Koozali.org: home of the SME Server

Letsencrypt/Dehydrated iOS 10 email issues

Offline ReetP

« on: January 08, 2017, 05:00:19 PM »
Hmmm, thanks Apple.

My wife started to report issues with iOS 10.1.x on her iPad thingy saying it wasn't happy with the Letsencrypt cert. The cert was good but there was a host/domain mismatch.

The cert has a number of hosts in it e.g.

imap.mydomain.co.uk
smtp.mydomain.co.uk
esmith.mydomain.co.uk

It also had a sub domain for Rocket Chat

chat.mydomain.co.uk

It did not have the main domain (for various reasons)

mydomain.co.uk

This then caused the domains.txt file to look like this:

chat.mydomain.co.uk  imap.mydomain.co.uk  smtp.mydomain.co.uk  esmith.mydomain.co.uk

iOS mail suddenly started complaining that it didn't like the cert 'chat.mydomain.co.uk'

It seems to ignore any other hosts or domains on the cert.

I have cured this by adding in the main domain mydomain.co.uk and setting the mail settings in iOS to use mydomain.co.uk as the IMAP/SMTP server.

Domains.txt now looks like this

mydomain.co.uk  chat.mydomain.co.uk  imap.mydomain.co.uk  smtp.mydomain.co.uk  esmith.mydomain.co.uk

I think I might rewrite the contrib slightly so that it always does:

domain1, host(s).domain1, domain2, host(s).domain2 etc etc

However I don't think that will cure the iOS issue specifically.

Any ideas why iOS ignores other hosts in the certificate file?

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Letsencrypt/Dehydrated iOS 10 email issues
« Reply #1 on: January 09, 2017, 05:03:44 AM »
I think I have written a piece of code to make the contrib choose the primary domain at the top of the list, unless it is not selected to be in the list of SSL domains and unless a domain name has been selected for the httpd server and mail server with the correct db entry.

I was overlooking this kind of inappropriate behaviour of applications not respecting wildcard or multiple-domain certs; also, I was satisfying my OCD by having my main domain first :D

Will try to send it to you.


Offline ReetP

Re: Letsencrypt/Dehydrated iOS 10 email issues
« Reply #2 on: January 09, 2017, 10:06:59 AM »
I have got your code in there but I need to rethink the ordering logic a little more. Probably need to give priority to main domain/main domain hosts first.

Will try and look later this week or next as I am in the UK all week :-(

It's really a bug in iOS not respecting multi certs. Seems to happen on the iPad but not phones (as yet). I'll update them when back and see what happens.

B. Rgds
John

Offline Daniel B.

    • Firewall Services, la sécurité des réseaux
Re: Letsencrypt/Dehydrated iOS 10 email issues
« Reply #3 on: January 09, 2017, 10:40:18 AM »
Here's the logic I use for this part: http://gitweb.firewall-services.com/?p=smeserver-letsencrypt-client;a=blob_plain;f=root/etc/e-smith/templates/etc/dehydrated/domains.txt/10domains;hb=HEAD

I ensure the primary domain is always the first in domains.txt, so it's the Common Name (all other domains are Alt Subject Names). I do not have any iOS device to test myself, but several of my clients have, and I got no report of any issue (most of them are using one of the Alt Subject Name as server name for IMAP and SMTP).
It's the end of the world !!! :lol:
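
The ordering discussed in this thread, as an added example that is not part of any post or of the contrib's own code: it builds one dehydrated domains.txt line with the primary domain first (dehydrated treats the first name on a line as the certificate's main name), followed by its hosts, then each other domain and its hosts. The function names and the sample host names are assumptions made for the illustration.

```python
# Added example (not the contrib's code): order the names on one
# dehydrated domains.txt line so the primary domain is always first.

def owning_domain(name, domains):
    """Return the longest configured domain that `name` equals or sits under."""
    matches = [d for d in domains if name == d or name.endswith("." + d)]
    return max(matches, key=len) if matches else None


def domains_txt_line(primary, domains, names):
    """Build: primary, host(s).primary, domain2, host(s).domain2, ..., leftovers."""
    primary = primary.lower()
    order = [primary] + sorted({d.lower() for d in domains} - {primary})
    groups = {d: [] for d in order}
    unmatched = []
    # Normalise case and trailing dots, then de-duplicate.
    requested = dict.fromkeys(
        n.strip().lower().rstrip(".") for n in names if n.strip()
    )
    for name in requested:
        owner = owning_domain(name, order)
        if owner is None:
            unmatched.append(name)        # not under any configured domain
        elif name != owner:
            groups[owner].append(name)    # a host under that domain
    line = []
    for d in order:
        # The primary domain is always emitted; other bare domains
        # only when they were actually requested for the certificate.
        if d == primary or d in requested:
            line.append(d)
        line.extend(sorted(groups[d]))
    return " ".join(line + sorted(unmatched))


if __name__ == "__main__":
    # Constructed input: the host list from the first post, without the main domain.
    hosts = ["chat.mydomain.co.uk", "imap.mydomain.co.uk",
             "smtp.mydomain.co.uk", "esmith.mydomain.co.uk"]
    print(domains_txt_line("mydomain.co.uk", ["mydomain.co.uk"], hosts))
```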

Offline ReetP

Re: Letsencrypt/Dehydrated iOS 10 email issues
« Reply #4 on: January 09, 2017, 10:53:33 AM »
Thanks Dan.

I'll check when I have a mo.

It might have been having a subdomain first. I really don't know. Need to test more when home.

B. Rgds
John