iOS Mail not trusted?

I’ve configured a server with DirectAdmin with a Letsencrypt certifcate. Everything works fine on Mac, Pc, iOS and Android: See

Now I tried to use the same certificate files for Exim by making a symlink from /etc/exim.cacert, /etc/exim.cert and /etc/exim.key to the letsencrypt certifcate elsewhere on the server.
On Windows live mail (Windows 10) and Apple Mail (Mac OS El Captain) SSL mail works great.

At my updated iphone the certificate isn’t trusted at all.
I asked a friend to check on his updated Android device and the certifcate isn’t trusted on that device either.

Has anyone else issued the same problem before? Did I misconfigured something or is Letsencrypt just not authorized yet?

Try connecting to the server with openssl. example:

openssl s_client -starttls smtp -connect or
openssl s_client -starttls imap -connect or on an ssl port
openssl s_client -connect (if using imaps)

At the start of the large volume of text this outputs, you should find:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X1
verify return:1
depth=0 CN =
verify return:1

Certificate chain
0 s:/
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

My andoid and ios clients are not complaining.

Thanks for your reply Kasper.

This is the output I got:

depth=0 /
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /
verify error:num=27:certificate not trusted
verify return:1
depth=0 /
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1

The letsencrypt ssl certifcate isn’t the problem. I did do something wrong with installing the certificate but don’t know what.
I thought it should be easy to install a cert to Exim. Exim and Dovecot are looking for the following files: /etc/exim.cert and /etc/exim.key. I made symlinks from /etc/exim.* to the letsencrypt cert en key file and got above output.

Any clue on what to do?

swissshuttles - Did you find any resolution to this? I'm having a similar issue and have started a new thread in hopes I can resolve this problem.

Hi basetwo, unfortunately I didn’t found the solution yet. Because of my lack of time I have disabled SSL for this particular email server for now.
At the same time I hoped someone else would face the same problem and would solve it. Love to hear from you when you found the solution!

@swisshuttles - Thanks for letting me know. I’m wondering at this point if anyone has tested iOS against a server that is protected by a LE cert. I see that you’re using EXIM - I’m using Exchange. However, seems to be the same result. I’ll let you know how things end up over here.

Just putting it out there, has anyone had success with using a LE cert with iOS 9 Mail? FWIW - Safari on the same device seems to connect without any complaint. Of course that’s assuming that Safari on iOS uses the same Root store as Mail does…

@basetwo @swisshuttles It looks like you are not making Exim use the full certificate chain.
As such, the (truncated) certificate chain cannot be validated, since it doesn’t end with a trusted root CA.

@nicoo - This is the path I’m headed down. Did you have success doing this? FWIW, I’m using the ACMESharp project to generate my cert, and at this point, it is my understanding that the tool does not support generating the full certificate chain. If you saw my other thread on this subject, you’ll notice that I was asking about the cert chain, where the certificate is showing the chain as, Let’s Encrypt Authority X3->myserver.mydomain.tld.

@basetwo I had a cursory look at the Exim documentation, and it doesn’t seem to support specifying an additional file for the “CA” part of the certificate chain.
You can always append new certs (the LE root certificate, in that case) at the end of the certificate file, but I guess you would have to integrate that in your automation.
(Using a less silly ACME client might also be an option)

@nicoo - FWIW I’m not using EXIM, @swisshuttles was. I’m on Exchange. As we’re running mostly Windows, and Windows seems to be treated as a second class citizen at this point, any suggestions on which client to use? It would be nice to have this automated where I’m not jumping through 20 hoops to get this regenerated every ~90 days.

I have no clue about Windows, so it might well be that ACMESharp is your only option.
Regarding automation, can you makes a script that calls ACMESharp, gets a new certificate, and then copies the (new) key where Exchange expects it, concatenate the new cert and the CA cert, and puts it where Exchange expects it, and make Exchange reload the whole thing?

@swisshuttles - as promised, I'm following up to let you know that I figured out the problem I was having with my LE SAN Cert and my Exchange test environment. Unfortunately, I don't think the fix I made will help you. But in case you're interested, the details are here: