Applicable to:
- Plesk for Linux
Symptoms
-
Let's Encrypt SSL certificate securing mail has been renewed on the Plesk server.
- Mail server name is specified correctly in settings of mail client (iOS mail and MacOS mail). It matches the server name in the certificate at Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail.
-
Mail users with iOS / MacOS devices cannot access mail after certificate renewal on Plesk server. The following error appears in UI:
CONFIG_TEXT: Cannot Verify Server Identity
Settings cannot verify the identity of "mail.example.com". Would you like to continue anyway? -
In iOS / MacOS mail client there is no "Trust" button on "Details" screen in the upper-right corner.
Cause
iOS / MacOS issue: system does not allow the user to "trust" a SSL/TLS certificate after renewal
add the following PPPM-14463 to the ticket in order to get more feedback
Resolution
There are two possible solutions:
Solution 1. Recreate mail accounts devices
- Remove mail account from iOS / MacOS device.
- Re-create email account on iOS / MacOS device.
Solution 2. Manually install and allow using required SSL certificates from device settings:
- Get the certificate. The certificate can be exported from the browser to a .cer file:
- Press F12 > Security > View certificate.
- On the new opened window go to the Details tab and click on Copy file.
- It will open the export wizard. Click on Next.
- Select "DER binary coded X.509 (.CER)" and click Next.
- Select a name for the file and click Next
- Review the information and click on Finish
- Upload the .cer file on iOS device through email, Safari browser or File Sharing and install it by clicking/tapping on the uploaded file.
- Set up the email account.
- If more information is needed on the certificate, it can be found in: Settings > General > Profile.
Note: Interfaces on different versions of iOS / MacOS may vary.
Comments
5 comments
Imagine that you have a client with nearly a hundred email accounts. Many of these folks use MACs and iPhones. The Let's Encrypt certificate renews, and then you're spending days on the phone walking all of these people through deleting their email accounts and setting them up again. This happens every three months at each renewal until the customer gets fed up and goes somewhere else. This has happened to me several times, and I've been on the phone all day today because of a cert that renewed yesterday. I wish I could offer a solution. There needs to be a better way.
And I thought "Outlook" was poorly programmed! I cannot believe the IOS mail client is unable to handle a certificate change properly.. I'm telling clients to disable all SSL,TLS,MD5 Authentication and sticking to "Password".. It's insecure but it gets their job done.
07/02/23 I may have a fix for this frustrating situation. If you have a domain on the Plesk server that has been set up as what I might call a primary domain on the server for the purposes of reverse DNS, your customers can use that domain for their incoming and outgoing mail servers, instead of the default; mail.subscriptiondomain.com. I am in the process of testing this, but so far, so good. When the certificate for that reverse DNS domain automatically renewed, my phone did not start ringing again with complaints from Apple users, and my own iPhone continued without a hiccup. I will be more confident that this is a true fix when another 90 days have passed, but I am optimistic.
Hello,
I have the same problem and here is solution https://community.letsencrypt.org/t/certificates-renewal-and-apple-os-mail/152621
For me solution 2. works:
Each time the certificates are renewed, restart postfix and dovecot. I think this second option reloads both daemons with the latest certificates, but I do not know yet if it works (I will have to wait three months).
So is it possible that Plesk itself reload mail services (Postfix and Dovecot) after SSL is renewed?
Regards,
Miha Gregorš
Still nothing?
Please sign in to leave a comment.