IOS issue after certificate renewal

kevinc · October 10, 2020, 4:04pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:mail.carpenter-farms.us

I ran this command:certbot renew

It produced this output:Renewal succcessful

My web server is (include version): certonly mail server

The operating system my web server runs on is (include version): Linux 4.19.57

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.5.0

After renewal all my Apple IOS devices complain the certificate is expired. Only solution I've found is to delete and renew the mail account on each device, which is a real pain to do every 90 days. Even when re-added IOS complains the certificate is invalid, but allows me to continue (for another 90 days)

griffin · October 10, 2020, 5:45pm

Welcome Back to the Let's Encrypt Community, Kevin

Does this only happen with iOS devices?

I don't immediately have too many thoughts regarding mail.carpenter-farms.us.

What webserver software are you using here (e.g. apache, nginx)?

Did you restart the webserver software after renewing the certificate?

Did you clear the caches on the affected iOS devices after renewing the certificate?

The wrong certificate is being served over port 443 (HTTPS). This isn't a great concern since your mail doesn't use this port anyhow.

I have great concerns regarding carpenter-farms.us and www.carpenter-farms.us.

The wrong certificate is being served over port 443 (HTTPS).

The redirects in place are completely dysfunctional.

Screenshot_20201010-112813_Samsung Internet

Screenshot_20201010-112914_Samsung Internet

Complete certificate history for reference:
https://crt.sh/?Identity=carpenter-farms.us&deduplicate=Y

JuergenAuer · October 10, 2020, 6:05pm

Hi @kevinc

checking your mail ports 25, 465, 587, 993 and 995 via OpenSsl:

25, 587 (SMTP) and 993 (Imap) - all have the correct certificate with the correct chain. The other ports don't answer, but that's ok if you don't use these.

So I don't see a problem.

Do you use the correct server name mail.carpenter-farms.us? But your main domain doesn't have open ports, so you would see a different error message.

Is there a better reason? Why complains IOS? (Invalid name, CA?)

griffin · October 10, 2020, 6:30pm

Are you meaning carpenter-farms.us? I was able to access it in various ways without any issues as seen in my screenshots. Maybe a regional block or something?

JuergenAuer · October 10, 2020, 6:33pm

That's not a mail port.

The problem is the mail account.

So all port 443 / redirects / webservers etc. are unrelevant.

The mail port has a valid certificate.

griffin · October 10, 2020, 6:37pm

Ah. That makes sense. I only pointed out the other things just to make sure that Kevin was aware of them.

How were we both able to check for certificates if the ports weren't open though?

rg305 · October 10, 2020, 6:38pm

I agree with @JuergenAuer, the mail ports all show the correct cert.
I believe the problem is within the iOS client (version) and its' trusted CA list/file.

rg305 · October 10, 2020, 6:39pm

They are open from where I'm sitting.
Try:
openssl s_client -connect mail.carpenter-farms.us:25 -starttls smtp

griffin · October 10, 2020, 6:42pm

Hence why I asked Juergen (or is it Jürgen?) about this:

I just want to make sure we're all on the same page and seeing the same things.

rg305 · October 10, 2020, 6:45pm

I believe that "domain" and "ports" there are in context with "normal domain access" (ie 80/443).
Which neither has been setup for that FQDN (and are not required for mail use).

griffin · October 10, 2020, 6:49pm

I already confirmed that port 443 is open for mail.carpenter-farms.us, carpenter-farms.us, and www.carpenter-farms.us. For mail usage port 443 is, of course, irrelevant for mail.carpenter-farms.us. Perhaps Juergen was referring to the mail ports for carpenter-farms.us (which I never checked)?

Update:

Just confirmed that ports 25, 465, 587, 993, and 995 are closed for carpenter-farms.us.

@JuergenAuer

This was all just a miscommunication issue. We're all on the same page.

_az · October 10, 2020, 11:22pm

Do they?

993 has a certificate which has been expired for 16.5 hours now:

$ openssl s_client -connect mail.carpenter-farms.us:993 -showcerts 2>/dev/null  | openssl x509 -noout -dates -subject
notBefore=Jul 12 06:47:43 2020 GMT
notAfter=Oct 10 06:47:43 2020 GMT
subject=CN = mail.carpenter-farms.us

rg305 · October 11, 2020, 12:01am

So then Dovecot is not pointing to the latest cert OR its' restart (after the cert is renewed) was excluded from the script that did the rest.

kevinc · October 11, 2020, 3:10am

Just restarted dovecot, and you were correct - the crontab entry did not do that.

Thank you for pointing that out!

rg305 · October 11, 2020, 4:52am

Thanks ot @_az for taking the time to notice.
I actually only checked the first two and thought well they are both the same - they should all be the same .
Lesson learned!
[take nothing for granted]

Glad to hear that you have a good working procedure now and that your iOS isn't outdated!

Cheers from Miami

JuergenAuer · October 11, 2020, 6:51am

Ah, checked only the first, but if different mail ports have different certificates, that's not enough.

PS: Without restarting the mail server that can't work.

system · November 10, 2020, 6:51am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.