working, it's an issue with your email account specifically. Account settings are updated along with software updates. So it is indeed possible they could've changed the settings to accommodate the update.

Jan 29, 2017 11:59 PM in response to rbakelaar

I've done it in iOS for years. My hosting service's certificate domain doesn't match my domain name, and it causes an error. Previously, all I needed do was view the certificate details, and choose to trust it.


To what settings are you referring? Apple Support said this same stuff. Settings. What, port number? That hasn't changed. Still works on my other iPad, that isn't running 10.2.1. What other settings can affect iOS refusing to trust a certificate?


iOS is getting the cert, it just won't let me trust it any more.


Right now, the only option I have is to shut off SSL. Oh, that's nice, isn't it? My email in transit in plaintext.

Jan 30, 2017 12:05 AM in response to Jesse Ohlsson

Like I said before, follow my earlier post. Look up your email in the settings in the tool I gave you, https://www.apple.com/support/mail-settings-lookup/. Then remove and re-add the account with those settings. Your account is most likely a POP account, which is old technology. Update it to an IMAP account or get your email provider to do it for you. You simply said that you're having an issue with SENDING mail. Follow this article if you're having that issue: If you can’t send or receive emails on your iPhone, iPad, or iPod touch

Jan 30, 2017 8:14 AM in response to rbakelaar

Listen, man. If you don't know how to solve the problem, let's wait for someone who does, shall we?


Remember how you said iOS had no option to trust a certificate? Take a look at that screenshot. Note the part highlighted in red on the top right corner.


User uploaded file


This option is no longer available after the iOS 10.2.1 update.


I haven't used a POP email server for probably a decade. Further, that article to which you linked is useless. It solved nothing.


I cannot send email because iOS 10.2.1 doesn't trust my hosting service's certificate, and the iOS no longer allows me to trust that certificate.

Jan 30, 2017 9:48 PM in response to Jesse Ohlsson

Exactly. I wasn't trying to be rude, but that's what I suggested to you. Brian is saying the same thing I was, man. We're just trying to help you. If you don't want to take our suggestions, then don't ask for them on here. I said you most likely have a POP account. I never said you did. Obviously it sounds like you didn't follow that article, because at the bottom of it it tells you to remove and re-add the accounts. I'm a consumer and don't have a business email, so things will be different on my end than yours and not have certificates.

Jan 31, 2017 1:23 PM in response to rbakelaar

In fact, I had already seen that article, and tried everything in it before posting here. It really is shockingly unhelpful to repeat what a quick search in the support pages returns.


I did remove and recreate the account with the problem, which solved nothing. That's what motivated me to try to ask here.


So far, Apple support has been of no use. They won't even admit to the problem. There is little wonder then, that their support articles are of no use to solve this problem. They actually suggested the same thing you did, that it was somehow my service provider that made the configuration change that caused this problem.


Well, I've bounced this off of the support engineers at Dreamhost. They made no changes. In fact, they wouldn't make changes to their PKI infrastructure based on some iOS firmware update that Apple decides to release. Using PKI server certificates to secure communications between clients and servers is an industry standard process which doesn't dance to Apple's tune. Furthermore, hosting services do actually provide services to other than Apple product users. So, no. This has never been the fault of my commercial hosting service.


Apple created this problem when they released iOS 10.2.1. They changed how iOS behaves regarding PKI certificates. Now, if no one here knows exactly what to do to reverse engineer their product to fix a problem they caused, fine. That's how it is.


Did you see the image I posted that clearly shows that it was once possible to choose to trust a certificate? Here's what iOS update 10.2.1 did to that dialog. Note the upper right corner. That is where the option to Trust a certificate once existed:


User uploaded file


Do you understand the problem now? This is a problem with how iOS handles SSL certificates, not with the certificates themselves.

Jan 31, 2017 10:28 PM in response to Jesse Ohlsson

Like I said. I'm a consumer. So I've never had a problem with certificates as I use a gmail account. What gets me irritated is that you called Apple support for help. They are trained to support these products very well. Let them do their job.

Feb 1, 2017 11:18 AM in response to rbakelaar

Of course I'd been through Apple's support process before I posted here. Who doesn't do that?


If their support staff were trained to support their product, we wouldn't be having this little discussion, would we?


So, since you are admittedly a consumer with no knowledge of server certificates and how client operating systems use them, what are you chiming in for?

Feb 2, 2017 5:05 PM in response to Jesse Ohlsson

Hi Jesse,

Another update, another casualty....... This is yet another case of Apple assuming you don't know what you're doing and "protecting" you from trusting a domain you possibly shouldn't - again, "possibly" is the key here, since as you know there are a lot of reasons why you might WANT to trust a valid certificate from a name that does not agree with the cert. I have a custom domain on Dreamhost and had the same problem.


Change your "outgoing mail server" for the account from mail.yourcustomdomain.com to homie.mail.dreamhost.com (Yes, that is a silly name, but you know Dreamhost) and the problem will go away without you having to delete anything.


You're not alone in your frustration - support and iOS in general have been in a state of gradual decline for several years now. Apple is now in the business of pushing toys and fluff "features" while ignoring real issues, basically punishing you for trying to do "real work" with your devices. Formerly-working features are broken or removed without warning in almost every new update, but hey, think of the pretty balloons and all the new emoji you've got! Do a quick search for "apple core rot" to see a funny summary of the state of things (funny-sad, but at least good for a laugh).


Peace,

Boris

Question marked as Solved

Feb 3, 2017 10:13 AM in response to Boris Y

Thanks, Boris. I did get that suggestion from Dreamhost, and that was going to be my last resort.


Here's what I discovered:


Simply deleting the email account that is using the offending outgoing mail server doesn't do the job. Since I have several email accounts, that outgoing mail server entry remains in iOS, available for those other email accounts to use.


What has to be done is to go to the outgoing mail server settings for another email account (after deleting the mail account that was using the failing outgoing mail server), and delete the failing outgoing mail server entry from the list of outgoing mail servers. It isn't possible to delete the entry for the failing outgoing mail server if it is in use by any email account.


It does nothing to delete the account that has the failing outgoing mail server, as suggested by the Apple support page, if you have more than one email account defined. As long as that entry exists in the outgoing email server list, iOS will not present the option to trust its certificate after the 10.2.1 update.


For us, I deleted all email accounts on our iPads that were hosted by Dreamhost, leaving my Google mail account. It was in the outgoing mail server list for the Google mail account where I was able to delete the failing outgoing mail server entries. Then, when I recreated those email accounts, I was able to accept the certificate as before the 10.2.1 update.

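The name mismatch discussed in this thread (a client configured with a custom-domain server name receiving a certificate issued for the hosting provider's own names), shown as an added example that is not part of any post above. It checks configured outgoing server names against a certificate's DNS names; the certificate name list is constructed for illustration and is an assumption, not Dreamhost's actual certificate, and the function names are hypothetical.

```python
# Added example: host name verification against a certificate's DNS names,
# following the usual rules (exact match, or "*" as the whole leftmost label).

def host_matches(host: str, san: str) -> bool:
    """True if `host` is covered by a single certificate DNS name `san`."""
    host_labels = host.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False  # a wildcard never spans more than one label
    if san_labels[0] == "*":
        # Refuse over-broad wildcards such as "*.com"; compare the remaining labels.
        return len(san_labels) >= 3 and host_labels[1:] == san_labels[1:]
    # Partial wildcards ("f*.example.com") are treated as literals and will not match.
    return host_labels == san_labels


def verify_identity(host: str, san_dns_names: list) -> bool:
    """True if any DNS name in the certificate covers the configured host."""
    return any(host_matches(host, san) for san in san_dns_names)


def audit_outgoing_servers(configured: list, san_dns_names: list) -> dict:
    """Map each configured SMTP host to True (verifies) or False (identity error)."""
    return {host: verify_identity(host, san_dns_names) for host in configured}


# Constructed certificate names (assumption for illustration only).
CONSTRUCTED_SANS = ["*.mail.dreamhost.com", "mail.dreamhost.com"]

# Server names as they appear in the thread: the custom-domain alias and the
# provider host name suggested as a replacement.
CONFIGURED = ["mail.yourcustomdomain.com", "homie.mail.dreamhost.com"]

if __name__ == "__main__":
    for host, ok in audit_outgoing_servers(CONFIGURED, CONSTRUCTED_SANS).items():
        status = "verifies" if ok else "cannot verify server identity"
        print(f"{host}: {status}")
```

Configuring the client with a name the certificate actually covers keeps TLS verification on, which avoids both manually trusting a mismatched certificate and turning SSL off.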