Some iOS 10, 11 unable to accept certificate

Help
1

I gave Letsencrypt a try on one of my servers (x16.webinger.net). So far everything seems to run fine. The certificate was created within the newest Version of Virtualmin, Version 6.01.

Now I ran into a strange Problem that only some iOS Devices (iOS 10, 11). For example iPhone 6s and some iPads do not recognize the letsencrypt certificate as a trustworthy on their standard email app.

7d2645de-a503-4f02-881a-21383b701c8e
7d2645de-a503-4f02-881a-21383b701c8e.jpg720×1280 33.4 KB

And they are not able to accept them. I never had problems to accept even self signed certificates before.

Any ideas on that?

2

The only thing I can find is that the site supports SSLv3 - which is BAD:
https://www.ssllabs.com/ssltest/analyze.html?d=x16.webinger.net&hideResults=on
https://www.WhyNoPadlock.com/ shows:

whynopadlock
x16.webinger.net.whynopadlock.jpg854×389 47.1 KB

3

You mean the poodle thing? Actually tha vulererability was closed or is there another thing why SSL3 is not secure?

4

I don’t know why you can’t connect via your iOS devices - mine connects just fine.
And like I said, The ONLY thing I can find is that the site supports SSLv3
This does not mean that supporting SSLv3 is the reason for your problem, nor that you have to do anything about it to resolve your problem (although, who knows, it might be related).

Maybe someone else can look and see something we have both missed.

5

And on the topic of vulnerabilities…
Things break (are broken) all the time.
Today’s highlight: WPA2
KrackAttacks.com

6

I cannot say, if this is the reason, but you apparently have deployed the certificate for smtp only. If I try to connect to your server to the pop3/imap ports, then I get another (self signed) certificate:

$ openssl s_client -starttls imap -connect x16.webinger.net:143
CONNECTED(00000003)
depth=0 O = Dovecot mail server, OU = v2201503549923830.yourvserver.net, CN = v2201503549923830.yourvserver.net, emailAddress = root@v2201503549923830.yourvserver.net
verify error:num=18:self signed certificate

7

thank you for the test
should work now for pop3/imap

8

Yes, works right.
So, is your issue still valid?

9

not sure. i do not have those problematic ios devices here. i will tell you how it turned out

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.