On 2022-01-14, Randy Hartman <ra...@randy7.com> wrote:
> Hello,
>
> Just in case anyone else has the same problem...
>
> Both iPhone mail and mutt complained of an invalid certificate when
> connecting to my mail server via imaps:// after certificate
> expiration/renewal. The invalid certificate was installed by acme-client
> from Let's Encrypt and sent out by dovecot. I removed the invalid
> certificate and the email clients are working again.
>
> Inspecting fullchain.pem by itself was not enough to find the problem. I
> noticed the invalid certificate by looking at the certificate path and
> finding an expired self-signed root certificate. There were two
> certification paths, one valid and one not valid.

Clients are supposed to ignore the expired root certificate when there is
a valid chain to an alternative root. There were problems with this in
old clients; in OpenBSD/libressl this was fixed in -current and in
syspatches. Not an iPhone user, but I would assume that it should not be
an issue in up-to-date versions of their software too.

> Valid path:
>
> myserver, SHA256:
> e661209d7c6a1779d35768eb53c4b60e0207cb97366796a056f56b367f2a9d48
>
> R3, SHA256:
> 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
>
> ISRG Root X1 (Self-signed), SHA256:
> 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
>
>
> Non-valid path:
>
> myserver, SHA256:
> e661209d7c6a1779d35768eb53c4b60e0207cb97366796a056f56b367f2a9d48
>
> R3, SHA256:
> 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
>
> ISRG Root X1, SHA256:
> 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
>
> DST Root CA X3 (Expired Self-signed), SHA256:
> 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739

-- 
Please keep replies on the mailing list.
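The two paths in the post exist because two different certificates carry the subject name "ISRG Root X1": the self-signed root and the copy cross-signed by DST Root CA X3. A validator that follows the server's ordering and never backtracks runs into the expired root; one that explores every issuer with that name finds the valid path. The following toy path builder, added here as an illustration and not part of the thread or of any OpenBSD/LibreSSL code, models that difference. Certificates are plain records (subject, issuer, fingerprint, expiry) with no real X.509 parsing or signature checking; the names and fingerprints are the ones quoted in the post, and all expiry dates are constructed so that DST Root CA X3 is expired on the post's date, as reported.

```python
"""Toy certificate-path builder for the two Let's Encrypt paths in the thread.

Certificates are modelled as plain records; no X.509 parsing or signature
verification happens.  Names and fingerprints are quoted from the post.  All
dates are constructed for illustration, chosen so that DST Root CA X3 has
expired on the evaluation date.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sha256: str
    not_after: date


# Constructed data modelled on the post (fingerprints quoted from it).
LEAF = Cert("myserver", "R3",
            "e661209d7c6a1779d35768eb53c4b60e0207cb97366796a056f56b367f2a9d48",
            date(2022, 4, 1))
R3 = Cert("R3", "ISRG Root X1",
          "67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd",
          date(2025, 9, 15))
# Two certificates share the subject "ISRG Root X1": the self-signed root
# and the variant cross-signed by DST Root CA X3.
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1",
                    "96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6",
                    date(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3",
                     "6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f",
                     date(2024, 9, 30))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3",
              "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739",
              date(2021, 9, 30))

TODAY = date(2022, 1, 14)                         # date of the post
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS, DST_X3]  # what the server sent
TRUST_STORE = [ISRG_X1_SELF, DST_X3]              # what the client trusts


def path_problems(path, today):
    """Return the reasons a path is unacceptable (empty list if it is fine)."""
    return [f"{c.subject} expired {c.not_after}" for c in path if c.not_after < today]


def build_paths(leaf, pool, trust_store):
    """Enumerate every path from leaf to a trust anchor by following issuer
    names through the server-sent pool and the trust store.  Every
    certificate sharing the wanted subject is explored, which is what lets
    a client step around the expired cross-signed branch."""
    anchors = {c.sha256 for c in trust_store}
    by_subject = {}
    for c in dict.fromkeys(list(pool) + list(trust_store)):  # dedupe, keep order
        by_subject.setdefault(c.subject, []).append(c)

    paths = []

    def walk(path):
        tail = path[-1]
        if tail.sha256 in anchors:          # reached a trust anchor: path complete
            paths.append(path)
            return
        for issuer in by_subject.get(tail.issuer, []):
            if issuer not in path:          # avoid loops through self-signed certs
                walk(path + [issuer])

    walk([leaf])
    return paths


def choose_path(leaf, pool, trust_store, today):
    """Modern behaviour: try every candidate path and accept the first one
    without problems, so an expired root on one path is simply ignored."""
    for path in build_paths(leaf, pool, trust_store):
        if not path_problems(path, today):
            return path
    return None


def legacy_chain_check(chain, trust_store, today):
    """Legacy behaviour: keep the server's ordering, append the trust-store
    certificate named as the final issuer, and reject if any link has
    expired.  It never backtracks to the alternative ISRG Root X1."""
    path = list(chain)
    anchors = {c.sha256 for c in trust_store}
    if path[-1].sha256 not in anchors:
        issuers = [c for c in trust_store if c.subject == path[-1].issuer]
        if not issuers:
            return False
        path.append(issuers[0])
    return not path_problems(path, today)


def describe(path, today):
    """Format a path the way the post lists it."""
    lines = []
    for c in path:
        tag = " (Self-signed)" if c.subject == c.issuer else ""
        tag += " (Expired)" if c.not_after < today else ""
        lines.append(f"{c.subject}{tag}, SHA256: {c.sha256}")
    return "\n".join(lines)


if __name__ == "__main__":
    for path in build_paths(LEAF, SERVER_CHAIN, TRUST_STORE):
        print("--- path:", "; ".join(path_problems(path, TODAY) or ["valid"]))
        print(describe(path, TODAY))
    print("legacy client accepts server chain:",
          legacy_chain_check(SERVER_CHAIN, TRUST_STORE, TODAY))
    print("legacy client accepts leaf+R3 only:",
          legacy_chain_check([LEAF, R3], TRUST_STORE, TODAY))
    chosen = choose_path(LEAF, SERVER_CHAIN, TRUST_STORE, TODAY)
    print("modern client chooses:", [c.subject for c in chosen])
```

Running it lists both paths from the post, shows the legacy check rejecting the server-sent chain because it ends at the expired DST Root CA X3, and shows the modern check settling on the path through the self-signed ISRG Root X1. The same model also shows why trimming what the server sends helps an old client: with only the leaf and R3 presented, the legacy lookup by issuer name lands on the self-signed root in the trust store and passes.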