Apple MacOS Server and iOS don’t like StartCom Certificates

An error reading „Cannot Connect Using SSL“ on my iPhone caused me some extra grey hair: The symptoms I observed since mid of December were:

  • iOS Mail came up with a SSL error when trying to negotiate SSL/TLS through the IMAP service on my MacOS server. Adding a new mailbox was not possible, Apple Mail always suggested to turn of SSL (which I didn’t want to do for good reason).
  • My Squirrelmail webbased email reader suddenly couldn’t connect to the IMAP mailbox anymore. The error observed was: „Error connecting to IMAP server: <server_name>. 0

First I thought that there was a problem with the MacOS Server, but when I switched to a self signed certificate – things worked OK again (only with the hint that I use an untrusted cert of course).

After some more googling around for the symptoms I observed, I came across this article Lists of available trusted root certificates in iOS (in German). It clearly mentions, that from December 2016 onward, the certificates of StartCom (which were available also cost free) are not recognized anymore. Now, my MacOS Server did not throw any error in the Server Manager, but the services didn’t work as expected anymore.

And for testing Squirrelmail, I found this very nice information at James Bottomley’s random Pages:

echo 'fsockopen("tls://yourmailserver.domain",993,$errno,$errmsg,15);'|php -a

I used it to check the connection to my mailserver, and look and behold, I got to see the PHP error that I had a certificate issue!

So I decided to order a RapidSSL certificate to replace the StartCom certificate. Said and done, set it all up, and voilá – all services are running smoothly again.

While the Server App correctly changes certs for all services including the postfix Mail service, I have configured TLS manually in the postfix main.cf as this was a requirement for my outbound mail forwarder. These configuration statements I always have to change manually when updating the certificate. Now there is at the end of the file:

smtp_tls_cert_file = /etc/certificates/<hostname>.ID.cert.pem
smtp_tls_CAfile = /etc/certificates/<hostname>.ID.chain.pem
smtp_tls_key_file = /etc/certificates/<hostname>.ID.key.pem

For the correct keys just compare to the statements before, like:

smtpd_tls_key_file = /etc/certificates/<hostname>.ID.key.pem
smtpd_tls_cert_file = /etc/certificates/<hostname>.ID.cert.pem

If you run into similar troubles as described above, I suggest to get a „real“ SSL certificate which is trusted by the Apple OS. I got mine from the folks at CheapSSL.com.

Advertisment ad adsense adlogger