Falsely expired certificate

Hello,

I’m fetching email from a server that I run myself. I have an IMAP account with a valid certificate (STARTTLS connection) and all went very well until today.

K9 mail keeps telling me that my server certificate has expired while it hasn’t. I don’t know where it gets the info that the certificate has expired. I even force-renewed the certificate on my server, and it is valid until December. I checked with an online SSL checker that my certificate is valid, and it says it is.

Any idea?

Is the chain file up to date?
Is the CA root certificate on your device valid?

1 Like

Yes, I think the chain file is up to date since I recreated all my certificates on my server and the SSL checkers online do not complain.

On my Android device where I usually use K9 mail, it cannot automatically verify my certificate like it used to. K9 mail sees an expiration date as of September 20, but in fact the real expiration date (as printed by certbot on the server) is December 21.

Well, in fact when I run gnu-tls it says that the certificate chain uses an expired certificate. I guess the problem is on my server, not with K9 mail.

I will investigate further.

Apparently, my problem is related to the way old Android devices (Android 7 and earlier) check certificates.

Not so much the way they check certificates but the CA root certificates they check against.

Unless you import newer CA root certificates to your device, all (!) certificates will be rejected sooner or later.

https://knowledgebase.geolantis.com/HOW%20TO/how-to-install-root-certificate-on-android-6-0-device/

That is why since Android 14 the CA root certificates are updateable through Play Store: https://www.xda-developers.com/android-14-root-certificates-updatable/

1 Like
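
The symptom in this thread (a leaf certificate valid until December while a client reports an earlier expiry) can be narrowed down by checking every certificate the server sends, not only the leaf. The script below is an added example, not code from any poster: it splits a captured chain and reports each certificate's end date. The host name `mail.example.org`, the file names and the function names are assumptions.

```sh
# Added example (not from the thread). Capture what the server really sends, e.g.
#   openssl s_client -connect mail.example.org:143 -starttls imap -showcerts \
#       </dev/null >chain.pem        # mail.example.org is a placeholder
# then run:  sh check_chain.sh chain.pem

# split_chain FILE DIR: write each PEM certificate in FILE to DIR/cert-N.pem,
# ignoring the s_client text that surrounds the certificate blocks.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# check_chain FILE [WINDOW_SECONDS]
# Prints one line per certificate in chain order. A certificate is marked FAIL
# if it is expired now or will expire within WINDOW_SECONDS (default 0).
# Returns the number of failing certificates, or 255 if none could be read.
check_chain() {
    cc_window=${2:-0}
    cc_tmp=$(mktemp -d) || return 255
    split_chain "$1" "$cc_tmp"
    cc_bad=0
    cc_i=1
    while [ -f "$cc_tmp/cert-$cc_i.pem" ]; do
        cc_f="$cc_tmp/cert-$cc_i.pem"
        cc_subj=$(openssl x509 -in "$cc_f" -noout -subject)
        cc_end=$(openssl x509 -in "$cc_f" -noout -enddate)
        if openssl x509 -in "$cc_f" -noout -checkend "$cc_window" >/dev/null; then
            cc_state=OK
        else
            cc_state=FAIL
            cc_bad=$((cc_bad + 1))
        fi
        echo "$cc_state [$cc_i] ${cc_end#notAfter=} | ${cc_subj#subject=}"
        cc_i=$((cc_i + 1))
    done
    rm -rf "$cc_tmp"
    [ "$cc_i" -gt 1 ] || { echo "no certificates in $1" >&2; return 255; }
    return "$cc_bad"
}

# Run directly when a chain file is given on the command line.
if [ "$#" -gt 0 ]; then check_chain "$@"; fi
```

A FAIL on an entry after `[1]` means the expired certificate is an intermediate or cross-signed certificate in the chain file rather than the server's own certificate.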