Having trouble with SAN cert on iOS 9

@ebekker Hmmm - I'll look into that. The device is running the latest version of iOS, 9.3.1.

Taken from: Which browsers and operating systems support Let's Encrypt

Interestingly enough, Safari on that same iOS device seems to go through just fine when hitting the OWA site. However, because Safari doesn't let you view the certificates in use for that session, it's not really helpful. I assume that Safari would use the same root store as the Apple Mail app does, but I could be wrong on that.

Taken from: https://support.apple.com/en-us/HT205205

DST Root CA X3 is in the trusted store.

I verified that it had the same serial number as listed on the Apple support KB article.

I really think the issue is that the server is only presenting the client with:

  • Let's Encrypt Authority X3
    • {server certificate}

Rather than:

  • DST Root CA X3
    • Let's Encrypt Authority X3
      • {Server certificate}

However, given that the Let's Encrypt Authority X3 cert was signed by DST Root CA X3, which is supposedly in the device's local root store, shouldn't that make the intermediate LE cert inherently trusted?
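
Added example, not part of the original post: a constructed three-tier test PKI checked with `openssl verify`, comparing a client that trusts only the root when the server sends intermediate plus leaf versus the leaf alone. The subject names, file names and the helper functions `build_pki` and `client_accepts` are assumptions made for this illustration; none of the real certificates are involved.

```shell
#!/bin/sh
# Constructed test PKI (not the real certificates): "Test Root" stands in for
# DST Root CA X3, "Test Intermediate" for Let's Encrypt Authority X3.
build_pki() {  # $1 = empty working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Root: self-signed, the only certificate placed in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/pki.cnf" \
    -extensions v3_ca -subj "/CN=Test Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
  # Intermediate: signed by the root, delivered by the server in the handshake.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=Test Intermediate" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/pki.cnf" -extensions v3_ca \
    -out "$1/int.pem" 2>/dev/null || return 1
  # Leaf: the server certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=owa.example.test" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -extfile "$1/pki.cnf" -extensions v3_leaf \
    -out "$1/leaf.pem" 2>/dev/null
}

# $1 = PKI dir, $2 = optional PEM file of intermediates the server sent (untrusted input).
client_accepts() {
  openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} \
    "$1/leaf.pem" >/dev/null 2>&1
}

demo=$(mktemp -d) && build_pki "$demo" || exit 1
client_accepts "$demo" "$demo/int.pem" && echo "intermediate + leaf sent, root only in store: accepted"
client_accepts "$demo" || echo "leaf only sent: rejected, no path to the trusted root"
rm -rf "$demo"
```

The same comparison can be made against a live server by saving the certificates it sends and passing everything after the first as the `-untrusted` file.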