Revisiting SSL certificate trust on iOS devices for email


#1

I’m a longtime Dreamhost user and manage a family full of Macs and iOS devices. I’m pretty savvy but I’m experiencing a new email related problem within the last 24 hours that I haven’t been able to resolve. The Macs and iOS devices are all starting to pop up “Cannot Verify Server identity” messages every minute even if the Mail application isn’t in use, even though the Mail settings are meticulously set to Dreamhost’s recommended settings (and triple checked). I’m familiar with re-trusting the (invalid) SSL certificate on the Mac but I don’t see a way of doing this in iOS 10.2. Dreamhost’s instructions state that one can click on the ‘Details’ button and then ‘Trust’ in the upper right hand corner but this button doesn’t exist. Perhaps such a button existed in an earlier version of iOS but it is not there today on 10.2.

I’ve also updated my keychain on the Mac to ‘Always Trust’ and use iCloud for keychain syncing but the iOS devices continue to fail to connect.

So I have four iPhones that suddenly can’t get mail at all and are practically unusable for anything else because they are constantly bringing up “Cannot Verify Server identity” messages over and over again even without the Mail app open. On the Macs I’ve been able to set to ‘Always Trust’ and have dismissed these messages. So this boils down to two questions:

  1. How can we set an iOS 10.2 device to trust an apparently invalid SSL Certificate?

  2. Is there a way to make or use a valid certificate? Do I need to buy SSL certificates for my domains? What are other people doing with their own domains?

Thanks in advance!


#2

Hi Scott,

Thank you for contacting us for support! I answered your questions below:

  1. How can we set an iOS 10.2 device to trust an apparently invalid SSL Certificate?
    I am also on iOS 10.2 and it worked for me yesterday. It should allow you to click on details for the specific certificate, then you should be able to trust it from there. If it still doesn’t work please create a ticket and give us screenshots, that would be helpful: https://panel.dreamhost.com/index.cgi?tree=support.msg&

  2. Is there a way to make or use a valid certificate? Do I need to buy SSL certificates for my domains? What are other people doing with their own domains?

This guide should be helpful: https://help.dreamhost.com/hc/en-us/articles/215306748-Certificate-domain-mismatch-error-when-connecting-to-a-DreamHost-mail-server


#3

Unfortunately this guide is partially incorrect. For iPhone users it incorrectly states "It will show the message “Cannot Verify Server Identity”. Click “Details” below that message, followed by “Trust” in the top-right corner. " For existing accounts, the Trust button is not there, even if you replace the hostname.

It appears the only way to get this to work is to delete your email accounts and re-create them. When we do this the Trust button becomes available under the Details window. Can I suggest this page be updated to reflect this? Deleting existing accounts is essential.

And I now see the answer to my 2nd question. Instead of using mail.customdomain.com we can use sub3.mail.dreamhost.com (or similar) for the outgoing mail server. Thanks!


#4

Thanks Scott, that helped me get my email going again. Dreamhost instructions were definitely incomplete.
FYI, I’m using homie.mail.dreamhost.com for my incoming and outgoing with no problems now.
-Terry


#5

As to question #2, when I use “homie.mail.dreamhost.com” as the outgoing mail server, it also comes up as having an invalid certificate. So Question #2 stands: Is there a way to make or use a valid certificate? Do I need to buy SSL certificates for my domains? What are other people doing with their own domains?
[hr]

Great! I’m seeing the same “invalid certificate” with homie.mail.dreamhost.com just like when the custom domain is used. While I can now opt to trust it, the question remains: why is it not valid? Can we use a valid certificate anywhere?

Did you get a message saying the SSL Certificate for homie.mail.dreamhost.com was valid?
[hr]
Let me repeat - there is NO ADVANTAGE to using a *.dreamhost.com mail server over a custom one. Is there any way we could use a valid SSL Certificate and avoid all of the problems?


#6

I was glad to see this wasn’t just a problem I was having; it would have taken me too long to guess that the accounts would need to be deleted and re-added.

There was an additional hitch for me, which I’m posting in case anybody else has problems: even after deleting and re-adding all my DH accounts, I still didn’t get the “Trust” button. This was because I had my DH mail server lingering in the list of SMTP servers (from a previous round of email-wrestling). Once I removed it — by going into the list of SMTP servers via a different (non-DH) account, and deleting it there — I was able to re-add my DH accounts and get a “Trust” option.

Between the instructions, the odd Apple choice to not provide a “Trust” button, and the rarity of having to do this sort of thing, this problem ate up an insane amount of time. I hope it’s faster for the next folks who find this post — or that a simpler method is available the next time the certificates change.

[Edit: I forgot to mention: iPhone 6S running iOS v10.2 (14C92).]


#7

It’s interesting, I wonder why some had to jump through all this.

I didn’t have any trouble. I was able to just “Trust” much like DH Matt describes above. I did later discover I also needed to “trust” the SMTP server, but I had no trouble there either. To be clear, I didn’t have to do any deleting and re-adding of accounts.

What was shocking is Dreamhost didn’t warn us a certificate change was coming. I had to do 10 minutes of due diligence to figure out why I was suddenly getting new warnings, and whether I should in fact bypass or trust them.


#8

There was that, too, but what bugged me more was that I couldn’t figure out how exactly we’re supposed to verify the certificate. I found the blog post on dreamhoststatus.com, which gave a fingerprint, but that fingerprint didn’t show up anywhere in the cert info that my phone (or Apple Mail) was showing me. I couldn’t find any way to match up what I was seeing on my phone with what I could find on the DH web site(s).

I’d definitely like to be able to do that, so I can be assured I’m accepting the right certificate.
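The problem described in this post, matching a fingerprint published on a status page against the certificate a mail server actually presents, can be checked from a laptop instead of squinting at the phone’s certificate sheet. The script below is an added example, not code from the thread or from Dreamhost: the function names are mine, the sample PEM is a constructed stand-in (base64 of "abc", not a real certificate) used only to exercise the hashing path, and the fetch helper assumes port 587 speaks STARTTLS while 993/465 are implicit TLS.

```python
import base64
import hashlib
import re
import smtplib
import socket
import ssl

# Constructed stand-in for a PEM certificate: body is base64 of b"abc".
# It is NOT a real X.509 certificate; it only exercises the hashing path.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case digest, the layout status pages usually publish."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprints_match(seen: str, published: str) -> bool:
    """Compare ignoring colons, spaces and case; reject anything shorter than SHA-1."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    a, b = norm(seen), norm(published)
    return len(a) >= 40 and a == b

def fetch_peer_cert_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Retrieve the server's leaf certificate for inspection only.
    Verification is disabled because the cert is expected to fail the hostname
    check; nothing is authenticated or trusted here, we only read the cert.
    Port 587 needs STARTTLS first (via smtplib); 993/465 are implicit TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    if port == 587:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
        smtp.quit()
        return der
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    import sys
    host, port, published = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    fp = fingerprint(fetch_peer_cert_der(host, port))
    print(f"{host}:{port} SHA-256 {fp}")
    print("MATCH" if fingerprints_match(fp, published) else "MISMATCH - do not trust")
```

Run it as `python3 check_fp.py mail.example.com 993 <published fingerprint>` and only tap “Trust” on the phone when the printed SHA-256 (or SHA-1, if that is what the status page lists) matches what the provider published.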


#9

Hi,

I’ll add the same, some family iPhone 7’s don’t seem to get the ‘trust’ option at all. My iPhone 6+ was fine. It’s been pretty frustrating, but looks like I’m re-entering a few email accounts. :frowning:

-Danny


#10

[quote=“LakeRat, post:7, topic:63951”]
I was able to just “Trust” much like DH Matt describes above. I did later discover I also needed to “trust” the SMTP server, but I had no trouble there either. To be clear, I didn’t have to do any deleting and re-adding of accounts. [/quote]

Are you using iOS 10.2 (the current version)?


#11

Yes, iOS 10.2, and I failed to state earlier, it’s an iPhone 7.


#12

Shoot, well, that seems inconsistent. My own phone is an iPhone 7 and I deleted all my Mail accounts, recreated them, and now I’m getting the “Cannot Verify Server” message again… and no trust button.

Perhaps I should say my Mail accounts are IMAP accounts - are yours different?


#13

Thanks! This was the key for me. Since I have multiple email accounts through Dreamhost, I had to delete ALL of them, then go into another non-Dreamhost account to remove all dreamhost SMTP server entries, similar to what was stated above. So one of the reasons that this thread seems to work for some and not for others may be whether or not your phone has multiple Dreamhost email accounts.


#14

[quote=“KevinO, post:13, topic:63951”]So one of the reasons that this thread seems to work for some and not for others may be whether or not your phone has multiple Dreamhost email accounts.
[/quote]

Fair enough! I too have multiple DH email accounts. Deleting and re-creating all of them a week ago continued to bring up the “Cannot Verify Server” messages without the ability to “Trust” them. Something happened during the week however and one day that stopped. Now when I create new email accounts on iOS using the “homie.mail.dreamhost.com” SMTP server we don’t have the ability to hit “Trust” and apparently don’t need to… This exact same procedure didn’t work the week prior, shortly after they updated the domain certificates - but it does now.

I suspect Dreamhost quietly did something on their end to fix this last week and is correctly assuming that this problem will go away.


#15

These issues were all related to this incident:

https://www.dreamhoststatus.com/pages/incident/575f0f606826303142000510/588156051cbcb48151001209

Since that has been resolved, I’ll close this thread.
