"Cannot verify server identity" message from mail, iOS 10.2.1

Listen, man. If you don't know how to solve the problem, let's wait for someone who does, shall we?

Remember how you said iOS had no option to trust a certificate? Take a look at that screenshot. Note the part highlighted in red on the top right corner.

This option is no longer available after the iOS 10.2.1 update.

I haven't used a POP email server for probably a decade. Further, that article to which you linked is useless. It solved nothing.

I cannot send email because iOS 10.2.1 doesn't trust my hosting service's certificate, and the iOS no longer allows me to trust that certificate.

In fact, I had already seen that article, and tried everything in it before posting here. It really is shockingly unhelpful to repeat what a quick search in the support pages returns.

I did remove and recreate the account with the problem, which did not solved nothing. That's what motivated me to try to ask here.

So far, Apple support has been of no use. They won't even admit to the problem. There is little wonder then, that their support articles are of no use to solve this problem. They actually suggested the same thing you did, that it was somehow my service provider that made the configuration change that caused this problem.

Well, I've bounced this off of the support engineers at Dreamhost. They made no changes. In fact, they wouldn't make changes to their PKI infrastructure based on some iOS firmware update that Apple decides to release. Using PKI server certificates to secure communications between clients and servers is an industry standard process which doesn't dance to Apple's tune. Furthermore, hosting services do actually provide services to other than Apple product users. So, no. This has never been the fault of my commercial hosting service.

Apple created this problem when they released iOS 10.2.1. They changed how iOS behaves regarding PKI certificates. Now, if no one here knows exactly what to do to reverse engineer their product to fix a problem they caused, fine. That's how it is.

Did you see the image I posted that clearly shows that it was once possible to choose to trust a certificate? Here's what iOS update 10.2.1 did to that dialog. Note the upper right corner. That is where the option to Trust a certificate once existed:

Do you understand the problem now? This is a problem with how iOS handles SSL certificates, not with the certificates themselves.

What do any of those things have to do with the iOS update 10.2.1?

Worked fine before that update, now I have no option to trust the certificate. I had to endure this same basic questioning from Apple support.

I know perfectly well how to set up the mail client. IOS updated, and it stopped working.

Thanks, Boris. I did get that suggestion from Dreamhost, and that was going to be my last resort.:

Here's what I discovered:

Simply deleting the email account that is using the offending outgoing mail server doesn't do the job. Since I have several email accounts, that outgoing mail server entry remains in iOS, available for those other email accounts to use.

What has to be done is to go to the outgoing mail server settings for another email account (after deleting the mail account that was using the failing outgoing mail server), and deleting the failing outgoing mail server entry from the list of outgoing mail servers. It isn't possible to delete the entry for the failing outgoing mail server if it is in use by any email account

It does nothing to delete the account that has the failing outgoing mail server, as suggested by the Apple support page, if you have more than one email account defined. As long as that entry exists in the outgoing email server list, iOS will not present the option to trust its certificate after the 10.2.1 update.

For us, I deleted all email accounts on our iPads that were hosted by Dreamhost, leaving my Google mail account. It was in the outgoing mail server list for the Google mail account where I was able to delete the failing outgoing mail server entries. Then, when I recreated those email accounts, I was able to accept the certificate as before the 10.2.1 update.

I've done it in iOS for years. My hosting service's certificate domain doesn't match my domain name, and it causes an error. Previously, all I needed do was view the certificatedetails, and choose to trust it.

To what settings are you referring? Apple Support said this same stuff. Settings. What, port number? That hasn't changed. Still works on my other iPad, that isn't running 10.2.1. What other settings can affect iOS refusing to trust a certificate?

IOS is getting the cert, it just won't let me trust it any more.

Right now, the only option I have is to shut off SSL. Oh, that's nice, isn't it? My email in transit in plaintext.

Of course I'd been through Apple' support process before I posted here. Who doesn't do that?

If their support staff were trained to support their product, we wouldn't be having this little discussion, would we?

So, since you are admittedly a consumer with no knowledge of server certificates and how client operating systems use them, what are you chiming in for?

Nope.

This happened on one device. Only after an IOS update. The useless people at Apple tech support told me the same thing. Essentially, youremi plying that my email hosting service was just waiting for me to upgrade to the latest version of IOS, then changed the ports they were using. Which, of course, has NOTHING to do with a server certificate.

The the goal in solving this problem is to remove all instances of the cached server certficicate from the device having this problem. Then, when replacing that server, IOS will once again present the option to trust the server certificate.