Let's Encrypt got on my iphone without my permission


I never heard of Let’s Encrypt until I found that I can’t send emails from my phone. I just want this off my phone. How do I get rid of this?

Let's Encrypt expire error message

I have a hard time understanding what you mean. How exactly is Let’s Encrypt present on your phone? Could you upload an example screenshot for more clarity? Or at least tell us more details about the application involved and what the exact message/situation is where you encounter something from Let’s Encrypt?


I didn’t put Let’s Encrypt on my phone. Why is it there? Below is a screen grab from my iphone.


Here is the error message I’m getting on my phone:

Cannot Verify Server Identity
The identity of “greenlightcreative.net” cannot be verified by Mail.


It seems you’re just reading the information about the TLS certificate sent to your phone by the webserver of greenlightcreative.net. Your web browser or e-mail client (or other TLS client for that matter) checks this certificate for genuineness of the server you’re connecting to.

So it isn’t really something on your phone, but it’s sent by the server you’re connecting to.

For example, if you connect to disney.com, you’d see a certificate issued by the Organization “Entrust, Inc.”.

This counts for every TLS connection or TLS certificate and for every public Certificate Authority, not just Let’s Encrypt.


I can no longer send emails now, but I can receive them. On my certificate it says it’s issued by Let’s Encrypt Authority x3. It says “Not Trusted,” and that it expired on 6/25/18 at 7:21:58 AM.

Is Let’s Encrypt on every iphone? Does that come standard? Here’s another screenshot with an error message:


The Let’s Encrypt certificates are signed by the Let’s Encrypt Intermediate X3 certificate, which itself is signed by the DST Root X3 root certificate of IdenTrust, which is included in most root certificate stores, including Apple’s iOS.

If and how Let’s Encrypt certificates are used and thus shown/processed by your phone depends on if the system administrator of the SITE or SERVICE (such as e-mail) uses Let’s Encrypt certificates. Or if he/she uses another Certificate Authority to get certificates from. That choice is not one of your phone.


Bottom line - how do I get this off my phone and go back to my original certificate trust settings?


As I’ve told you many, MANY times in the posts above, the certificate is sent to you by the computer you are connecting to, also called the server.

If you surf to for example google.com, you’ll get a certificate presented to your client (i.e., your phone) from Google (and not Let’s Encrypt). You won’t be asking Google to remove the Google certificate from your phone I’m guessing?

Or ask Disney to remove the Entrust Inc’s certificate from your phone when you surf to disney.com?


I’ll just take it into Apple and get it fixed there.


Essentially, what you need to do is contact the operator of greenlightcreative.net and tell them they need to renew their certificate. The certificate is on their server, not your phone, so only they can fix the problem.


There is a relatively easy way.

Do you own the website https://www.greenlightcreative.net/ ?

If you do, go to any certificate store (e.g. comodo.com) and purchase a certificate for this domain, then install the certificate to your server (mail server), then voilà.

P.S. this site is using Siteground cPanel server, hence it should be extremely easy to swap / change certificates.



The certificate is up to date, so it doesn’t necessarily need to be renewed.


For HTTPS on port 443, yes.

But for port 25, 110 and port 143 (with STARTTLS) or 465, 993 and 995 (without STARTTLS) that’s a whole other story. But not a Let’s Encrypt certificate though :wink:

Those services provide a certificate from AlphaSSL with SAN “*.sgcpanel.com, DNS:sgcpanel.com”. So that won’t work if @bellidash tries to connect to those servers with greenlightcreative.net as the hostname.


I get a Let’s Encrypt cert on 993 with SNI, I’m surprised it’s supported but I guess the one @bellidash is seeing on their iPhone must be coming from somewhere right?


An IMAP daemon supporting SNI? :open_mouth:

Didn’t even try SNI b/c I’m not used to mailservers supporting it… I’m not sure mail clients do either?


You would also need to specify -servername…

From my openssl command, the certificate is up to date…

```
openssl s_client -connect greenlightcreative.net:465 -servername www.greenlightcreative.net

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/CN=greenlightcreative.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 3277 bytes and written 337 bytes
Verification error: unable to get local issuer certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9BC967805B4EC464DC730EFB7C446EBF3FBAAFB38AEF094BB6061B3009C8B1E7
    Master-Key: E3C383CC2976EF9B01ADB036F54096EDD37DE07E60B61022CD9871D6B657AF9388D2FC32620F840538AEF0EF31316C47
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1529959642
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
220-us13.siteground.us ESMTP #148 Mon, 25 Jun 2018 15:47:21 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
```

If not specifying servername, it will provide a sitegroundcpanel certificate…
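
Added example, not part of any post in this thread: a sketch of the two checks a mail client applies to whichever certificate the server hands back, run over the cases discussed above (the shared `*.sgcpanel.com` certificate served without SNI, an expired certificate for the domain, and a current one served with SNI). The function names, the certificate dictionaries (shaped like Python's `ssl.getpeercert()` output), their validity dates and the check time are all constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def matches(pattern, host):
    """Exact match, or one left-most '*' label standing in for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def diagnose(cert, host, now):
    """Reasons a TLS client would reject `cert` (getpeercert()-style dict) for `host`."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    problems = []
    if not any(matches(n, host) for n in names):
        problems.append("hostname-mismatch")
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    elif now.timestamp() < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    return problems

# Constructed sample certificates: names follow the thread, validity dates are made up.
SHARED_HOST_CERT = {   # what the mail ports answer with when no SNI is sent
    "subjectAltName": (("DNS", "*.sgcpanel.com"), ("DNS", "sgcpanel.com")),
    "notBefore": "Jan 10 00:00:00 2018 GMT", "notAfter": "Jan 10 00:00:00 2019 GMT"}
STALE_CERT = {         # an old certificate for the domain that was never replaced
    "subjectAltName": (("DNS", "greenlightcreative.net"),),
    "notBefore": "Mar 27 12:21:58 2018 GMT", "notAfter": "Jun 25 12:21:58 2018 GMT"}
RENEWED_CERT = {       # a current certificate served when SNI names the domain
    "subjectAltName": (("DNS", "greenlightcreative.net"),
                       ("DNS", "www.greenlightcreative.net")),
    "notBefore": "May 26 00:00:00 2018 GMT", "notAfter": "Aug 24 00:00:00 2018 GMT"}

HOST = "greenlightcreative.net"
NOW = datetime(2018, 6, 25, 20, 47, 21, tzinfo=timezone.utc)  # constructed check time

def survey():
    """Diagnose each constructed certificate as a client connecting to HOST would."""
    cases = [("no SNI", SHARED_HOST_CERT), ("stale", STALE_CERT), ("SNI", RENEWED_CERT)]
    return {label: diagnose(cert, HOST, NOW) for label, cert in cases}

if __name__ == "__main__":
    for label, problems in survey().items():
        print(f"{label:7} -> {problems or 'ok'}")
```

Either failure produces the same "cannot verify server identity" prompt on the client, which is why comparing the certificate returned with and without `-servername` on each mail port narrows down what the server operator has to fix.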


The people who can fix it are

https://www.greenlightcreative.net/?page_id=3974 (or their hosting provider, SiteGround)

@bellidash, I know that your Apple phone mentions Let’s Encrypt in relation to an error but as people here have explained, neither Apple nor Let’s Encrypt is responsible for the error, nor in a position to fix it. Instead, the problem is with Green Light Creative’s servers, which have not been updated correctly. The information that your phone displays about the error is not intended to get you to change something about your phone, but to help people who are responsible for the server understand what’s wrong and what they need to fix.


cPanel supports it… lol