iOS15 not recognizing Let's Encrypt certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dschloss.net

I ran this command: sending email using sendmail in Perl

It produced this output: images blocked in iOS15

My web server is (include version): apache 2.4.51

The operating system my web server runs on is (include version): linux 4.19.150-76.ELK.el7.x86_64

My hosting provider, if applicable, is: JustHost

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel 94.0 (build 16)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi -
I'm a JustHost customer. I send emails to my iOS and Android app customers via sendmail in Perl. With iOS 15, my images are being blocked (with no error message, just an empty box). These images are hosted on my JustHost server and I access them through http in an img tag.
I spoke with JustHost. They say that Apple made a firmware update in late September that no longer recognizes your certificates in iOS15. JustHost does not have a resolution date. They say many of their customers are negatively impacted.
My emails show up fine on other versions of iOS and everywhere else.
Maybe you have more information!
Thank you very much,
- Jon

@jondspa Welcome to the forum!

Are your images hosted on your dschloss.net site? I ask because while I see you have issued certs from Let's Encrypt in the past for subdomains of that domain name, the cert you actually send from your server is from Sectigo - a different Certificate Authority:

Certificate chain
 0 s:/CN=dschloss.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

subject= /CN=dschloss.net
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
notBefore=Mar 29 00:00:00 2021 GMT
notAfter=Apr 11 23:59:59 2022 GMT
serial=670A9062B38A9F33434B3476DCB32ED1
SHA1 Fingerprint=74:AE:93:E8:4E:8E:CF:DA:C0:DE:FE:D5:82:26:54:FA:7B:77:26:BA

If I misunderstand your problem, please post a sample URL that is failing. Thanks

2 Likes

Wow, thanks for the quick reply!

Yes, they are on my shared server dschloss.net. An example of an img tag that is causing blocked images on iOS15:

<img src='http://50.87.101.167/~dschlos1/cgi-bin/moodfit_images/app/notice-brain.jpg' alt='' style='width:50%; max-width:300px; margin:auto; display:block'>

I access my Perl scripts from my apps using https but access my images with http. Even though I'm using http to access my images, JustHost still thought it was a certificate problem.

- Jon

The img tag you posted is using HTTP rather than HTTPS. It is also pointing to an IP address rather than a domain name that your certificate would cover. You likely need to update your links so they are both HTTPS and using your domain name. So your example would change to:

https://dschloss.net/~dschlos1/cgi-bin/moodfit_images/app/notice-brain.jpg

3 Likes
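
The two problems pointed out in the reply above (plain HTTP, and an IP address where the certificate only covers a domain name) can be checked in an email template before it is sent. This is an added example, not part of the original thread; the function names are illustrative and the sample body reuses the two URLs quoted here.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_images(html):
    """Return {src: [problems]} for each image URL in an HTML email body."""
    parser = ImgCollector()
    parser.feed(html)
    report = {}
    for src in parser.sources:
        url = urlsplit(src)
        problems = []
        embedded = url.scheme in ("cid", "data")  # carried inside the message
        if not embedded and url.scheme != "https":
            problems.append("not-https")
        if url.hostname and is_ip_literal(url.hostname):
            problems.append("ip-literal-host")  # a domain cert cannot match this
        report[src] = problems
    return report

# Sample body constructed from the two URLs quoted in this thread.
SAMPLE = (
    "<img src='http://50.87.101.167/~dschlos1/cgi-bin/moodfit_images/app/notice-brain.jpg' alt=''>"
    "<img src='https://dschloss.net/~dschlos1/cgi-bin/moodfit_images/app/notice-brain.jpg' alt=''>"
)

if __name__ == "__main__":
    for src, problems in audit_images(SAMPLE).items():
        print(src, problems or "ok")
```

An empty problem list only means the URL is in the form the reply recommends; it does not test how any particular mail client treats remote images.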

Thanks! Tried that format and yes, I can retrieve images in a browser, but unfortunately the images are still blocked by iOS15. I get the dreaded empty white box in the email instead of an image, no error.

Ok, but now go back to my post #2. That domain name is not using a Let's Encrypt cert - it is using Sectigo. I don't see anything wrong with that cert or chain - but I am not an iOS15 device :) (nor a Sectigo expert)

2 Likes

OK. Many thanks for the responses! I'll follow up with Sectigo.

By the way, is there a way to obscure my links I've put in this thread?

- Jon

You want them to be more obscured than the public website they now sit at?
[which serves all content via HTTP, HTTPS, and IP]
See:

http://50.87.101.167/~dschlos1/cgi-bin/moodfit_images/app/notice-brain.jpg
http://dschloss.net/~dschlos1/cgi-bin/moodfit_images/app/notice-brain.jpg
https://dschloss.net/~dschlos1/cgi-bin/moodfit_images/app/notice-brain.jpg

I mean, if the site can be crawled, those links are already known by much more than anything that crawls this site.

OR have I missed your point?

1 Like

The only link you shared was for that jpg which you could just rename. It is also known to everyone receiving your emails. As for domain names, it is not productive to obscure them - they are publicly known and accessible by various means. Your only protection is to harden your servers. See the notice at the top of your initial post.

2 Likes
