IOS issue after certificate renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.carpenter-farms.us

I ran this command: certbot renew

It produced this output: Renewal successful

My web server is (include version): certonly mail server

The operating system my web server runs on is (include version): Linux 4.19.57

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.5.0

After renewal all my Apple iOS devices complain the certificate is expired. The only solution I've found is to delete and re-add the mail account on each device, which is a real pain to do every 90 days. Even when re-added, iOS complains the certificate is invalid, but allows me to continue (for another 90 days).


Welcome Back to the Let's Encrypt Community, Kevin :slightly_smiling_face:

Does this only happen with iOS devices?


I don't immediately have too many thoughts regarding mail.carpenter-farms.us.

What webserver software are you using here (e.g. apache, nginx)?

Did you restart the webserver software after renewing the certificate?

Did you clear the caches on the affected iOS devices after renewing the certificate?

The wrong certificate is being served over port 443 (HTTPS). This isn't a great concern since your mail doesn't use this port anyhow.


I have great concerns regarding carpenter-farms.us and www.carpenter-farms.us.

The wrong certificate is being served over port 443 (HTTPS).

The redirects in place are completely dysfunctional.



Complete certificate history for reference:


Hi @kevinc

checking your mail ports 25, 465, 587, 993 and 995 via OpenSSL:

25, 587 (SMTP) and 993 (IMAP) - all have the correct certificate with the correct chain. The other ports don't answer, but that's ok if you don't use these.

So I don't see a problem.

Do you use the correct server name mail.carpenter-farms.us? But your main domain doesn't have open ports, so you would see a different error message.

Is there a better reason? Why does iOS complain? (Invalid name, CA?)


Are you meaning carpenter-farms.us? I was able to access it in various ways without any issues as seen in my screenshots. Maybe a regional block or something?


That's not a mail port.

The problem is the mail account.

So all port 443 / redirects / webservers etc. are irrelevant.

The mail port has a valid certificate.


Ah. That makes sense. I only pointed out the other things just to make sure that Kevin was aware of them.

How were we both able to check for certificates if the ports weren't open though?

I agree with @JuergenAuer, the mail ports all show the correct cert.
I believe the problem is within the iOS client (version) and its trusted CA list/file.


They are open from where I'm sitting.
Try:
openssl s_client -connect mail.carpenter-farms.us:25 -starttls smtp


Hence why I asked Juergen (or is it Jürgen?) about this:

I just want to make sure we're all on the same page and seeing the same things.

I believe that "domain" and "ports" there are in context with "normal domain access" (ie 80/443).
Which neither has been setup for that FQDN (and are not required for mail use).


I already confirmed that port 443 is open for mail.carpenter-farms.us, carpenter-farms.us, and www.carpenter-farms.us. For mail usage port 443 is, of course, irrelevant for mail.carpenter-farms.us. Perhaps Juergen was referring to the mail ports for carpenter-farms.us (which I never checked)?

Update:

Just confirmed that ports 25, 465, 587, 993, and 995 are closed for carpenter-farms.us.

@JuergenAuer

This was all just a miscommunication issue. We're all on the same page. :slightly_smiling_face:


Do they?

993 has a certificate which has been expired for 16.5 hours now:

$ openssl s_client -connect mail.carpenter-farms.us:993 -showcerts 2>/dev/null  | openssl x509 -noout -dates -subject
notBefore=Jul 12 06:47:43 2020 GMT
notAfter=Oct 10 06:47:43 2020 GMT
subject=CN = mail.carpenter-farms.us

So then Dovecot is not pointing to the latest cert OR its restart (after the cert is renewed) was excluded from the script that did the rest.


Just restarted dovecot, and you were correct - the crontab entry did not do that.

Thank you for pointing that out!


Thanks to @_az for taking the time to notice.
I actually only checked the first two and thought, well, they are both the same - they should all be the same.
Lesson learned!
[take nothing for granted]

Glad to hear that you have a good working procedure now and that your iOS isn't outdated!

Cheers from Miami :beers:


Ah, I checked only the first, but if different mail ports have different certificates, that's not enough.

PS: Without restarting the mail server that can't work.
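A post-renewal check that would have caught the stale Dovecot certificate on 993 before the iOS devices did, added here as an example (it is not from the thread, from Certbot or from Dovecot); the mail host, the certificate path and the use of GNU date are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): after `certbot renew`, confirm that
# every mail port serves the renewed certificate. A daemon still holding the
# old file (the Dovecot case above) shows up as a fingerprint mismatch and,
# once the old cert lapses, as EXPIRED. Assumes GNU date and openssl.
MAIL_HOST="${MAIL_HOST:-mail.example.com}"                      # assumption
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/$MAIL_HOST/fullchain.pem}"

# Leaf cert (PEM) served on a port; STARTTLS where the protocol needs it.
# Prints nothing if the port is closed or does not speak TLS.
fetch_served_cert() {
  host=$1; port=$2
  case $port in
    25|587) extra="-starttls smtp" ;;
    143)    extra="-starttls imap" ;;
    110)    extra="-starttls pop3" ;;
    *)      extra="" ;;
  esac
  openssl s_client -connect "$host:$port" -servername "$host" $extra \
    </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# SHA-256 fingerprint of the first PEM certificate read on stdin.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# is_expired "notAfter=<date>" [epoch]: 0 if notAfter is at or before the
# given epoch second (default: now), 1 if still valid, 2 if unparseable.
is_expired() {
  not_after=${1#notAfter=}
  now=${2:-$(date -u +%s)}
  exp=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
  [ "$exp" -le "$now" ]
}

check_mail_ports() {
  expected=$(cert_fingerprint < "$CERT_FILE")
  for port in 25 587 465 993 995; do
    pem=$(fetch_served_cert "$MAIL_HOST" "$port")
    if [ -z "$pem" ]; then echo "$port: no TLS answer"; continue; fi
    fp=$(printf '%s\n' "$pem" | cert_fingerprint)
    na=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    state="matches on-disk cert"
    [ "$fp" = "$expected" ] || state="STALE: differs from on-disk cert"
    if is_expired "$na"; then state="$state, EXPIRED"; fi
    echo "$port: $state ($na)"
  done
}
# The network check only runs on request: RUN_CHECK=1 MAIL_HOST=... sh check.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then check_mail_ports; fi
```

Run it from the same cron entry as the renewal, after the service restarts, so a port that was skipped by the restart step is reported the same day rather than 90 days later.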