My iPhone seems to use a cached version of the old expired R3?

This is not really related to letsencrypt.org, however maybe someone has any ideas: starting today my main iPhone iOS 15 is marking my letsencrypt certificate as "not trusted, expired 29 september 2021", however the certificate is correctly issued using the new "R3 <- ISRG Root X1" path, I triple checked and also checked it using crt.sh / other certificate checkers.


This only happens on my main iPhone (where I have stumbled upon the old R3 certificate in the past), on any other device (laptop, desktop, other iPhones with iOS 15, iPads, etc) it's trusted/working as intended. Is there any chance that my main iPhone has a cached version of the old "R3" and doesn't want to refetch the new "R3" due to the same name? I tried shutting it off and turning it back on, no success. I do not want to do a factory/full settings reset.

We can't really help you without knowing the hostname, but a likely cause is because your server doesn't send the intermediate certificates. This causes clients to fetch them themselves and may lead to what you're seeing.

2 Likes

Thank you, you are correct. I wasn't sending the full chain and the client seemed to have some old cache for the intermediate certificates. Fixed

3 Likes

Hello,

I'll be glad if you'll clarify: isn't it a good practice to provide just the certificate itself instead of the whole chain?
This way you rely on the OS vendor to provide the correct root and intermediate certificates, which makes an attacker who provides his own chain for a known site fail?
If so, then I think it's in Let's Encrypt's interest to contact Apple and ask them to update the root/intermediate certificates they provide to their clients, am I right?

Thanks in advance for your answers.
