Koozali.org: home of the SME Server

iPhone stopped accepting mail certificate

Offline RDMidtun

« on: June 13, 2022, 09:51:25 PM »
Accessing my mail from the iPhone has stopped working after an iOS update. It used to be fine. It now complains about the certificate being invalid.

I followed the recipe in https://wiki.koozali.org/Certificate to update the self-signed certificates. The iPhone now sees the updated certificate, but still does not accept it.

Any ideas on how to work around this?

Offline bunkobugsy


Offline mmccarn

« Reply #2 on: June 14, 2022, 12:35:51 PM »
If you can't use LetsEncrypt, try this:

1. Make sure the name* or IP** in the certificate matches the name or IP used by the email account on the iPhone

2. Open webmail in Safari from the iPhone using the name or IP in the certificate and hope that you get some prompts to install/trust the certificate


* The name used in the cert must resolve to your server from anyplace you want to be able to check your mail.

** If your certificate is using an IP for the name of the server, you will only be able to access your email from a location where that IP works.  LAN IP? --> email from LAN only.  WAN IP? --> Cert must be regenerated and re-trusted if your WAN IP changes.

[edit]
note added to step 2 in italics
« Last Edit: June 14, 2022, 12:37:29 PM by mmccarn »

Offline RDMidtun

« Reply #3 on: June 14, 2022, 08:57:25 PM »
Quote
If you can't use LetsEncrypt, try this:

1. Make sure the name* or IP** in the certificate matches the name or IP used by the email account on the iPhone

2. Open webmail in Safari from the iPhone using the name or IP in the certificate and hope that you get some prompts to install/trust the certificate


* The name used in the cert must resolve to your server from anyplace you want to be able to check your mail.

** If your certificate is using an IP for the name of the server, you will only be able to access your email from a location where that IP works.  LAN IP? --> email from LAN only.  WAN IP? --> Cert must be regenerated and re-trusted if your WAN IP changes.

[edit]
note added to step 2 in italics

I already had the old certificate installed and all was working before the iOS update to version 15.5. I tried installing the re-generated certificate by adding it to my website and pointing the Safari browser to it. It is downloaded to the iPhone, but it does not let me install it as it complains about not being able to verify the authentication.

If I can work up the energy I will try LetsEncrypt, but from the documentation, it seems very complicated.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
« Reply #4 on: June 15, 2022, 12:15:29 AM »
The page needs updating, as it is a mix of manual installation and usage of the contrib.

Check the install procedure and the « rush job ».
That is all you need after making sure the domains you need are selected and real-world DNS points to your server.


Offline krisden

« Reply #5 on: June 15, 2022, 10:04:56 AM »
Quote
Any ideas on how to work around this?

A good start in this type of case is to have a second web browser installed.
Why? Because you'll be able to check where the issue is.
Try with Firefox without importing your profile for the moment, just to test and report.

Otherwise, did you already check something like this: https://support.apple.com/en-us/HT204477

Offline ReetP

« Reply #6 on: June 15, 2022, 10:20:36 AM »
Quote
If I can work up the energy I will try LetsEncrypt, but from the documentation, it seems very complicated.

We've made it as simple as possible but as JP said the wiki page needs simplifying.

It really is worth the effort long term.

Just work your way through the install, and make sure you use test mode until you get it right.

Once working you can pretty well forget it.

Plenty of help here..... Just be patient and ask.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline RDMidtun

« Reply #7 on: June 15, 2022, 01:25:33 PM »
Quote
Otherwise, did you already check something like this: https://support.apple.com/en-us/HT204477

Yes, I have checked it and I am able to download the certificate to the iPhone, but unfortunately it will not let me install it as it is not able to verify it.

I have done a bit of googling and found that other people have problems with certificates and iOS 15.5. I am not convinced this will be fixed by using LetsEncrypt. In addition it seems like using LetsEncrypt will cause you to renew and then manually restore new certificates on the iPhone every 3 months or so? Anyway, for now I will use the fallback solution of accessing my mail from the iPhone using webmail. Webmail works well for me, I am not dependent on using the standard iPhone mail tool.

Thanks to all of you providing help on the issue!!!!

Offline Jean-Philippe Pialasse

« Reply #8 on: June 15, 2022, 02:11:04 PM »
Having to make the iPhone accept the certificate has nothing to do with it being renewed; it has to do with using a certificate from an untrusted source.

Sorry to tell you that, but you are not a trusted source. LE is one.
You do not have to add an exception for the many services LE is currently protecting because LE is a trustable source, and hence you simply have no clue which of the places you go use LE.

Apple has been limiting more and more the ways to add untrustable certificates for 3-4 years now, because it is now cheap to get a trustable one and allowing self-signed certificates opens a potential security hole, including man-in-the-middle attacks.

15.5 is not the first nail in the coffin.
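
The two checks this thread keeps returning to (does the certificate cover the name or IP the mail client is configured with, and is it self-signed rather than CA-issued), as an added example that is not part of any forum post. It assumes the `openssl` command-line tool (1.1.1 or later); the host name mail.example.test and the throwaway certificate are constructed sample data.

```shell
#!/bin/sh
# Added example. Constructed sample data: the host name mail.example.test and
# the throwaway self-signed certificate generated by make_sample_cert.

# "self-signed" when issuer and subject are the same name, else "ca-issued".
cert_issuer_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-issued; fi
}

# "match" when the certificate covers the name or IP the mail client is
# configured with, else "mismatch".
cert_covers() {
    case "$2" in
        *[!0-9.]*) opt=-checkhost ;;   # contains a non-digit, non-dot: host name
        *)         opt=-checkip ;;     # dotted IPv4 literal
    esac
    if openssl x509 -in "$1" -noout "$opt" "$2" | grep -q 'does match'; then
        echo match
    else
        echo mismatch
    fi
}

# Create a short-lived self-signed certificate for mail.example.test.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=mail.example.test' \
        -addext 'subjectAltName=DNS:mail.example.test' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp"
echo "issuer kind:        $(cert_issuer_kind "$tmp/cert.pem")"
echo "mail.example.test:  $(cert_covers "$tmp/cert.pem" mail.example.test)"
echo "192.0.2.10 (by IP): $(cert_covers "$tmp/cert.pem" 192.0.2.10)"
```

Run the two functions against the PEM file of the certificate your server presents, passing the exact server name entered in the phone's mail account.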


Offline ReetP

« Reply #9 on: June 15, 2022, 02:42:29 PM »
Quote
I have done a bit of googling and found that other people have problems with certificates and iOS 15.5. I am not convinced this will be fixed by using LetsEncrypt.

Your sources may be less than reliable...... or your question might be 'neutral' if you are looking for the answer you want rather than the answer that makes most sense.

So, yes self signed issues almost certainly, and no as JP said, LE certificates are trusted. Self signed are not. So convince yourself that they will be a better solution.

I have lots of Apple equipment (amongst a host of other kit) and none of it has issues with LE certs. I think the real issue is you don't want to believe that because you don't want to learn..... :-)


Quote
In addition it seems like using LetsEncrypt will cause you to renew and then manually restore new certificates on the iPhone every 3 months or so? Anyway, for now I will use the fallback solution of accessing my mail from the iPhone using webmail. Webmail works well for me, I am not dependent on using the standard iPhone mail tool.

Again your sources are less than reliable. The certs get automatically renewed every 3 months, but that is all handled automagically by your equipment - both server and clients. It is seamless and transparent and no manual intervention is required. It just 'works'.

The only time you would have an issue is if there is a renewal failure.

If you have a static IP it is very simple to do. If you have dynamic just make sure it is updated with the ddclient contrib.

Time to ditch those self signed certs and move on - some of us have for several years now!!

Offline RDMidtun

« Reply #10 on: June 15, 2022, 08:53:41 PM »
Ok, you convinced me, I installed the LetsEncrypt contrib. The problem was the intimidating documentation. When focusing on the "install" and the "rush job" chapters, the job was done in a few minutes. Then the hope is that this really is automatic in terms of certificate renewals. Anyway, this fixed the problem, the iPhone mail tool is now working!

Thanks to all of you for your help!!!

Offline Jean-Philippe Pialasse

« Reply #11 on: June 15, 2022, 11:07:49 PM »
So we all learned a lesson today!

Ours is that documentation should not scare the user!

Offline ReetP

« Reply #12 on: June 16, 2022, 12:10:53 AM »
Quote
Ok, you convinced me, I installed the LetsEncrypt contrib

Welcome to the 21st century :lol:

Good move.

Quote
Then the hope is that this really is automatic in terms of certificate renewals.

Should be fine. If not raise a bug!!
Quote
Anyway, this fixed the problem, the iPhone mail tool is now working!

Who would have guessed :-)

Quote
Thanks to all of you for your help!!!

Well done for trying and not giving up.

We'll review the docs.