Applicable to:
- Plesk for Linux
Symptoms
- Let's Encrypt SSL certificate securing mail has been renewed on the Plesk server.
- Mail server name is specified correctly in settings of mail client (iOS mail and MacOS mail). It matches the server name in the certificate at Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail.
- Mail users with iOS / MacOS devices cannot access mail after certificate renewal on Plesk server. The following error appears in UI:
  Cannot Verify Server Identity
  Settings cannot verify the identity of "mail.example.com". Would you like to continue anyway?
- In iOS / MacOS mail client there is no "Trust" button on "Details" screen in the upper-right corner.
Cause
iOS / MacOS issue: the system does not allow the user to "trust" an SSL/TLS certificate after renewal.
Resolution
There are two possible solutions:
Solution 1. Recreate mail accounts on devices
- Remove mail account from iOS / MacOS device.
- Re-create email account on iOS / MacOS device.
Solution 2. Manually install the required SSL certificates and allow their use from device settings:
- Get the certificate. The certificate can be exported from the browser to a .cer file:
  - Press F12 > Security > View certificate.
  - In the newly opened window, go to the Details tab and click on Copy file.
  - It will open the export wizard. Click on Next.
  - Select "DER binary coded X.509 (.CER)" and click Next.
  - Select a name for the file and click Next.
  - Review the information and click on Finish.
- Upload the .cer file to the iOS device through email, Safari browser or File Sharing and install it by clicking/tapping on the uploaded file.
- Set up the email account.
- If more information is needed on the certificate, it can be found in: Settings > General > Profile.
Note: Interfaces on different versions of iOS / MacOS may vary.
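A check to run on the exported .cer file before installing it on a device, as an added example that is not part of the original article: it confirms that the file covers the mail host name the clients use, that it is not about to expire, and prints its SHA-256 fingerprint for comparison with the certificate the server presents. The function names, file names and the self-signed demo certificate are constructed for illustration; OpenSSL 1.1.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example: inspect a DER-encoded .cer before trusting it on a device.
# Function names, paths and host names are constructed for this demo.

# Print "match" if the DER certificate $1 covers host name $2, else "mismatch".
cer_covers_host() {
    if openssl x509 -inform DER -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q "does match"; then
        echo match
    else
        echo mismatch
    fi
}

# Print "valid" if the certificate $1 stays valid for $2 more seconds.
cer_valid_for() {
    if openssl x509 -inform DER -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo expiring
    fi
}

# Print the SHA-256 fingerprint (colon-separated hex) of certificate $1.
cer_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Build a constructed 90-day test certificate that stands in for the
# browser export; prints the path of the resulting DER file.
make_demo_cer() {
    demo_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=mail.example.com" \
        -addext "subjectAltName=DNS:mail.example.com,DNS:example.com" \
        -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
    openssl x509 -in "$demo_dir/cert.pem" -outform DER -out "$demo_dir/mail.cer"
    echo "$demo_dir/mail.cer"
}

cer=$(make_demo_cer)
echo "mail.example.com  : $(cer_covers_host "$cer" mail.example.com)"
echo "mail.example1.com : $(cer_covers_host "$cer" mail.example1.com)"
echo "valid 30 more days: $(cer_valid_for "$cer" 2592000)"
echo "SHA-256           : $(cer_fingerprint "$cer")"
```

For a live server, the same DER file can be produced with `openssl s_client -connect mail.example.com:993 -servername mail.example.com </dev/null | openssl x509 -outform DER -out mail.cer`.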
Comments
10 comments
I am not sure who is dropping the ball here, Plesk or Apple, but it has been a long time now and the "solutions" listed here are not solutions -- they are workarounds. Real solutions are somewhere between Apple and Plesk.
I run 2 dedicated Plesk servers, and have clients. This problem is dragging for years. In general, securing email on Plesk has always been a headache and Plesk never really had a proper "solution" for it.
Hello @Al Ram,
Thank you for the feedback and sharing your user experience.
The issue looks to be on the Apple side as the same behavior may be not exclusively on Plesk-based servers.
For example, here's one of the threads on Apple website: https://discussions.apple.com/thread/7713678
Yes, Ivan. I can see that when Let's Encrypt renews, iOS recognizes the new cert, does not trust it and does not offer the option for the user to trust it. This option is only available after deleting the account from iOS and deleting the outgoing server separately. Let's Encrypt renews about every three months and I am having to walk my clients through this every cycle. Some have switched to MS Exchange.
Apple is known to take years to fix problems like this, but I think Plesk should be on the phone with Apple every Monday because it directly affects Plesk. This is iOS, not some obscure mobile OS, and saying that it is Apple's problem is not enough. I am sure when app developers hit an iOS issue, they call Apple and try to get their attention to the problem. It's kinda like that.
1. Settings
2. Mail, Contacts, Calendars
3. Accounts
4. Select the problem account
5. Advanced
6. Uncheck "Use SSL" in "incoming settings"
@goodomencreative Such resolution hasn't been tested, and it looks like SSL is being disabled altogether for the account, which is not recommended.
Hello @Al Ram,
Sorry for not replying to you earlier.
To be more precise the issue is reported on Let's Encrypt side: https://community.letsencrypt.org/t/lets-encrypt-certificates-with-apple-ios-phones/35695/12
Plesk isn't required to be used for this issue to appear.
However, I've highlighted the issue to the Development team to see if we could push it from our side.
Thanks Ivan, that's what I concluded too. I am sure you will agree that the solutions people are posting on forums like this one are really just workarounds.
I also understand that there are three parties involved here and that a change in iOS is probably where the real solution lies, but I believe that it would be much more effective for Plesk or Let's Encrypt to make that push with Apple. I was hoping that iOS 13 would include a real fix, but that did not happen.
I do believe that where Plesk and Let's Encrypt are going is the right direction -- SSL bundling with server software -- so I am hoping this is just a bump that will be ironed out.
I look forward to an iOS update with at least persistent Continue button for now.
Any news on this? Lately more & more of our customers are calling because of this problem ... and it's not really professional to tell them they have to "Re-Create" their mail accounts with our servers every 2-3 months ...
Hi Andreas Schnederle-Wagner this issue is on iOS Apple side and not something that we can fix from Plesk side. I recommend checking the following forum as well https://discussions.apple.com/thread/7713678
SSL certificate should be sent for port 993 for all domains on the server and for common subdomains like "mail.", not just for the server name. If on server example.com I have two more domains, example1.com and example2.com, users could insert, for example, example1.com or mail.example1.com and it should work.