Let's Encrypt with expired CA certificate and Apple Mail
Solution 1:
It looks like your IMAP server is only serving the leaf certificate, not the intermediate cert(s) that are needed to verify it. You can check this with the openssl s_client command:
$ openssl s_client -connect imap.piraneo-canepa.ch:imap -starttls imap </dev/null
CONNECTED(00000005)
depth=0 CN = piraneo-canepa.ch
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = piraneo-canepa.ch
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
---
[...]
Note that the "Certificate chain" section only lists a single certificate, which is the server's leaf certificate. Compare that with your SMTP (incoming mail) server, which does include the intermediates:
$ openssl s_client -connect mail.piraneo-canepa.ch:smtp -starttls smtp </dev/null
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
[...]
Here the "Certificate chain" section includes two intermediates along with the server's leaf cert. If you add the -showcerts option, it'll print all three certs (in PEM format).
...so I think all you need to do is add those same intermediates to the TLS config on your IMAP server.
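The check described in the answer above, turned into a small script so it can be run against saved s_client output or a live host. This is an added example and not part of the original answer; the two transcripts inside it are constructed to mirror the IMAP and SMTP outputs quoted above so that the script runs offline, and check_live is a hypothetical wrapper around the same openssl command.

```shell
#!/bin/sh
# Added example (not from the original answer): parse `openssl s_client` output
# and report whether the server sent only its leaf certificate or a chain whose
# issuer/subject names link up. Transcripts below are constructed to mirror the
# page's IMAP and SMTP results so the script runs offline.

# Emit "subject<TAB>issuer" for every entry in the "Certificate chain" block.
# Handles both the old "s:/CN=..." and the newer "s:CN = ..." layouts.
chain_pairs() {
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        in_chain && /^---/          { exit }
        in_chain && /^ *[0-9]+ s:/  { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        in_chain && /^ *i:/         { sub(/^ *i:/, ""); printf "%s\t%s\n", subj, $0 }
    '
}

# How many certificates the server presented.
chain_length() {
    chain_pairs | wc -l | tr -d ' '
}

# Prints none / leaf-only / linked / broken. "linked" means each cert's issuer
# name is the subject of the next cert, which is what a client needs to build
# a path from the leaf up to a root it trusts.
chain_status() {
    chain_pairs | awk -F'\t' '
        { subj[NR] = $1; iss[NR] = $2 }
        END {
            if (NR == 0) { print "none"; exit }
            if (NR == 1) { print "leaf-only"; exit }
            for (i = 1; i < NR; i++)
                if (iss[i] != subj[i + 1]) { print "broken"; exit }
            print "linked"
        }
    '
}

# Hypothetical live wrapper: host, port, STARTTLS protocol (imap or smtp).
check_live() {
    openssl s_client -connect "$1:$2" -starttls "$3" </dev/null 2>/dev/null | chain_status
}

# Constructed transcript: an IMAP server sending only its leaf certificate.
IMAP_OUT=$(cat <<'EOF'
CONNECTED(00000005)
depth=0 CN = piraneo-canepa.ch
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
---
EOF
)

# Constructed transcript: an SMTP server sending leaf plus two intermediates.
SMTP_OUT=$(cat <<'EOF'
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=piraneo-canepa.ch
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
)

printf 'IMAP: %s cert(s), %s\n' \
    "$(printf '%s\n' "$IMAP_OUT" | chain_length)" "$(printf '%s\n' "$IMAP_OUT" | chain_status)"
printf 'SMTP: %s cert(s), %s\n' \
    "$(printf '%s\n' "$SMTP_OUT" | chain_length)" "$(printf '%s\n' "$SMTP_OUT" | chain_status)"
```

The script only compares subject and issuer names; it does not check signatures or validity dates. After you have fixed the chain, run openssl verify against the PEM blocks from -showcerts (or simply reconnect with s_client and look for "Verify return code: 0") to confirm the server now presents a chain your clients can actually validate.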