R3 Cert not trusted by iphone (iOS 15.1)

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: my.gcmex.com

I ran this command:

It produced this output:

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 16.04.5 LTS

My hosting provider, if applicable, is: Docker/Cloudron

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Cloudron

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

email certificate is not trusted by iphone (iOS 15.1).
SSL Labs shows rating A+
No issues in other clients
This cert is automatically generated by Cloudron

2

Hi @rfg76 and welcome to the LE community forum :slight_smile:

Do you get the same message with:

3

Hi @rfg76,

That is pretty mysterious because iOS 15.1 definitely accepts the X1 root, and, as you saw, you have an A+ on SSLLabs including a simulation of an iOS client.

Is it possible that the iOS client in question is on a network that is interfering with the connection in some way, such as an intercepting proxy or firewall? Is it your own iOS device, or did you get a report from someone else about this compatibility problem? Can you get a screenshot of the specific error message?

Which protocol and port is the client using? Is it some particular app under iOS? Is it HTTPS on port 443 or one of the e-mail services on 587, 25, or 993? (Though all of those also look right to me.)

1 Like
5

I remember about iOS will default to expired R3-signed by DST root if no intermediate certificate provided.

2 Likes
6

SSLLabs wouldn't give an A+ if there was no correct certificate chain :wink:

7

SSL Labs only checks port 443.
Lord only knows where else they may also be using that cert.

NOTE: The very subtle clue...

2 Likes
8

Thanks for your response

User always use mobile data (cellular connection). The error is while using email services (imap and smpt) and only states: "not trusted" but let him continue. He uses the native iOS email app.

1 Like
9

That's embarrasing, is there any other service to check email certificate?

10

There probably is - I use openssl [old school]
Here is what I found:

Port 25,443,587,993:
---
Certificate chain
 0 s:/CN=my.gcmex.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

They are all using the exact same cert.
So, the "problem" may be with the clients not liking the ("longer") cross-signed chain.
You could try switching to the "shorter" self-signed "ISRG Root X1" chain.
OR
If that doesn't get you to 100%, switch to using another free CA.

Note: I may have missed some ports - not all ports responded.

1 Like
11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.