pop/imap certificate issues since 11.4.1

Question

Level 1

9 points

pop/imap certificate issues since 11.4.1

We run a pop/imap server in our organization and since Thursday 8/2/18, Apple products (iPad, iPhone, MacBook Pro) have been unable to verify the server identity complaining about an untrusted certificate.

This is not happening on every Apple device, not on every iphone, not on every ipad. But it is ONLY happening on Apple devices. All androids, all outlook profiles on Windows computers and all other configurations are fine.

Apple is the only common denominator.

I am wondering if there was some obscure security update since 11.4.1 came out that may be causing this issue. But I can't find anything published that would make sense to this.

It is not our certificate, like I said, there are no issues from any other vendor besides Apple. I have run our cert through numerous tests and all come back golden.

Any help is greatly appreciated.

iOS 11.4.1

Posted on Aug 6, 2018 9:03 AM

Reply

Answer 1

mabaeyens

Level 5

4,565 points

Aug 9, 2018 8:52 AM in response to adssfasfasf

I'm surprised it didn't happen earlier.

This comes from over a year ago, when developers at Mozilla and Google raised some concerns with Symantec practices issuing certificates by its owned brands (like Thawte, RapidSSL or Equifax) not following some industry standards, leading to potential issues in user and website security.

The list of root certificates was updated by Apple on July 20, and it affects most if not all Symantec issued certificates, including all brands which belong to Symantec. Google and Firefox already started with the distrust rollout as well, with different timelines. So by end of year, no major browser will support any of these certificates.

Some references and sources:

Reply

Answer 2

KiltedTim

Level 10

195,477 points

Aug 9, 2018 8:01 AM in response to adssfasfasf

Actually, the problem most likely is the certificate. Who is the signing authority for the certificate?

Reference this document: List of available trusted root certificates in iOS 11 - Apple Support

Reply

Answer 3

adssfasfasf Author

Level 1

9 points

Aug 9, 2018 7:54 AM in response to philipp163

Unfortunately not. We are fixing each device 1 by 1. Most of them are quick fixes, turn off SSL and turn it back on kinda things. But we have a huge user base and we are getting probably 10 calls a day for the past week to fix these issues with the Apple products.

Reply

Answer 4

adssfasfasf Author

Level 1

9 points

Aug 9, 2018 8:13 AM in response to KiltedTim

We use an untrusted certificate, but our certificate has been untrusted by Apple for years. We had another person (Apple partner) tell us that he did the same thing. Just reinstalled his current cert and that solved it.

None of this explains why it just all of a sudden happened though.

The cert it complains about is our intermediary and that is RapidSSL. Why would Apple decide not to trust an authority that everyone else does trust?

Reply

Answer 5

adssfasfasf Author

Level 1

9 points

Aug 9, 2018 9:56 AM in response to mabaeyens

Im confused, perhaps you can shed some light. Our cert was issued by digicert. Which is trusted by Apple. It is a RapidSSL cert that was issued by digicert. Did digicert buy rapidssl?

Our cert was issued 11/2017 and expires 11/2027. So it falls under the Case #4 from one of the threads you posted. So we need to replace this cert?

Reply

Answer 6

mabaeyens

Level 5

4,565 points

Aug 9, 2018 10:09 AM in response to adssfasfasf

No, if you did already it will be OK (and the reason why you don't have the error anymore, likely).

The note from Digicert: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/

If you followed this Generate report to identify certificates impacted by potential Chrome distrust you will be OK.

Reply

Answer 7

adssfasfasf Author

Level 1

9 points

Aug 9, 2018 10:28 AM in response to mabaeyens

Our root cert is trusted by Apple. serial #: 083be056904246b1a1756ac95991c74a

We did go through the Free replacement with digicert.

When the apple devices are complaining about the cert not being trusted, they are pointing to our RapidSSL cert that was issues by Digicert.

According to Apple and the Digicert threads, our cert should not have been affected. But still.... All Apple products running 11.4.3 have been untrusting us.

Reply

Answer 8

mabaeyens

Level 5

4,565 points

Aug 10, 2018 12:04 AM in response to adssfasfasf

Certificates follow a chain, from the one in your device to the highest level certificate authority's certificate. For one certificate to be valid, all the trust chain up to the top must be trusted, either forcefully (i.e.: self-signed CAs) or following the chain.

I don't know which part of that chain is this intermediate RapidSSL, but it should also be replaced: RapidSSL Intermediate and Root CA Certificates.

Reply

Answer 9

Aug 9, 2018 1:23 AM in response to adssfasfasf

Hi,

we have exactly the same problem. Did you solve it?

Reply

Answer 10

Aug 9, 2018 8:00 AM in response to adssfasfasf

We fixed it today by installing a new certificate on the mail-server. However we didn't find out the difference between the old and the new certificate yet.

Reply

Answer 11

mabaeyens

Level 5

4,565 points

Aug 9, 2018 8:54 AM in response to philipp163

Check my reply below with regards to the Symantec certificate distrust, in case it also applies to your issue.

Reply

Answer 12

adssfasfasf Author

Level 1

9 points

Aug 9, 2018 9:58 AM in response to adssfasfasf

Sorry, I was going to add, that we already replaced our cert once all this came up and digicert began replacing them for free. Do we need to do it again?

Reply

pop/imap certificate issues since 11.4.1

Similar questions