MacOS X and iOS rejecting Cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: VirtualHost configuration:

*:443 default (/etc/apache2/sites/0000_127.0.0.1_34543_.conf:1)

*:80 is a NameVirtualHost

default server fortunata.teleinteractive.net (/etc/apache2/sites/0000_127.0.0.1_34580_.conf:1)

port 80 namevhost fortunata.teleinteractive.net (/etc/apache2/sites/0000_127.0.0.1_34580_.conf:1)

port 80 namevhost press.teleinteractive.net (/etc/apache2/sites/0000_127.0.0.1_80_press.teleinteractive.net.conf:1)

alias blogs.teleinteractive.net

alias www.teleinteractive.net

alias blog.teleinteractive.net

alias press.teleinteractive.net

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache/2.4.28 (Unix)

The operating system my web server runs on is (include version): Mac OS X 10.11.6

My hosting provider, if applicable, is: self collocated at MacStadium

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Apple Server.app v5.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.6.0

Statement: I last used certbot on August 3. Today, as with so many others, the certificates are not recognized by our Mac OS (older and current on various machines) and iOS 14.8. I use a script from the Let’s Encrypt community to convert the fullchain.pem into a P12 certificate for Apple Server. This certificate handles our email and website. The script is:


#!/bin/sh

PEM_FOLDER="/etc/letsencrypt/live/fortuna.teleinteractive.net/"
LOG_FOLDER="/Users/dipaolantonio/Documents/sslcerts/letsencrypt/lets_script/logs"
DATE=$(date +"%d-%m-%y")
LOG_FILE="${LOG_FOLDER}/${DATE}.log"

# Generate a random passphrase for the p12 file - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
# (the tr set is quoted and the passphrase is quoted below so the shell cannot split or glob it)
PASS=$(openssl rand -base64 45 | tr -d '/=+' | cut -c -30)

# Transform the pem files into a OS X Valid p12 file - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
# -in is the leaf certificate, -certfile supplies the extra certificates bundled alongside it
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:${PASS}"

# import the p12 file in keychain - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
# -T grants servermgrd access to the imported key without a prompt
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "${PASS}" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

The PEM folder contains


sudo ls -al /etc/letsencrypt/live/fortuna.teleinteractive.net/
Password:
total 64
drwxr-xr-x  8 root  wheel   272 Aug  3 12:13 .
drwxr-xr-x  4 root  wheel   136 Sep 28  2017 ..
-rw-r--r--  1 root  wheel   543 Sep 28  2017 README
lrwxr-xr-x  1 root  wheel    52 Aug  3 12:13 cert.pem -> ../../archive/fortuna.teleinteractive.net/cert23.pem
lrwxr-xr-x  1 root  wheel    53 Aug  3 12:13 chain.pem -> ../../archive/fortuna.teleinteractive.net/chain23.pem
lrwxr-xr-x  1 root  wheel    57 Aug  3 12:13 fullchain.pem -> ../../archive/fortuna.teleinteractive.net/fullchain23.pem
-rw-r--r--  1 root  wheel  9957 Aug  3 12:19 letsencrypt_sslcert.p12
lrwxr-xr-x  1 root  wheel    55 Aug  3 12:13 privkey.pem -> ../../archive/fortuna.teleinteractive.net/privkey23.pem

Yes, I know that I should migrate from Server, and it’s long overdue. I would truly appreciate any help from the community to tide us over until I can do so. As far as I can tell, I am using the fullchain.pem to create the P12 cert, so all the other topics here that recommend the fullchain don’t help. Please let me know what I am missing, or what I can try. Thank you.

Your served chain looks good to me:
openssl s_client -showcerts -connect fortunata.teleinteractive.net:443 -servername fortunata.teleinteractive.net

Have you tried a reboot of your clients?

No, but I just rebooted the server, based on your suggestion. It has only been 25 years since I last worked as a sysadmin — I shouldn’t have forgotten such a simple thing /sigh The iOS clients are receiving email now. I will check the others. Thank you so very much for your quick response.

Good to know, I didn't think a server reboot would matter for Linux (it does on Windows).

Neither one looks perfect to me:

---
Certificate chain
 0 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 4 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Both show the same output:

openssl s_client -connect fortuna.teleinteractive.net:443 -servername fortuna.teleinteractive.net
openssl s_client -connect fortunata.teleinteractive.net:443 -servername fortunata.teleinteractive.net

Lines ZERO and ONE are duplicates.
Line FOUR is a root and should never be sent.

This might be part of that problem:

Thank you for your help. I am not sure that I understand the problem with that line from the script. Is the information in the cert file duplicating the information in the fullchain file, thus causing the duplication of line 0 into line 1 and exposing the root in line 4? Would you have any recommendations on how to change that line of the script, or resources that I might research to fix it? Thank you again.

The fullchain.pem file contains cert.pem.
Using them both would then include cert.pem twice.

Here, let me draw it out:
cert.pem = CERT
fullchain.pem = CERT + CHAIN
cert.pem & fullchain.pem = CERT & CERT + CHAIN

I don't know what is required or what can be skipped in that script, so I can't be 100% certain.
That said, the most obvious choice is to NOT use fullchain.pem and instead use chain.pem
[a file that is hardly ever used - even I had to look at the contents to make sure it does what it says]
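The two checks above, done mechanically. This is an added example, not code from the thread or from certbot: it parses the "Certificate chain" listing that `openssl s_client -showcerts` prints (the sample is reconstructed from the listing quoted earlier in this thread), and it counts the certificates that `openssl pkcs12 -export -in cert.pem -certfile ...` would bundle from constructed placeholder PEM files laid out like certbot's cert.pem, chain.pem and fullchain.pem.

```python
import re
# Constructed sample: the "Certificate chain" block that `openssl s_client -showcerts`
# printed for the server in this thread (names copied from the thread, not a live capture).
CHAIN_LISTING = """\
 0 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 4 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

def parse_chain_listing(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", text, re.M)
    return list(zip(subjects, issuers))

def audit_chain(pairs):
    """Flag what the thread found: a repeated certificate, a self-signed root that
    was sent, and a cert whose issuer is not the subject of the cert after it."""
    findings = []
    for idx, (subj, iss) in enumerate(pairs):
        first = pairs.index((subj, iss))
        if first != idx:
            findings.append(f"cert {idx} duplicates cert {first}")
        if subj == iss:
            findings.append(f"cert {idx} is self-signed (a root) and need not be sent")
        if idx + 1 < len(pairs) and pairs[idx + 1][0] != iss:
            findings.append(f"cert {idx} issuer does not match cert {idx + 1} subject")
    return findings

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pkcs12_cert_set(in_pem, certfile_pem):
    """Certificates `openssl pkcs12 -export -in ... -certfile ...` would bundle.
    Returns (total, distinct); a duplicate shows up as total > distinct."""
    blocks = PEM_RE.findall(in_pem) + PEM_RE.findall(certfile_pem)
    return len(blocks), len(set(blocks))

# Constructed stand-ins for certbot's live/ files (placeholder bodies, not real
# certificates); the layout is what matters: fullchain.pem = cert.pem + chain.pem.
def _pem(label):
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"
CERT_PEM = _pem("LEAF")
CHAIN_PEM = _pem("R3") + _pem("ISRG Root X1")
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM
```

Passing cert.pem together with fullchain.pem bundles the leaf twice, which is exactly the duplicated entries 0 and 1 in the served chain; cert.pem together with chain.pem bundles each certificate once.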

I see. OpenSSL is not an area that I understand well. The script came from the Let’s Encrypt community and I have been using it for years. Should that line of the script be changed to:


# Transform the pem files into a OS X Valid p12 file - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
# chain.pem holds only the intermediates, so the leaf from -in is bundled once
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}chain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:${PASS}"

That is, simply replace the fullchain.pem with chain.pem? Thank you for your patience.

That would seem to do the trick on the ZERO and ONE duplication.
The jury is still out on the FOUR problem...
[but that is likely not that problematic; as no one accepts roots from web servers anyway]

Let's make that one fix and see how things look.
Like via SSL Labs [they do a really good job]

Then we shall see. Thank you again for your help and insight. Be well.

Glad to be of service :slight_smile:
Cheers from Miami :beers:

#FreeCUBA :cuba: