I never heard of Let’s Encrypt until I found that I can’t send emails from my phone. I just want this off my phone. How do I get rid of this?
I have a hard time understanding what you mean. How exactly is Let’s Encrypt present on your phone? Could you upload an example screenshot for more clarity? Or at least tell us more details about the application involved and what the exact message/situation is where you encounter something from Let’s Encrypt?
Here is the error message I’m getting on my phone:
Cannot Verify Server Identity
The identity of “greenlightcreative.net” cannot be verified by Mail.
It seems you’re just reading the information about the TLS certificate sent to your phone by the webserver of greenlightcreative.net. Your web browser or e-mail client (or other TLS client for that matter) checks this certificate for genuineness of the server you’re connecting to.
So it isn’t really something on your phone, but it’s sent by the server you’re connecting to.
For example, if you connect to disney.com, you’d see a certificate issued by the Organization “Entrust, Inc.”.
This counts for every TLS connection or TLS certificate and for every public Certificate Authority, not just Let’s Encrypt.
I can no longer send emails now, but I can receive them. On my certificate it says it’s issued by Let’s Encrypt Authority x3. It says “Not Trusted,” and that it expired on 6/25/18 at 7:21:58 AM.
Is Let’s Encrypt on every iPhone? Does that come standard? Here’s another screenshot with an error message:
The Let’s Encrypt certificates are signed by the Let’s Encrypt Intermediate X3 certificate, which itself is signed by the DST Root X3 root certificate of IdenTrust, which is included in most root certificate stores, including Apple’s iOS.
If and how Let’s Encrypt certificates are used and thus shown/processed by your phone depends on if the system administrator of the SITE or SERVICE (such as e-mail) uses Let’s Encrypt certificates. Or if he/she uses another Certificate Authority to get certificates from. That choice is not one of your phone.
Bottom line - how do I get this off my phone and go back to my original certificate trust settings?
As I’ve told you many, MANY times in the posts above, the certificate is sent to you by the computer you are connecting to, also called the server.
If you surf to for example google.com, you’ll get a certificate presented to your client (i.e., your phone) from Google (and not Let’s Encrypt). You won’t be asking Google to remove the Google certificate from your phone I’m guessing?
Or ask Disney to remove the Entrust Inc’s certificate from your phone when you surf to
I’ll just take it into Apple and get it fixed there.
Essentially, what you need to do is contact the operator of greenlightcreative.net and tell them they need to renew their certificate. The certificate is on their server, not your phone, so only they can fix the problem.
There is a relatively easy way.
Do you own the website https://www.greenlightcreative.net/ ?
If you do, go to any certificate store (e.g. comodo.com) and purchase a certificate for this domain, then install the certificate to your server (mail server), then voilà.
P.S. this site is using Siteground cPanel server, hence it should be extremely easy to swap / change certificates.
The certificate is up to date, so it doesn’t necessarily need to be renewed.
For HTTPS on port 443, yes.
But for port 25, 110 and port 143 (with STARTTLS) or 465, 993 and 995 (without STARTTLS) that’s a whole other story. But not a Let’s Encrypt certificate though
Those services provide a certificate from AlphaSSL with SAN “*.sgcpanel.com, DNS:sgcpanel.com”. So that won’t work if @bellidash tries to connect to those servers with greenlightcreative.net as the hostname.
I get a Let’s Encrypt cert on 993 with SNI, I’m surprised it’s supported but I guess the one @bellidash is seeing on their iPhone must be coming from somewhere right?
An IMAP daemon supporting SNI?
Didn’t even try SNI b/c I’m not used to mailservers supporting it… I’m not sure mail clients do either?
You would also need to specify -servername…
from my openssl command, the certificate is up to date…
    openssl s_client -connect greenlightcreative.net:465 -servername www.greenlightcreative.net

    CONNECTED(00000148)
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:/CN=greenlightcreative.net
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    subject=/CN=greenlightcreative.net
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3277 bytes and written 337 bytes
    Verification error: unable to get local issuer certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 9BC967805B4EC464DC730EFB7C446EBF3FBAAFB38AEF094BB6061B3009C8B1E7
        Session-ID-ctx:
        Master-Key: E3C383CC2976EF9B01ADB036F54096EDD37DE07E60B61022CD9871D6B657AF9388D2FC32620F840538AEF0EF31316C47
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1529959642
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
        Extended master secret: no
    ---
    220-us13.siteground.us ESMTP #148 Mon, 25 Jun 2018 15:47:21 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
If not specifying servername, it will provide a sitegroundcpanel certificate…
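The behaviour discussed in the posts above (the server picks a certificate by SNI, the mail client then checks name and expiry), as an added offline example that is not code from any poster or from SiteGround. The function names, the SAN list of the Let's Encrypt certificates, the UTC reading of the reported expiry time and all dates marked "constructed" are assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed records modelled on the certificates mentioned in the thread.
SHARED = {"san": ["*.sgcpanel.com", "sgcpanel.com"],         # default cert, no SNI
          "not_after": datetime(2019, 1, 1, tzinfo=UTC)}     # constructed date
OLD_LE = {"san": ["greenlightcreative.net"],                 # SAN list assumed
          "not_after": datetime(2018, 6, 25, 7, 21, 58, tzinfo=UTC)}  # reported expiry, UTC assumed
NEW_LE = {"san": ["greenlightcreative.net"],                 # SAN list assumed
          "not_after": datetime(2018, 9, 21, tzinfo=UTC)}    # constructed date
NOW = datetime(2018, 6, 25, 20, 47, tzinfo=UTC)              # time of the SMTP banner above

def name_matches(hostname, pattern):
    """RFC 6125 style match: '*' may only replace the whole left-most label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    head, _, tail = host.partition(".")
    return bool(head) and tail == pat[2:]

def select_cert(sni, vhosts, default):
    """Server side: certificate of the vhost named in SNI, else the default one."""
    return vhosts.get(sni.lower(), default) if sni else default

def verify(hostname, cert, now):
    """Client side: reasons a mail client would refuse this certificate."""
    problems = []
    if now > cert["not_after"]:
        problems.append("expired")
    if not any(name_matches(hostname, p) for p in cert["san"]):
        problems.append("name mismatch")
    return problems

def scenario(hostname, sni, vhosts, now=NOW):
    """What a client configured for `hostname` sees when it sends `sni`."""
    return verify(hostname, select_cert(sni, vhosts, SHARED), now)

if __name__ == "__main__":
    host = "greenlightcreative.net"
    cases = [("no SNI sent", None, NEW_LE),
             ("SNI sent, certificate not yet renewed", host, OLD_LE),
             ("SNI sent, renewed certificate", host, NEW_LE)]
    for label, sni, cert in cases:
        print(f"{label:40} -> {scenario(host, sni, {host: cert}) or 'ok'}")
```
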
The people who can fix it are https://www.greenlightcreative.net/?page_id=3974 (or their hosting provider, SiteGround)
@bellidash, I know that your Apple phone mentions Let’s Encrypt in relation to an error but as people here have explained, neither Apple nor Let’s Encrypt is responsible for the error, nor in a position to fix it. Instead, the problem is with Green Light Creative’s servers, which have not been updated correctly. The information that your phone displays about the error is not intended to get you to change something about your phone, but to help people who are responsible for the server understand what’s wrong and what they need to fix.
cPanel supports it… lol