iPhone not recognising new LE Certs (Symbiosis)

Ahoy there,

It’s been rather slow on here for a while so I thought I’d post on the topic of one of my pet issues just in case someone has a better workaround. Issue - Apple products don’t seem to want to accept newly issued LE certs. The only workaround I have found is to remove / delete and reinstall the mail account, at which point the device normally accepts the new LE cert.

Does anyone know of a more graceful workaround?

Rgds Pete

What hostnames are you using when configuring the clients?

In theory, using example.com which is likely in your SSL cert, rather than something like mail.example.com or imap.example.com should be okay and survive new certs being issued.

I’m using example.com for mail server settings. I must add that I’m still hosting mail and sites on Bytemark’s servers. Does anyone know whether this issue exists when there’s a rollover of certs with the Sympl setup?

Rgds Pete

I have that trouble too. When the certificate changes I have to remove and re-add each email account on my iPad and iPhone.

I use mx.example.com now but previously just used the IP address.

You should be fine to use the bare domain (example.com) or another alias it has pointing to it, as the certificate will match.

This was a fix added to Sympl so it has full support for SNI for mail, and some clients, notably Apple ones, can be really picky when you connect to a domain name that doesn’t directly match the names available in the certificate.

Obviously this will be fully fixed when wildcard support is added, but for now, you should be fine connecting to any name used by a current SSL certificate.

What’s the actual domain name? Knowing that, we’ll be able to check the certificate, and see exactly what the issue is. Also, what’s the client that you’re trying to connect? I guess Apple Mail, but if you’re explicit, that helps, too. What does the relevant configuration of your client look like (domain name, port, etc)? Finally, what error message are you seeing if any?

Without that information, we can only guess at the solution. But did you follow the Bytemark documentation for implementing SNI in both Exim and Dovecot?
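The check Ian suggests above (which DNS names the server’s certificate actually carries, and whether the hostname configured in the mail client matches one of them) can be scripted. This is an added example, not code from the thread or from Sympl: it connects with implicit TLS on port 993, sends the configured hostname as SNI, and applies the usual single-label wildcard matching rule; the hostnames in the default argument are placeholders.

```python
"""Check whether a mail-client hostname matches the SANs a server presents via SNI.

Added example; not part of the forum thread. Hostnames used by default are placeholders.
"""
import socket
import ssl


def san_dns_names(cert: dict) -> list[str]:
    """Extract the DNS entries from the subjectAltName of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact, or a lone leftmost '*' covering exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans several labels, nor matches the bare domain
    if pat[0] == "*":
        # '*' must be the whole leftmost label and must not sit directly under the TLD.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def hostname_covered(hostname: str, names: list[str]) -> bool:
    """True if the client-configured hostname matches any SAN DNS entry."""
    return any(name_matches(hostname, n) for n in names)


def fetch_sans(hostname: str, port: int = 993, timeout: float = 10.0) -> list[str]:
    """Connect with implicit TLS, sending `hostname` as SNI, and return the SAN DNS names.

    The chain is still verified against the system trust store, but hostname checking
    is disabled so a mismatching certificate can be inspected instead of aborting.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return san_dns_names(tls.getpeercert())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    names = fetch_sans(host)
    verdict = "OK" if hostname_covered(host, names) else "MISMATCH (picky clients will reject)"
    print(f"{host}: SANs={names} -> {verdict}")
```

Run it with the exact hostname typed into the client’s account settings; a MISMATCH verdict means the name is not in the certificate the server presents for that SNI name, which is the case strict clients refuse.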

Good to hear from you Ian Sir,

Which side are you on these days? Mythic or Bytemark?

Issue - Apple products don’t seem to want to accept newly issued LE certs.
This was a well-documented issue on Bytemark’s forums, well, until the forums were removed from public viewing.

Each time there’s a rollover of LE certs my customers complain that their iPhones won’t auto accept the new certificate. This issue isn’t isolated to just one domain; it’s prevalent with every domain and every server. And I suspect the issue is iPhone related rather than server setup.

The Bytemark documentation for implementing SNI in both Exim and Dovecot has been implemented to the letter.

Kind regards Pete

Until wildcards are added, I am using Gmail as a workaround. I can still receive and send to my domains, as if I was on them directly. It actually works very well and you get the advantage that Gmail do a great job filtering spam. In Gmail, just add the accounts as required, then on Sympl add forwarding.