[BlueOnyx:25158] Re: Let's Encrypt CA cert expiry - fix for Apple devices

Meaulnes Legler @ MailList bluelist at waveweb.ch
Fri Oct 8 06:39:37 -05 2021


On 01.10.21 20:07, Michael Aronoff wrote:
> I have done a yum update but I am still having users with Apple devices that cannot check email. Anyone have any suggestions?
> ________________________________
> M Aronoff Out – maronoff at gmail.com

the answer from Michael in the following mail suggesting to renew the LE certificates worked on Apple's *Firefox only* (strange enough, huh?), Safari, Chrome & Opera still showed the old R3 certificate and broke the chain of my Mac users. I thought it was an AdminServer problem, but it ain't, it's an Apple-LetsEncrypt idiosyncrasy, it took me a while to find out...

the fix for Mac users:
• download the ISRG Root X1 certificate file from https://letsencrypt.org/certs/isrgrootx1.pem
• download the LE's R3 certificate file from https://letsencrypt.org/certs/lets-encrypt-r3.pem
• open «Keychain Access.app» and select the System folder in the Keychains column on top left (not the System Roots folder)
• drag the two downloaded files isrgrootx1.pem and lets-encrypt-r3.pem into the System folder's right pane, one must approve this action with the administrator password (Trust: Use System Defaults)

the ISRG Root X1 certificate should be listed as valid Root certificate authority expiring Monday, 4 June 2035 at 13:04:38 Central European Summer Time
the R3 certificate should be listed as valid «R3» Intermediate certificate authority expiring Monday, 15 September 2025 at 18:00:00 Central European Summer Time

now accessing the AdminServer over port :81 shouldn't throw an error on any browser of the Mac. I think it fixed AppleMail's certificate problem, too; it did it on Thunderbird

best regards
で⊃ Meaulnes Legler
Zurich, Switzerland
+41¦0 44 260-1660

I'm on *Wire* as @meaulnes — https://get.wire.com/
/no more Whatzap and so on!/
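
A check that can be run on the two downloaded files before they are dragged into the System keychain, as an added example that is not part of the original post: it uses `openssl` to confirm that isrgrootx1.pem is self-issued, that lets-encrypt-r3.pem was issued by it, and that neither has expired, then prints each certificate's subject, expiry date and SHA-256 fingerprint for comparison with the dates quoted in the post. The function name `check_le_chain` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). check_le_chain is a hypothetical
# name; the file names in the usage line are the ones the post downloads.
# Usage: check_le_chain isrgrootx1.pem lets-encrypt-r3.pem
# Returns 0 if all checks pass, 1 if a check fails, 2 if a file is unreadable.

check_le_chain() {
    root=$1
    inter=$2
    rc=0

    # Both files must parse as X.509 certificates before anything else.
    for f in "$root" "$inter"; do
        openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "FAIL: $f is not a PEM certificate"; return 2; }
    done

    # A root certificate is self-issued: subject and issuer are the same name.
    r_subj=$(openssl x509 -in "$root" -noout -subject | sed 's/^subject= *//')
    r_iss=$(openssl x509 -in "$root" -noout -issuer | sed 's/^issuer= *//')
    [ "$r_subj" = "$r_iss" ] || { echo "FAIL: $root is not self-issued"; rc=1; }

    # The intermediate must name that root as its issuer ...
    i_iss=$(openssl x509 -in "$inter" -noout -issuer | sed 's/^issuer= *//')
    [ "$i_iss" = "$r_subj" ] ||
        { echo "FAIL: $inter was not issued by $root"; rc=1; }

    # ... and the chain must verify with the downloaded root supplied as CA.
    openssl verify -CAfile "$root" "$inter" >/dev/null 2>&1 ||
        { echo "FAIL: $inter does not verify against $root"; rc=1; }

    # -checkend 0 fails if the certificate is already past its notAfter date.
    for f in "$root" "$inter"; do
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null ||
            { echo "FAIL: $f has expired"; rc=1; }
    done

    # Show what is about to be trusted so it can be compared by eye.
    for f in "$root" "$inter"; do
        openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
    done
    return $rc
}
```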






