Let's Encrypt with expired CA certificate and Apple Mail

Solution 1:

It looks like your IMAP server is only serving the leaf certificate, not the intermediate cert(s) that're needed to verify it. You can check this with the openssl s_client command:

$ openssl s_client -connect imap.piraneo-canepa.ch:imap -starttls imap </dev/null
CONNECTED(00000005)
depth=0 CN = piraneo-canepa.ch
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = piraneo-canepa.ch
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
---
[...]

Note that the "Certificate chain" section only lists a single certificate, which is the server's leaf certificate. Compare that with your SMTP (incoming mail) server, which does include the intermediates:

$ openssl s_client -connect mail.piraneo-canepa.ch:smtp -starttls smtp </dev/null
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
[...]

Here the "Certificate chain" section includes two intermediates along with the server's leaf cert. If you add the -showcerts option, it'll print all three certs (in PEM format).

...so I think all you need to do is add those same intermediates to the TLS config on your IMAP server.
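An added example, not part of the answer above: it parses the "Certificate chain" section of `openssl s_client` output and reports why a client could fail to build a path from the presented chain to a trusted root. The two sample listings and the trusted-root set are constructed from the output shown in the answer; a real check would read the system trust store instead.

```python
import re
# One entry of the "Certificate chain" listing: " 0 s:<subject>" then "   i:<issuer>".
CHAIN_RE = re.compile(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)
# Constructed: subjects of roots the client trusts (a real check would read the
# system trust store); both names come from the SMTP listing in the answer.
TRUSTED_ROOTS = {
    "/C=US/O=Internet Security Research Group/CN=ISRG Root X1",
    "/O=Digital Signature Trust Co./CN=DST Root CA X3",
}
# Constructed from the two s_client listings in the answer (preamble trimmed).
IMAP_OUTPUT = """---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
---
"""
SMTP_OUTPUT = """---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    start = s_client_output.find("Certificate chain")
    if start < 0:
        return []
    end = s_client_output.find("\n---", start)  # section ends at the next separator
    section = s_client_output[start:end if end > 0 else None]
    return [(m.group(1).strip(), m.group(2).strip()) for m in CHAIN_RE.finditer(section)]

def chain_problems(chain, trusted_roots):
    """Explain why a client could fail to build a path from this chain to a trusted root."""
    if not chain:
        return ["server presented no certificates"]
    problems = []
    # Each certificate's issuer must be the subject of the next certificate sent.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"{subj} is issued by {issuer}, but the next cert is {next_subj}")
    last_subj, last_issuer = chain[-1]
    # The chain must end at a trusted root or at a cert signed directly by one;
    # a bare leaf issued by R3, as on the IMAP server above, fails this test.
    if last_subj not in trusted_roots and last_issuer not in trusted_roots:
        problems.append(f"chain ends at {last_subj}, issued by untrusted {last_issuer}: intermediate(s) missing")
    return problems
```

Feed it the real output of `openssl s_client -connect host:imap -starttls imap </dev/null` to check a live server; adding `-showcerts` does not change the "Certificate chain" section, so the parser works either way.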