Let's Encrypt Certificates with Apple IOS Phones

Hello,

A couple weeks ago I suddenly stopped being able to access my email from my phone. When I tried I got a message that the server identity could not be verified. When I click on details it tells me the denial is issued from Let’s Encrypt. Can anyone help me with restoring my email access? I don’t know where Let’s Encrypt came from or why it’s blocking my emails but it’s a real pain.

Thanks!

Let’s Encrypt has nothing to do with your mail delivery or access, and is not blocking anything. If a security certificate issued by Let’s Encrypt (or any other CA) has expired, the mail client on your phone may be giving warnings. What, exactly, do the “details” say?

Is this webmail hosted by yourself? Or some other party? If the latter is the case, you should contact that other party about your problem, as it most likely is a configuration problem on their end.

The details say “ssl.server293.com Issued by Let’s Encrypt Authority…Not Trusted Expires 8/26/17” When I click on More Details it gives me a bunch of information but under “Issuer Name” the organization is Let’s Encrypt Authority X3. Thanks for helping me out!

It’s hosted by some other party, but it has been for several years and this just popped up recently. I’ll check with them, though, in case they changed something on their end that’s causing this. Thanks for your help!

Hi @user2, this error is usually caused by the e-mail host choosing to use Let’s Encrypt certificates, but then forgetting to renew them. Renewing the certificate is mandatory, but it’s possible for the host to forget to do it. Only the host can perform this renewal; Let’s Encrypt itself can’t do anything to fix it without the host’s involvement.

It’s possible that the host had switched from some other certificate provider to Let’s Encrypt because Let’s Encrypt certificates are free of charge. But Let’s Encrypt certificates have to be renewed more frequently than some other certificates do, so it might be easier for people to forget about the mandatory renewals.

Actually @schoen, based on this:

It looks like the certificate is not expired, and was probably issued in late May (i.e., a couple weeks ago). I’m guessing the problem is one of these:

  • Missing intermediate certificate
  • Phone does not include DST Root X3 in its trust store.

@user2, can you tell us what model of phone, and most importantly what version of the operating system you are running, and what software you normally use to access your email?

Thanks for catching that, @jsha.

@user2, the host should still probably be in a position to fix the problem, but I agree that the problem is not exactly what I thought. Per @jsha’s suggestions, it could be that the host configured the certificate incorrectly when installing it, or that your phone isn’t compatible with Let’s Encrypt certificates.

Actually I just checked this host using:

$ openssl s_client -connect ssl.server293.com:143 -servername ssl.server293.com -starttls imap -showcerts < /dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ssl.server293.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=ssl.server293.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3876 bytes and written 515 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2167925AC1A79046C44AA42ACA67F15A54E3DED3AFCDFC5F07334AB74B03104C
    Session-ID-ctx: 
    Master-Key: B1213A8BF80298CA6D93A1F15CCE2CAEE492BB69573712EB338E873B0A48260ABE15DE6CA09C59CB5128B742E71DBD3B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d0 16 50 52 30 83 a4 e3-12 79 ed 41 03 3c 28 5c   ..PR0....y.A.<(\
    0010 - ae 9e 8d fa 31 fa 7d 41-e0 21 86 39 d7 2a cb 69   ....1.}A.!.9.*.i
    0020 - 4b 18 67 d0 50 50 2b 29-4e b5 d8 07 14 07 13 1b   K.g.PP+)N.......
    0030 - cf 03 f9 72 cf a7 5d fb-99 9a a5 de aa a9 b5 0c   ...r..].........
    0040 - f9 30 51 9f 83 0d a4 a9-d6 58 7b 98 8b a1 5e 24   .0Q......X{...^$
    0050 - af 2a b0 2c 8c 9c f7 51-fc 63 7a 8b c9 8c fb b7   .*.,...Q.cz.....
    0060 - 96 5d c7 0b 86 e3 27 35-f8 0e 6d eb e4 9e ec 20   .]....'5..m.... 
    0070 - dc 05 d6 94 8d e9 0e 24-c5 aa 09 7e ca eb 73 97   .......$...~..s.
    0080 - d6 85 c5 8c 76 de 2d c7-f6 70 da 62 c8 dc 3e b8   ....v.-..p.b..>.
    0090 - 27 ea e0 2d 4c 5e 89 32-8f 51 7f 29 5a ea a2 b4   '..-L^.2.Q.)Z...
    00a0 - 16 41 ac 70 20 91 d0 9f-ba ef 4f 2c 9f eb 54 71   .A.p .....O,..Tq

    Start Time: 1496869457
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This shows that the intermediate certificate is correctly included, so most likely the problem is that your phone does not include DST Root X3. The answers to my questions above would still be useful. You can also check the compatibility list at https://letsencrypt.org/docs/certificate-compatibility/.


openssl s_client -connect ssl.server293.com:587 -starttls smtp
shows a proper unexpired cert:

Can’t tell if it is sending the intermediate chain info…
or if your phone doesn’t like that they prefer DHE ciphers but offer them via only DH 1024:
subject=/CN=ssl.server293.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits

SSL handshake has read 3846 bytes and written 399 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
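The two posts above read the openssl s_client output by eye to separate "server forgot the intermediate" from "phone lacks DST Root CA X3" (and to spot the 1024-bit DH temp key). As an added example, not from anyone in this thread, here is a small checker that parses that same output format and reports those three things; the samples are constructed from the listings quoted above, with PEM bodies dropped and the SMTP chain listing assumed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the IMAP -showcerts listing from this thread, trimmed.
SAMPLE_IMAP = """\
Certificate chain
 0 s:/CN=ssl.server293.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server Temp Key: ECDH, P-384, 384 bits
    Verify return code: 0 (ok)
"""

# Constructed (hypothetical) sample: a leaf-only SMTP listing with a 1024-bit DH key.
SAMPLE_SMTP = """\
Certificate chain
 0 s:/CN=ssl.server293.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server Temp Key: DH, 1024 bits
Verification error: unable to get local issuer certificate
"""

CHAIN_RE = re.compile(r"^ *\d+ s:(.*)\n *i:(.*)$", re.MULTILINE)
TEMP_KEY_RE = re.compile(r"^Server Temp Key: (\w+),.*?(\d+) bits", re.MULTILINE)


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """(subject, issuer) pairs in the order the server presented them."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in CHAIN_RE.finditer(output)]


def chain_report(output: str) -> Dict[str, object]:
    """Diagnose missing intermediate vs. untrusted root, plus weak DH, from s_client output."""
    chain = parse_chain(output)
    if not chain:
        raise ValueError("no 'Certificate chain' listing in output")
    # Each presented cert's issuer should be the subject of the next one sent.
    broken_links = [iss for (_, iss), (nxt, _) in zip(chain, chain[1:]) if iss != nxt]
    last_subject, last_issuer = chain[-1]
    # Unless the last cert is self-signed, the client must hold its issuer in
    # its own trust store (DST Root CA X3 for the Let's Encrypt chain shown here).
    root_required = None if last_subject == last_issuer else last_issuer
    # A lone, non-self-signed leaf means the server sent no intermediate at all.
    intermediate_missing = len(chain) == 1 and root_required is not None
    m = TEMP_KEY_RE.search(output)
    weak_dh = bool(m and m.group(1) == "DH" and int(m.group(2)) < 2048)
    return {"chain_length": len(chain), "broken_links": broken_links,
            "root_required": root_required, "intermediate_missing": intermediate_missing,
            "weak_dh": weak_dh, "verified_locally": "Verify return code: 0 (ok)" in output}
```

Feed it the captured stdout of `openssl s_client -showcerts`; a non-empty `root_required` with `intermediate_missing` false points at the client's trust store rather than the server.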

I have an iPhone 6s. I’m running 10.2.1. There is a new version available but I haven’t downloaded it yet. Could that be the problem?

I’ll check that out. Hopefully it will solve the problem. Thanks!

Your iPhone 6s running 10.2.1 should support Let’s Encrypt certificates. Are you using the built-in mail app?

I’ve confirmed that the intermediate certificates are correctly configured on the usual ports, so that’s not the problem.

Can you take a screenshot of the error you see and post it? Instructions here: https://support.apple.com/en-us/HT200289
