Community Discussions and Support
Do Mercury created certificates expire?

After working through the problem it became apparent that the problem isn't with the certificate but with iOS 10.3 and its inability to replace an expired certificate with a new one.

 

I have a coworker accessing mail via IMAP with a smartphone who has started receiving a message that the certificate has expired.  I have a certificate in place that was created with Mercury but didn't think they expired.  IMAP access using Pegasus Mail on my desktop PC works fine.  Anyone have any thoughts about what is going on?

 

Follow-up...

I have attempted creating a new certificate (twice) but the IMAP connection attempts still fail from the smartphone.  Two questions:

1.  Mercury.ini contains the server name (CN) as "domainname.com".  The phones connect to "imap.domainname.com".  Which should I use in the certificate?

2.  In searching this forum I found a thread where someone had a problem with the certificate not loading.  How do I check that or troubleshoot this problem further?

One user is accessing the server and a session log for one of those attempts contains an entry stating "no peer certificate presented" when connections are attempted. The other user is receiving a "server not responding" message.

MercuryI configuration points to the correct file (imapcert.pem); Mercury has been restarted.

I'm at a loss as to where to go from here.

 

I got my hands on one of these users' phones.  The new certificate is being recognized but is untrusted.  At least I now know that the problem is with the phone and not with Mercury.  I remain surprised by the expiration of the previous certificate though.  I cannot find any documentation about built-in expiration.

 

A certificate always has a validity period, even though the expiry date could be quite far in the future. I checked a .pem file I created a few years ago with Mercury:

        Validity
            Not Before: Jul 12 16:08:07 2013 GMT
            Not After : Jul 12 16:08:07 2015 GMT

You can check the values in a certificate by running this command from a command window:

openssl x509 -in mycert.pem -text -noout 

(mycert.pem should be replaced with the real filename of course.) 
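
Added example, not part of the original post: a POSIX shell script that builds on the openssl x509 check above to flag a certificate nearing expiry and to test whether it matches the hostname clients connect to. The function names, the 30-day threshold and the constructed sample certificate (CN=domainname.com, valid 730 days) are assumptions; -checkhost needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example: check a mail server certificate for expiry and name match.
# Function names, thresholds and the sample certificate are assumptions.

# Return 0 if the certificate in $1 expires within $2 days (or already has).
# An unreadable file is reported the same way, so it gets looked at.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    # -checkend exits 0 only if the cert is still valid $secs from now
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 if hostname $2 matches the certificate (SAN, or CN if no SAN).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Constructed sample: self-signed, CN=domainname.com, valid for 730 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/CN=domainname.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# audit CERT HOST: print subject and dates, then any warnings.
audit() {
    openssl x509 -in "$1" -noout -subject -dates
    if cert_expires_within "$1" 30; then
        echo "WARN: $1 expires within 30 days"
    fi
    if ! cert_matches_host "$1" "$2"; then
        echo "WARN: $1 does not match hostname $2"
    fi
    return 0
}

tmp=$(mktemp -d)
make_sample_cert "$tmp"
audit "$tmp/cert.pem" imap.domainname.com
```

To check a real certificate, call audit with the path of the .pem file and the hostname configured on the client.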

 

The 2 year expiration is consistent with what I experienced based on the date stamp of the expired certificate file. 

It's astounding how difficult it is to get the new certificate trusted on iDevices.  While researching I found info about installing a root certificate on the iPhone but there was emphasis on the server in the certificate being the same as the configured mail server but did not specify whether the IMAP, POP, or SMTP server.  This is contrary to the Mercury manual which says to use the server name configured in Core.  I was able to get one device working by deleting then recreating the mail account.  I haven't gotten access to another device but plan to test the installation of a root certificate on the next one.

 

Not sure if this helps or not but on most phones there is an option under "Security type" that says "SSL (accept all certificates)" or "TLS (accept all certificates)".

 

I just use the Mercury-generated certificate and have never had any type of problem getting the certificate to be trusted.

 

Jim 

I wish the iPhones were that easy.  It's either SSL on or off.  They don't provide a way to replace an expired certificate.  I installed a root certificate on the 2nd user's phone but it wasn't recognized by the email account.

It gets worse.  Each install of an email account creates a new SMTP server but removal of an account does not remove the associated server.  The result is numerous SMTP servers of the same name, none of which can be deleted if any one of them is configured in an existing account.  The only way to clean them up is to delete the account first.  I've been really impressed with iPhones until now.

Note:  The problem seems to be associated with iOS 10.3. An iPad running an older OS was notified of the new certificate and was able to trust it without issue.

 

I'm using LetsEncrypt certificates for SMTP, IMAP and POP3 with Mercury. No problems with any Windows- or Linux browser and Android > 4.0.
