Let’s Encrypt update issue on iOS

Since self-signed certificates fell out of favour I’ve been using Let’s Encrypt certificates served by Symbiosis and Sympl. Whilst certificates update seamlessly, I run into problems every time a certificate is automatically renewed with mail clients running on iOS. I have 300 email accounts, some of which are used by people working abroad.

Problem - iOS fails to recognise a certificate update and warns that the certificate is not reliable.

Resolution - It appears there is no way to accept the new certificate within iOS unless the account is deleted and reconfigured. As LE certificates are updated more often than is practical (every 90 days) this is becoming a right royal PITA.

Has anyone found a solution better than instructing users to delete and reinstall their email accounts?

Here’s a guess. Turn off the SSL setting for the server. Click Done.

This should fail because the port is now wrong and the server should return a fail.

Turn it on again… and click done. Does this re-verify the cert?

???

As a follow-up… I don’t seem to get the problem you are describing. I wonder if it’s dependent on iOS release number.

There are always problems with iOS devices.

Sometimes it is user error (they’re falsely sold as a “non-technical” magic bean) but much is down to Apple.

Although I have heard of similar problems, it hasn’t been for a very long time. I’m not aware of changing anything, but the problem went away.

If it hadn’t, it still wouldn’t be my problem: I have never advised anyone to buy Apple. Quite the opposite.

I can see that this sort of thing could happen with Symbiosis, as it doesn’t support SNI for POP3/IMAP and would default to the self-signed certificate, so clients might complain about that. As long as the user has the server configured with the relevant/correct host name, it should be fine and not even prompt.

I’d be surprised if Apple gets upset at valid certs changing as they’re one of the main ones pushing for shorter certificate ages.

Been using LE certificates on my mail accounts for years with a multitude of Apple devices. Never had any issues so don’t know what the problem might be.

compassweb:
> Has anyone found a solution better than instructing users to delete and reinstall their email accounts?

If you’re using Sympl, then clients should use the bare domain (i.e. example.com rather than www.example.com or mail.example.com) as the hostname for mail configured in the mail client.

See Configuring an Email Client - Sympl Wiki for details.

As the certificates are valid and the IMAP/POP3 server is using SNI to provide the relevant cert based on the hostname, the user won’t be prompted.

Note: This will not work in Symbiosis as it does not have SNI support, and requires both the base domain to have DNS pointed to the server, and a valid SSL certificate for the base domain.

I’m not an iOS user, but my wife has an iPad and iPhone and uses email on my Sympl server, as does at least one desktop iOS user that I know, and they have not reported problems.
They are all using the primary domain now. I seem to remember there were problems when they used the mail subdomain in the past.

Using the base domain works for me as well, across all devices and software (Mail on iOS, Thunderbird on Linux, neomutt on Linux etc.)
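To make the SNI point in the thread concrete, here is an added example (my own code, not part of Sympl, Symbiosis or this thread) that models the two halves of the exchange: the server picking a certificate (by SNI name, or always the default self-signed cert when SNI is unsupported) and the mail client checking the configured hostname against the SAN names of whatever it received. It also includes a live `probe_mail_tls()` helper that connects to a real IMAPS port with the same chain-and-hostname verification a mail client applies and reports either the SAN names and expiry or the verification error. All hostnames (`example.com`, `server.hosting.example`) and the two sample certificates are constructed placeholders.

```python
"""Model of the certificate check a mail client performs on IMAPS/POP3S,
plus a live probe. Added example, not Sympl or Symbiosis code."""
import socket
import ssl


def hostname_matches(configured_host, san_dns_names):
    """RFC 6125-style hostname check as mail clients apply it: the configured
    server name must equal a SAN DNS entry exactly, or match a wildcard whose
    '*' replaces only the leftmost label (so *.example.com covers
    mail.example.com but not example.com itself or a.b.example.com)."""
    host = configured_host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def pick_cert(sni_table, default_cert, sni_name, sni_supported):
    """Server side: with SNI (Sympl) the cert for the requested name is served;
    without SNI (Symbiosis) every connection gets the default certificate,
    whatever name the client asked for."""
    if sni_supported and sni_name:
        return sni_table.get(sni_name.lower(), default_cert)
    return default_cert


def client_accepts(configured_host, cert):
    """Client side: the chain must be trusted and the hostname must match.
    Returns (accepted, reason) so the cause of a prompt is visible."""
    if not cert["trusted"]:
        return False, "untrusted issuer (self-signed default certificate)"
    if not hostname_matches(configured_host, cert["sans"]):
        return False, "hostname %s not in SAN %s" % (configured_host, cert["sans"])
    return True, "ok"


# Constructed sample data: one Let's Encrypt cert for a hosted domain plus the
# server's default self-signed cert. Hostnames are placeholders.
LE_CERT = {"trusted": True, "sans": ["example.com", "www.example.com"]}
DEFAULT_CERT = {"trusted": False, "sans": ["server.hosting.example"]}
SNI_TABLE = {"example.com": LE_CERT, "www.example.com": LE_CERT}


def scenario(configured_host, sni_supported):
    """Run one client/server exchange and return the client's verdict."""
    cert = pick_cert(SNI_TABLE, DEFAULT_CERT, configured_host, sni_supported)
    return client_accepts(configured_host, cert)


def probe_mail_tls(host, port=993, timeout=5):
    """Live check against a real server: connect with the verification a mail
    client uses (trusted chain plus hostname, sending `host` as SNI) and report
    the leaf cert's SAN names and expiry, or the error a user would be shown."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "sans": sans, "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message}


if __name__ == "__main__":
    for host, sni in [("example.com", True), ("example.com", False),
                      ("mail.example.com", True)]:
        print(host, "SNI" if sni else "no SNI", scenario(host, sni))
```

The three modelled cases line up with the thread: the bare domain on an SNI-capable server is accepted; the same domain on a server without SNI gets the self-signed default cert and is rejected; and a `mail.` subdomain that has no certificate of its own falls back to the default cert even with SNI, which is why switching clients to the primary domain makes the prompts stop. Run `probe_mail_tls("example.com")` against a real host to see the same verdict for a live server.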